Account lockout event also stored in Security event log on domain controller

Article translations Article translations
Article ID: 182918 - View products that this article applies to.
This article was previously published under Q182918


IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information on how to do this, view the "Restoring the Registry" online Help topic in Regedit.exe or the "Restoring a Registry Key" online Help topic in Regedt32.exe.
Expand all | Collapse all

On This Page

SYMPTOMS

When users enter a series of incorrect passwords in an attempt to log on to Windows NT using domain accounts and the Bad Logon Attempts limit for the account is reached, the account is locked out at the domain controller.

Windows NT generates an account lockout event (Event ID: 539) on the workstation where the failed logon attempts occurred if the audit policy on that workstation enables auditing of failed logon/logoff events. However, no event is logged at the domain controller. Administrators must search the event logs of all client systems to locate the computer where the bad password attempts originated.

RESOLUTION

Service pack information

To resolve this problem, obtain the latest service pack for Windows NT 4.0 or Windows NT Server 4.0, Terminal Server Edition. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
152734 How to obtain the latest Windows NT 4.0 service pack

Hotfix information

Before you apply the hotfix

Because this hotfix makes a modification to the on-disk storage of the LSA data information, Microsoft does not recommend that it be uninstalled. Perform the following steps to ease the transition back to a pre-LSA2-fix configuration in case you experience problems with the hotfix:
  1. Perform a Full System Backup.
  2. Run Rdisk /s. Using the /s command-line switch with Rdisk.exe causes the Sam._ and Security._ databases to be copied to the %Systemroot%\Repair folder.
  3. Create a temporary folder under the %Systemroot% folder called Lsabackout.
  4. Copy the following files from the %Systemroot\System32 folder to the %Systemroot%\Lsabackout folder as they are updated by LSA2-fix:
    Eventlog.dll
    Lsasrv.dll
    Msaudite.dll
    Msv1_0.dll
    Netcfg.dll
    Samlib.dll
    Samsrv.dll
    Services.exe
    Srvmgr.exe
    Xactsrv.dll
  5. Create an updated Emergency Repair Disk (ERD) which updates the on-disk SAM and Registry information in the %Systemroot%\System32\Config folder.


Note This hotfix supersedes the fix referred to in the following articles in the Microsoft Knowledge Base:

ARTICLE-ID: 154087
TITLE : Access Violation in LSASS.EXE Due to Incorrect Buffer Size

ARTICLE-ID: 174205
TITLE : LSASS May Use a Large Amount of Memory on a Domain Controller

ARTICLE-ID: 129457
TITLE : Anonymous Connections May Be Able to Obtain the Password Policy


This hotfix has been posted as Lsa2fixi.exe (x86) and Lsa2fixa.exe (Alpha). For your convenience, the English version of this post-SP3 hotfix has been posted to the following Internet location. However, Microsoft recommends that you install Windows NT 4.0 Service Pack 4 to correct this problem.

NOTE: An updated version of this hotfix was posted on July 20, 1998 and provides an additional security level to systems running Windows NT 4.0 Service Pack 3.

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/lsa2-fix/

If you run Systems Management Server on systems where this hotfix is applied, the SNMP Event Log Extension Agent (Snmpelea) generates the following Event ID 3007 error:

   Error opening event log file Security.
   Log will not be processed.
   Return code from OpenEventLog is 1314.
				


The SNMP Event Log Extension Agent requires an update to manage the security event log. To resolve the SNMP Event Log Extension Agent problem, please see the following article in the Microsoft Knowledge Base:

ARTICLE-ID: 183770
TITLE : SMS: Snmpelea Unable to Open Security Event Log

STATUS

Microsoft has confirmed that this is a problem in Windows NT 4.0 and Windows NT Server 4.0, Terminal Server Edition. This problem was first corrected in Windows NT 4.0 Service Pack 4.0 and Windows NT Server 4.0, Terminal Server Edition Service Pack 4.

Properties

Article ID: 182918 - Last Review: November 1, 2006 - Revision: 5.2
APPLIES TO
  • Microsoft Windows NT Server 4.0, Terminal Server Edition
  • Microsoft Windows NT Server 4.0 Standard Edition
  • Microsoft Windows NT Server 4.0 Enterprise Edition
  • Microsoft BackOffice Small Business Server 4.0
Keywords: 
kbbug kbfea kbfix KB182918

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com