How Windows NT Handles Incorrect User/Machine Account Passwords

ID: Q200900

The information in this article applies to:

Microsoft Windows NT Server versions 3.51, 4.0
Microsoft Windows NT Workstation versions 3.51, 4.0
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server

SUMMARY

If you type an incorrect password when you log on to a computer running Windows NT Workstation 4.0 or later that has a secure channel with a backup domain controller (BDC), the BDC checks the primary domain controller (PDC) before it denies the logon attempt to the workstation.

If the PDC has the updated password, the BDC grants the secure channel request with the workstation and then immediately synchronizes with the PDC.

MORE INFORMATION

Machine account passwords behave differently than logon passwords. During the authentication process when the workstation is setting up a secure channel with a BDC, it sends the machine account password for authentication. If the password the workstation sends does not match the password on the BDC for this machine account, the BDC does not verify the password with the PDC. Instead, it logs an error 5722 in the System Event log and denies the logon attempt to the workstation.

In Windows 2000 this behavior changes. Machine account passwords behave like user account passwords and the BDC verifies a password with the PDC before denying a logon attempt to the workstation.

Additional query words: kbDSupport

Keywords :
Version : WINDOWS:2000; winnt:3.51,4.0
Platform : WINDOWS winnt
Issue type : kbinfo