How Windows NT Handles Incorrect User/Machine Account Passwords

ID: Q200900


The information in this article applies to:


SUMMARY

If you type an incorrect password when you log on to a computer running Windows NT Workstation 4.0 or later that has a secure channel with a backup domain controller (BDC), the BDC checks with the primary domain controller (PDC) before it denies the logon attempt to the workstation.

If the PDC has the updated password, the BDC grants the secure channel request with the workstation and then immediately synchronizes with the PDC.


MORE INFORMATION

Machine account passwords behave differently than logon passwords. During the authentication process when the workstation is setting up a secure channel with a BDC, it sends the machine account password for authentication. If the password the workstation sends does not match the password on the BDC for this machine account, the BDC does not verify the password with the PDC. Instead, it logs an error 5722 in the System Event log and denies the logon attempt to the workstation.

In Windows 2000, this behavior changes. Machine account passwords behave like user account passwords, and the BDC verifies a password with the PDC before denying a logon attempt to the workstation.
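The following sketch is an added illustration, not Microsoft code and not part of the original article. It models the decision described above for the case where a password has changed on the PDC but has not yet replicated to the BDC. The class and function names, the account names, and the plain-text password strings are assumptions made for the example.

```python
# Simplified model of the behavior this article describes (added example).
from dataclasses import dataclass, field

NETLOGON_AUTH_FAILURE = 5722  # event ID named in the article


@dataclass
class DomainController:
    """Hypothetical DC holding account passwords as plain strings (illustration only)."""
    accounts: dict
    system_log: list = field(default_factory=list)


def bdc_authenticate(bdc, pdc, account, password, is_machine, os_version="NT4"):
    """Return True if the BDC accepts the credential under the article's rules."""
    if bdc.accounts.get(account) == password:
        return True  # the BDC's own copy matches
    # Mismatch on the BDC. Windows NT 4.0 does not consult the PDC for
    # machine accounts: it logs 5722 in the System log and denies.
    if is_machine and os_version == "NT4":
        bdc.system_log.append((NETLOGON_AUTH_FAILURE, account))
        return False
    # User accounts, and machine accounts on Windows 2000: ask the PDC first.
    if pdc.accounts.get(account) == password:
        bdc.accounts[account] = password  # BDC synchronizes with the PDC
        return True
    return False


def stale_bdc_scenario(os_version):
    """Both passwords were changed on the PDC; the BDC still has the old ones."""
    pdc = DomainController({"alice": "new-user-pw", "WKSTA1$": "new-machine-pw"})
    bdc = DomainController({"alice": "old-user-pw", "WKSTA1$": "old-machine-pw"})
    user_ok = bdc_authenticate(bdc, pdc, "alice", "new-user-pw", False, os_version)
    machine_ok = bdc_authenticate(bdc, pdc, "WKSTA1$", "new-machine-pw", True, os_version)
    return user_ok, machine_ok, bdc.system_log


if __name__ == "__main__":
    for version in ("NT4", "W2K"):
        print(version, stale_bdc_scenario(version))
```

When triaging error 5722 on a Windows NT 4.0 BDC, this is why a recently changed machine account password that has not yet replicated is worth checking before assuming the workstation holds a wrong password.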

Version           : winnt:3.51,4.0
Platform          : winnt 
Issue type        : kbinfo 

Last Reviewed: May 28, 1999