Article ID: 278299 - Last Review: October 27, 2006 - Revision: 3.4

Locked-Out Account That Is Reset at a Different Domain Controller May Be Locked Out

This article was previously published under Q278299

SYMPTOMS
When you are using account-lockout policies in a domain with more than one domain controller (DC), if an account was previously locked out and then unlocked by an administrator, the account may be locked out after only one bad password attempt.

CAUSE
This problem can occur because Windows 2000 maintains a bad-password count for each user. This count is the number of bad password attempts that have been made since the last successful logon. When user account details are replicated between DCs, the locked-out state is replicated. However, bad-password counts are not replicated between DCs.

If a user is locked out by exceeding the maximum bad-password count that has been configured by a policy on the authenticating DC, the user account is marked as locked out, and the locked-out state is replicated to other DCs. If an administrator then unlocks the account, the bad-password count for the user is set to zero on the DC that is processing the unlock request, and the unlocked state is replicated to other DCs, but the bad-password count (now zero) is not replicated to other DCs. Because of this, if the DC that authenticates the user's next logon attempt is the DC that originally locked out the user, and the user account was unlocked on a different DC, the authenticating DC sees an unlocked account whose bad-password count is already at the lockout threshold set by policy. Under these conditions, one bad password attempt is sufficient to lock out the same account again.

RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 (http://support.microsoft.com/kb/260910/EN-US/) How to Obtain the Latest Windows 2000 Service Pack
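The re-lock sequence described in the CAUSE section, as an added example that is not part of this KB article: a small Python model of two DCs in which the locked-out flag replicates but the bad-password count does not. The DomainController class, the user name alice, and the lockout threshold of 3 are constructed for the model.

```python
LOCKOUT_THRESHOLD = 3  # constructed policy value: lock after 3 bad passwords


class DomainController:
    """Minimal model of one DC's per-user lockout bookkeeping (constructed)."""

    def __init__(self, name):
        self.name = name
        self.bad_pwd_count = {}  # local only: never replicated to other DCs
        self.locked_out = {}     # replicated to other DCs

    def authenticate(self, user, password_ok):
        if self.locked_out.get(user):
            return "locked"
        if password_ok:
            self.bad_pwd_count[user] = 0  # count resets on successful logon
            return "ok"
        self.bad_pwd_count[user] = self.bad_pwd_count.get(user, 0) + 1
        if self.bad_pwd_count[user] >= LOCKOUT_THRESHOLD:
            self.locked_out[user] = True
            return "locked"
        return "bad-password"

    def unlock(self, user):
        # Administrative unlock: the count is zeroed only on this DC.
        self.bad_pwd_count[user] = 0
        self.locked_out[user] = False


def replicate_lockout_state(src, dst):
    # Replication carries the locked-out flag but not the bad-password count.
    dst.locked_out.update(src.locked_out)


def reproduce(unlock_on_same_dc):
    """Lock alice on DC1, unlock on DC1 or DC2, then try one bad password at DC1."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    for _ in range(LOCKOUT_THRESHOLD):
        dc1.authenticate("alice", password_ok=False)
    replicate_lockout_state(dc1, dc2)  # DC2 now also shows alice locked out
    unlock_dc = dc1 if unlock_on_same_dc else dc2
    unlock_dc.unlock("alice")
    replicate_lockout_state(unlock_dc, dc1 if unlock_dc is dc2 else dc2)
    # The next logon attempt lands on DC1, the DC that originally locked the account.
    return dc1.authenticate("alice", password_ok=False)


if __name__ == "__main__":
    print("unlocked on a different DC:", reproduce(False))  # locked
    print("unlocked on the same DC:   ", reproduce(True))   # bad-password
```

When the unlock is processed on a different DC, DC1 still holds a count at the threshold, so the single bad attempt locks the account again; when the unlock is processed on DC1 itself, the same attempt only raises the count to 1.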
The English version of this fix should have the following file attributes or later:

   Date        Time    Version         Size     File name
   -----------------------------------------------------------------
   5/31/2001   11:13p  5.0.2195.3663   501,520  Lsasrv.dll (56-bit)
   5/31/2001   03:30p  5.0.2195.3649   354,576  Advapi32.dll
   5/31/2001   03:37p  5.0.2195.3649   519,440  Instlsa5.dll
   5/31/2001   03:31p  5.0.2195.3649   142,608  Kdcsvc.dll
   5/30/2001   02:55p  5.0.2195.3649   209,008  Kerberos.dll
   5/29/2001   09:26a  5.0.2195.3649    69,456  Ksecdd.sys
   5/29/2001   09:26a  5.0.2195.3649   501,520  Lsasrv.dll
   5/29/2001   09:26a  5.0.2195.3649    33,552  Lsass.exe
   5/31/2001   03:31p  5.0.2195.3652   908,560  Ntdsa.dll
   5/31/2001   03:31p  5.0.2195.3649   382,736  Samsrv.dll

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.

MORE INFORMATION
For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:

265173 (http://support.microsoft.com/kb/265173/EN-US/) The Datacenter Program and Windows 2000 Datacenter Server Product

For additional information about how to install multiple hotfixes with only one reboot, click the article number below to view the article in the Microsoft Knowledge Base:

296861 (http://support.microsoft.com/kb/296861/EN-US/) Use QChain.exe to Install Multiple Hotfixes with One Reboot

For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:

249149 (http://support.microsoft.com/kb/249149/EN-US/) Installing Microsoft Windows 2000 and Windows 2000 Hotfixes