User accounts may get locked out in a mixed environment with Windows 2000-based domains and Microsoft Windows NT 4.0-based domains.
This issue can also occur when new user accounts are created and the user changes their password on initial logon. If the default account policy is configured for User Must Change Password at Next Logon, this can also occur. If the user connects to NT 4.0 or Windows 2000 servers immediately on login, the account can be locked out within seconds depending on the number of bad passwords allowed within Account Lockout threshold.
When a Windows 2000-based domain controller receives an NTLM authentication request, it tries to validate the password in its database. If it does not succeed, it increments the bad password count, and passes the request to the primary domain controller because the database may not be synchronized.
If the primary domain controller responds to the domain controller that forwarded the request with successful validation, the bad password count for the user on the domain controller should be reset to 0. However, the domain controller is not resetting the count to 0.
This problem may only be seen in the Windows 2000 environment because UAS replication does not occur as frequently as in the Windows NT 4.0 domain environment. User passwords between domain controllers may be out of synchronization for longer period of time. Also, the bad password count field is not replicated between the domain controllers.
The fix described in this article should be applied to all Windows 2000-based domain controllers to eliminate the issue described above.
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in theMicrosoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
The English version of this fix should have the following file attributes or later: