You are currently offline, waiting for your internet to reconnect

Increased account lockout frequency in a Windows 2000 domain

This article was previously published under Q264678
SYMPTOMS
In a domain that contains Microsoft Windows 2000-based domain controllers and Windows 2000-based servers or clients, users may experience account lockouts with fewer incorrect authentication attempts than the domain's Account Lockout policy may indicate. For example, with the domain Account Lockout policy set to allow five incorrect password attempts, users' accounts may be locked out after only three attempts with invalid credentials.

The Netlogon.log file on the primary domain controller shows only two 0xC000006A events for the user before the user is locked out:
05/26 12:25:47 [LOGON] SamLogon: Network logon of domain\user1 from MYSERVER1 Entered
05/26 12:25:47 [LOGON] SamLogon: Network logon of domain\user1 from MYSERVER1 Returns 0xC000006A
05/26 12:26:34 [LOGON] SamLogon: Network logon of domain\user1 from MYSERVER1 Entered
05/26 12:26:34 [LOGON] SamLogon: Network logon of domain\user1 from MYSERVER1 Returns 0xC000006A
05/26 12:26:54 [LOGON] SamLogon: Network logon of domain\user1 from MYSERVER1 Entered
05/26 12:26:55 [LOGON] SamLogon: Network logon of domain\user1 from MYSERVER1 Returns 0xC0000234
CAUSE
When the client tries to authenticate the user with a resource, Windows 2000 first uses the Kerberos authentication method. If the Kerberos attempt does not succeed, the client then tries the Windows NT challenge/response (NTLM) authentication protocol. Each of these methods presents the user's credentials for authentication purposes. Therefore, if a user specifies an incorrect password, the user's account is "charged" twice for one authentication attempt.

Netlogon logging tracks only NTLM authentication attempts. To track invalid Kerberos logon attempts, you must use Kerberos logging.
RESOLUTION
To resolve this problem, install the latest Windows 2000 service pack. For additional information about how to obtain the latest service pack for Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 4 (SP4).
MORE INFORMATION
For additional information about service packs and hotfixes that are available to resolve account-lockout issues in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:
817701 Service packs and hotfixes that are available to resolve account lockout issues
For additional information about Netlogon logging, click the following article number to view the article in the Microsoft Knowledge Base:
189541 Using the checked Netlogon.dll to track account lockouts
For additional information about Kerberos event logging, click the following article number to view the article in the Microsoft Knowledge Base:
262177 How to enable Kerberos event logging
For additional information about a related topic, click the following article number to view the article in the Microsoft Knowledge Base:
109626 Enabling debug logging for the Netlogon Service
Properties

Article ID: 264678 - Last Review: 02/28/2007 18:20:00 - Revision: 4.3

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
  • kbenv kbnetwork kbprb KB264678
Feedback