How the BadPwdCount attribute works in Windows 2000 and in Windows Server 2003

Article translations Article translations
Article ID: 900215 - View products that this article applies to.
Expand all | Collapse all

INTRODUCTION

This articles discusses how the bad password count attribute (BadPwdCount) works in Microsoft Windows 2000 and in Microsoft Windows Server 2003. When you submit incorrect credentials to the Active Directory directory service, the value of the BadPwdCount attribute of that user object increases. This attribute is used to determine whether a user account will be locked out based on the password lockout policy.

In Windows 2000 and in Windows Server 2003, the value of the BadPwdCount attribute should increase one time when the following conditions are true:
  • You use either the user principal name (UPN) or the Security Accounts Manager (SAM) account name (sAMAccountName) to log on to a computer.
  • You use the "Domain\UserId" format and Active Directory Service Interfaces (ADSI) functions to bind your incorrect credentials to Active Directory. For example, you use the IADsOpenDsObject::OpenDsObject method or the ADsOpenObject function.
In Windows 2000, the BadPwdCount attribute increases two times when the following conditions are true:
  • You use either the UPN or the sAMAccountName to log on to a computer.
  • You use the UPN and ADSI functions to bind your incorrect credentials to Active Directory. For example, you use the IADsOpenDsObject::OpenDsObject method or the ADsOpenObject function.


However, in Windows Server 2003, the BadPwdCount attribute increases only one time when you use the UPN to bind your incorrect credentials to Active Directory.

MORE INFORMATION

The BadPwdCount attribute should increase one time when you submit incorrect credentials to Active Directory.

However, in Windows 2000, when you use the IADsOpenDsObject::OpenDsObject method and the UPN to submit credentials, the credentials are submitted one time by NTLM authentication and one time by Kerberos authentication. Therefore, the BadPwdCount attribute increases two times.

In Windows Server 2003, the double increment does not occur.

For more information about the BadPwdCount attribute, visit the following Microsoft Web site:
http://msdn2.microsoft.com/en-us/library/ms675244.aspx
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
817701 Service packs and hotfixes that are available to resolve account lockout issues

Properties

Article ID: 900215 - Last Review: January 30, 2007 - Revision: 1.3
APPLIES TO
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Server
Keywords: 
kbhowto kbinfo KB900215

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com