
bad password count - replication

Status
Not open for further replies.

prinand

MIS
Jun 13, 2000
98
GB
Troubleshooting frequent lockouts for a customer.

I did download ALTools.exe from Microsoft, and the LockoutStatus.exe utility displays the bad password count on all our DCs
(search Microsoft TechNet for more info on the tools)

There is one DC that is showing that my bad password count is 1 (this is not my regular logon server).

I did force 2 bad logons, and they were properly displayed at my default logon server, and also when I checked my tab additional account info (ACCTINFO.DLL - also in the ALTools.exe) I had 2 as my bad password count -
it should be 3..... because I am at 2 at my default logon server, and this other one is at 1.....

Then I did a successful logon, and the bad password count was reset again at the default logon server, but not the other DC, but in the additional account info page, it showed that my bad password count was 0 again.

Can someone explain the replication / bad password count and reset of this counter when there is a successful logon? In my opinion it should sync around the globe that my count should be 0 again. There may be a delay, but there is 24 hours between the 2 checks, and no failed logons (only successful logons), so they should all be 0 ???? I was told that it could take up to 30 minutes before this is replicated, but it is now 24 hours later and still at 1 for that DC.....

SO.... what I now did was use Terminal Services to connect to this distant DC and did a logon attempt with a successful password entry, and now it was reset on this DC too....

So I guess this proves that the DCs do not sync the bad password count, and if you are logging on to various servers around the globe, you could have various bad logon counts around the globe, and if you are unlucky that one is already at 3 the first time you try to log in and accidentally put in a faulty password, it is locked even though you may have used the same account somewhere else in the world and did a successful logon.

Is the above assumption correct, and is there something that can be done to have the bad password count synced automatically ??

If someone can answer the questions in bold ...

thanks in advance
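
Added example, not part of the original post: a PowerShell function that reads `badPwdCount` and `badPasswordTime` (attributes Active Directory keeps separately on each domain controller and does not replicate) from every DC for one account, which is the same per-DC view LockoutStatus.exe gives. It assumes the ActiveDirectory module from RSAT is installed; the function names and the account name `jdoe` are hypothetical.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory
# module from RSAT; 'jdoe' in the usage line is a placeholder account name.
Import-Module ActiveDirectory

function ConvertFrom-AdFileTime {
    param($Value)
    # 0 or empty means the event was never recorded on that DC
    if ($Value) { [datetime]::FromFileTime([int64]$Value) } else { $null }
}

function Get-BadPwdCountPerDC {
    param([Parameter(Mandatory)] [string] $Identity)

    foreach ($dc in Get-ADDomainController -Filter *) {
        $row = [ordered]@{
            DC              = $dc.HostName
            Site            = $dc.Site
            IsPdcEmulator   = $dc.OperationMasterRoles -contains 'PDCEmulator'
            BadPwdCount     = $null
            LastBadPassword = $null
            LastLogon       = $null
            LockedOut       = $null
            Error           = $null
        }
        try {
            # -Server pins the query to this DC, so the values are that DC's own copy
            $u = Get-ADUser -Identity $Identity -Server $dc.HostName `
                     -Properties badPwdCount, badPasswordTime, lastLogon, LockedOut `
                     -ErrorAction Stop
            $row.BadPwdCount     = $u.badPwdCount
            $row.LastBadPassword = ConvertFrom-AdFileTime $u.badPasswordTime
            $row.LastLogon       = ConvertFrom-AdFileTime $u.lastLogon
            $row.LockedOut       = $u.LockedOut
        } catch {
            # An unreachable DC is reported in the row instead of stopping the sweep
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

# Usage: highest counters first, so the DC nearest the lockout threshold is on top
Get-BadPwdCountPerDC -Identity 'jdoe' |
    Sort-Object BadPwdCount -Descending |
    Format-Table -AutoSize
```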
 