Account Lockout Because Bad Password Count Field (BadPwdCount) is Not Reset to 0

Article ID: 263821 - View products that this article applies to.
This article was previously published under Q263821
Expand all | Collapse all

SYMPTOMS

User accounts may get locked out in a mixed environment with Windows 2000-based domains and Microsoft Windows NT 4.0-based domains.

This issue can also occur when new user accounts are created and the user changes their password on initial logon. If the default account policy is configured for User Must Change Password at Next Logon, this can also occur. If the user connects to NT 4.0 or Windows 2000 servers immediately on login, the account can be locked out within seconds depending on the number of bad passwords allowed within Account Lockout threshold.
Back to the top | Give Feedback

CAUSE

When a Windows 2000-based domain controller receives an NTLM authentication request, it tries to validate the password in its database. If it does not succeed, it increments the bad password count, and passes the request to the primary domain controller because the database may not be synchronized.

If the primary domain controller responds to the domain controller that forwarded the request with successful validation, the bad password count for the user on the domain controller should be reset to 0. However, the domain controller is not resetting the count to 0.

This problem may only be seen in the Windows 2000 environment because UAS replication does not occur as frequently as in the Windows NT 4.0 domain environment. User passwords between domain controllers may be out of synchronization for longer period of time. Also, the bad password count field is not replicated between the domain controllers.

The fix described in this article should be applied to all Windows 2000-based domain controllers to eliminate the issue described above.
Back to the top | Give Feedback

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910
(http://support.microsoft.com/kb/260910/EN-US/ )
How to Obtain the Latest Windows 2000 Service Pack
The English version of this fix should have the following file attributes or later:
Date         Time     Version         Size      File name
-----------------------------------------------------------------
7/17/2001    04:52p   5.0.2195.3870   501,520   Samsrv.dll (56-bit)
7/18/2001    05:55p   5.0.2195.3858   355,088   Advapi32.dll
7/18/2001    05:55p   5.0.2195.3649   135,440   Dnsapi.dll
7/18/2001    05:55p   5.0.2195.3649    94,992   Dnsrslvr.dll
7/18/2001    05:51p   5.0.2195.3870   519,440   Instlsa5.dll
7/18/2001    05:56p   5.0.2195.3817   142,608   Kdcsvc.dll
7/17/2001    05:08p   5.0.2195.3872   197,392   Kerberos.dll
6/26/2001    08:16p   5.0.2195.3781    69,456   Ksecdd.sys
7/17/2001    04:52p   5.0.2195.3870   501,520   Lsasrv.dll
7/17/2001    04:52p   5.0.2195.3870    33,552   Lsass.exe
7/18/2001    05:56p   5.0.2195.3776   306,448   Netapi32.dll
7/18/2001    05:56p   5.0.2195.3776   357,648   Netlogon.dll
7/18/2001    05:56p   5.0.2195.3868   909,072   Ntdsa.dll
7/18/2001    05:56p   5.0.2195.3848   382,224   Samsrv.dll
7/18/2001    05:56p   5.0.2195.3781   128,784   Scecli.dll
7/18/2001    05:55p   5.0.2195.3649   299,792   Scesrv.dll
7/18/2001    05:55p   5.0.2195.3649    48,400   W32time.dll
5/29/2001    09:26a   5.0.2195.3649    56,080   W32tm.exe

Back to the top | Give Feedback

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.
Back to the top | Give Feedback

MORE INFORMATION

For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:
265173
(http://support.microsoft.com/kb/265173/EN-US/ )
Datacenter Program and Windows 2000 Datacenter Server Product
For additional information on how to install multiple hotfixes with only one reboot, click the article number below to view the article in the Microsoft Knowledge Base:
296861
(http://support.microsoft.com/kb/296861/EN-US/ )
Use QChain.exe to Install Multiple Hotfixes with One Reboot
For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:
249149
(http://support.microsoft.com/kb/249149/EN-US/ )
Installing Microsoft Windows 2000 and Windows 2000 Hotfixes
Back to the top | Give Feedback

Properties

Article ID: 263821 - Last Review: February 19, 2007 - Revision: 3.4
APPLIES TO
  • Microsoft Windows 2000 Service Pack 1
  • Microsoft Windows 2000 Service Pack 2
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Service Pack 1
  • Microsoft Windows 2000 Service Pack 2
Keywords: 
kbbug kbfix kbwin2000presp3fix kbqfe kbwin2000sp3fix kbsecurity kbhotfixserver KB263821
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top