Windows NT Account Lockout Feature Unsupported In Mixed Domains

Last reviewed: September 9, 1996
Article ID: Q125998
The information in this article applies to:
  • Microsoft LAN Manager version 2.x
  • Microsoft Windows NT Advanced Server version 3.1
  • Microsoft Windows NT Server version 3.5
  • Microsoft Windows NT Server version 3.51
  • Microsoft Windows NT Server version 4.0

SUMMARY

Account lockout is supported only in a domain whose domain controllers all run Windows NT Server 3.5 or later. It is not supported by downlevel domain controllers such as Windows NT Advanced Server 3.1 and LAN Manager 2.x. If account lockout is enabled in a mixed domain, a downlevel backup domain controller can still validate a locked-out account and can cause the bad password count to accumulate incorrectly, so the feature cannot be relied on for security.

MORE INFORMATION

Account lockout is available as a new feature in domains consisting of Windows NT 3.5, 3.51, and 4.0 Servers configured as domain controllers. The Windows NT Server System Guide defines account lockout as follows:

   The account lockout feature enables you to make Windows NT Server more
   secure from intruders who try to log on by guessing the passwords of
   existing user accounts. When account lockout is enabled, a user account
   becomes locked if there are a number of incorrect attempts to log on to
   that account within a specified amount of time. Locked accounts cannot
   log on. A locked account remains locked until an administrator unlocks
   it, or until a specified amount of time passes, depending on how you
   configure account lockout. By default, account lockout is disabled.

If downlevel servers exist in the domain, account lockout cannot be considered a dependable security feature, for two reasons. First, a Windows NT Advanced Server backup domain controller (BDC) may authenticate a user even though the account is marked as locked out on the Windows NT 3.5x/4.0 domain controller, and Windows NT Advanced Server BDCs cannot participate in unlocking an account. Second, the bad password count can become stale: the Windows NT Advanced Server BDC increments the bad password count when a user logs on with an incorrect password and reports the increment to the Windows NT 3.5x/4.0 domain controller, but it does not inform the Windows NT 3.5x/4.0 domain controller when the user subsequently logs on with the correct password. Consequently, the bad password count is not reset after the successful logon, and a user who occasionally mistypes a password can be locked out even though each mistake was followed by a successful logon.

The account lockout feature of LAN Manager is not compatible with the account lockout feature of Windows NT 3.5x/4.0 Server. The Windows NT 3.5x/4.0 domain controller does not replicate any account lockout information to a LAN Manager BDC. If the account is marked locked out on the Windows NT 3.5x/4.0 domain controller, the LAN Manager BDC may still validate the user. The LAN Manager BDC will show its account lockout policy set to Never, even in a Windows NT 3.5x/4.0 domain where account lockout has been enabled.
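The two failure modes described above, lockout bypass through a downlevel BDC and a bad password count that a downlevel BDC never resets, as a small Python model. This is an added example, not code from the article or from Microsoft: the classes, account names, passwords, and policy values are constructed, and the model ignores everything about Windows NT authentication except the replication behavior the article describes (bad password increments flow from the BDC to the NT domain controller; successful logons and the lockout flag do not).

```python
"""Toy model of Windows NT account lockout in a mixed domain (constructed example)."""
from dataclasses import dataclass


@dataclass
class Account:
    name: str
    password: str
    bad_count: int = 0         # bad password count held by the NT DC
    first_bad_at: float = 0.0  # start of the current observation window
    locked_out: bool = False   # lockout flag, known only to NT 3.5x/4.0 DCs
    locked_at: float = 0.0


class NtDomainController:
    """Windows NT 3.5x/4.0 DC: owns the lockout policy and the lockout flag."""

    def __init__(self, threshold, window, duration):
        self.threshold = threshold  # bad attempts before lockout (assumed policy values)
        self.window = window        # observation window, seconds
        self.duration = duration    # lockout duration, seconds (0 = until admin unlock)
        self.accounts = {}

    def add_user(self, name, password):
        self.accounts[name] = Account(name, password)

    def _locked(self, acct, now):
        # Automatic unlock once the lockout duration has elapsed.
        if acct.locked_out and self.duration and now - acct.locked_at >= self.duration:
            acct.locked_out, acct.bad_count = False, 0
        return acct.locked_out

    def record_bad_password(self, name, now):
        """Bad logon seen locally or reported by any BDC in the domain."""
        acct = self.accounts[name]
        if acct.bad_count == 0 or now - acct.first_bad_at > self.window:
            acct.bad_count, acct.first_bad_at = 0, now  # new observation window
        acct.bad_count += 1
        if acct.bad_count >= self.threshold:
            acct.locked_out, acct.locked_at = True, now

    def logon(self, name, password, now):
        acct = self.accounts[name]
        if self._locked(acct, now):
            return False            # locked accounts cannot log on
        if password == acct.password:
            acct.bad_count = 0      # a successful logon resets the count
            return True
        self.record_bad_password(name, now)
        return False


class DownlevelBdc:
    """NT Advanced Server 3.1 / LAN Manager 2.x BDC.

    Holds a replica of the account database but no lockout flag. It reports
    bad password increments to the NT DC and never reports successful logons.
    """

    def __init__(self, dc):
        self.dc = dc

    def logon(self, name, password, now):
        acct = self.dc.accounts[name]   # replicated account; locked_out is ignored
        if password == acct.password:
            return True                 # validated even if locked; DC count not reset
        self.dc.record_bad_password(name, now)
        return False


def lockout_bypass(threshold=3):
    """Attacker guesses at the downlevel BDC, then uses the right password there."""
    dc = NtDomainController(threshold, window=1800, duration=3600)
    bdc = DownlevelBdc(dc)
    dc.add_user("alice", "correct-horse")
    for i in range(threshold):
        bdc.logon("alice", f"guess{i}", now=float(i))
    locked_on_dc = dc.accounts["alice"].locked_out
    dc_accepts = dc.logon("alice", "correct-horse", now=10.0)
    bdc_accepts = bdc.logon("alice", "correct-horse", now=11.0)
    return locked_on_dc, dc_accepts, bdc_accepts   # (True, False, True)


def stale_bad_count(threshold=3):
    """A legitimate user alternates typos and good logons; BDC path versus DC path."""
    results = []
    for via_bdc in (True, False):
        dc = NtDomainController(threshold, window=1800, duration=3600)
        server = DownlevelBdc(dc) if via_bdc else dc
        dc.add_user("bob", "s3cret")
        for t, pw in enumerate(["typo1", "s3cret", "typo2", "s3cret", "typo3"]):
            server.logon("bob", pw, now=float(t))
        results.append(dc.accounts["bob"].locked_out)
    return tuple(results)   # (True, False): the BDC path locks bob, the DC path does not
```

`lockout_bypass` shows that directing guesses at the downlevel BDC still trips the lockout flag on the NT domain controller, but the BDC goes on validating the correct password, so an attacker who can reach the BDC loses nothing. `stale_bad_count` shows the opposite problem: because successful logons through the BDC are never reported, three typos spread across otherwise successful sessions lock the account, while the same sequence against the NT domain controller never does.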


KBCategory: kbnetwork
KBSubcategory: ntdomain ntsecurity NTSrvWkst
Additional reference words: 2.00 2.10 2.20 2.20a 2.20b 2.20c 3.10 3.50 4.00
prodnt crossnet protocol NTAS



THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

© 1998 Microsoft Corporation. All rights reserved.