Article ID: 264678 - Last Review: February 28, 2007 - Revision: 4.3 Increased account lockout frequency in a Windows 2000 domainThis article was previously published under Q264678 SYMPTOMS In a domain that contains Microsoft Windows 2000-based domain
controllers and Windows 2000-based servers or clients, users may experience
account lockouts with fewer incorrect authentication attempts than the domain's
Account Lockout policy may indicate. For example, with the domain Account
Lockout policy set to allow five incorrect password attempts, users' accounts
may be locked out after only three attempts with invalid credentials. The Netlogon.log file on the primary domain controller shows only two 0xC000006A events for the user before the user is locked out:
05/26 12:25:47 [LOGON] SamLogon: Network logon of domain\user1 from MYSERVER1 Entered 05/26 12:25:47 [LOGON] SamLogon: Network logon of domain\user1 from MYSERVER1 Returns 0xC000006A 05/26 12:26:34 [LOGON] SamLogon: Network logon of domain\user1 from MYSERVER1 Entered 05/26 12:26:34 [LOGON] SamLogon: Network logon of domain\user1 from MYSERVER1 Returns 0xC000006A 05/26 12:26:54 [LOGON] SamLogon: Network logon of domain\user1 from MYSERVER1 Entered 05/26 12:26:55 [LOGON] SamLogon: Network logon of domain\user1 from MYSERVER1 Returns 0xC0000234 CAUSE When the client tries to authenticate the user with a
resource, Windows 2000 first uses the Kerberos authentication method. If the
Kerberos attempt does not succeed, the client then tries the Windows NT
challenge/response (NTLM) authentication protocol. Each of these methods
presents the user's credentials for authentication purposes. Therefore, if a
user specifies an incorrect password, the user's account is "charged" twice for
one authentication attempt. Netlogon logging tracks only NTLM authentication attempts. To track invalid Kerberos logon attempts, you must use Kerberos logging. RESOLUTIONTo resolve this problem, install the latest Windows 2000 service pack.
For additional information about how to obtain the latest service pack for Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:
260910
(http://support.microsoft.com/kb/260910/
)
How to obtain the latest Windows 2000 service pack
STATUSMicrosoft has
confirmed that this is a problem in the Microsoft products that are listed at
the beginning of this article.
This problem was first corrected in Windows 2000 Service Pack 4 (SP4). MORE INFORMATION
For additional information about service packs and hotfixes that are available to resolve account-lockout issues in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:
817701
(http://support.microsoft.com/kb/817701/
)
Service packs and hotfixes that are available to resolve account lockout issues
For additional information
about Netlogon logging, click the following article number to view the article in the Microsoft Knowledge Base:
189541
(http://support.microsoft.com/kb/189541/
)
Using the checked Netlogon.dll to track account lockouts
For additional information
about Kerberos event logging, click the following article number to view the article in the Microsoft Knowledge Base:
262177
(http://support.microsoft.com/kb/262177/
)
How to enable Kerberos event logging
For additional information about a related
topic, click the following article number to view the article in the Microsoft Knowledge Base:
109626
(http://support.microsoft.com/kb/109626/
)
Enabling debug logging for the Netlogon Service
| Article Translations
|
| United States | Change | | | All Microsoft Sites |
Back to the top
|
