Windows NT Account Lockout Feature Unsupported In Mixed Domains

ID: Q125998

The information in this article applies to:

Microsoft LAN Manager version 2.x
Microsoft Windows NT Advanced Server version 3.1
Microsoft Windows NT Server versions 3.5, 3.51, 4.0

SUMMARY

Account lockout is only supported in a domain consisting entirely of Windows NT 3.5 servers or later. Account lockout is not supported by downlevel servers such as Windows NT Advanced Server 3.1 and LAN Manager 2.x. If account lockout is used in a mixed environment, security problems may occur.

MORE INFORMATION

Account lockout is available as a new feature in domains consisting of Windows NT 3.5, 3.51 and 4.0 Servers configured as domain controllers The Windows NT Server System Guide defines account lockout as follows:

The account lockout feature enables you to make Windows NT Server more secure from intruders who try to log on by guessing the passwords of existing user accounts. When account lockout is enabled, a user account becomes locked if there are a number of incorrect attempts to log on to that account within a specified amount of time. Locked accounts cannot log on. A locked account remains locked until an administrator unlocks it, or until a specified amount of time passes, depending on how you configure account lockout. By default, account lockout is disabled.

If downlevel servers exist in the domain, account lockout cannot be considered a dependable security feature. For example, a Windows NT Advanced Server backup domain controller (BDC) may authenticate a user even though the account is marked as locked out on the Windows NT 3.5X\4.0 domain controller. Also, Windows NT Advanced Server BDCs are not able to participate in getting an account unlocked. The Windows NT Advanced Server is able to increment the bad password count when the user logs in with an incorrect password, and is able to report the increment to the Windows NT 3.5X/4.0 domain controller. However, the Windows NT Advanced Server BDC does not inform the Windows NT 3.5X\4.0 domain controller if the user logs on with the correct password. Consequently, the bad password count does not get reset after the successful logon.

The account lockout feature of LAN Manager is not compatible with the account lockout feature of Window NT 3.5X/4.0 Server. The Windows NT 3.5X\4.0 domain controller does not replicate any account lockout information to a LAN Manager BDC. If the account is marked locked out on the Windows NT 3.5X\4.0 domain controller, the LAN Manager BDC may still validate the user. The LAN Manager BDC will show account lockout policy set to Never, even in a Windows NT 3.5X\4.0 domain where account lockout has been enabled.

Additional query words:


Keywords          : ntdomain ntsecurity NTSrvWkst 
Version           : winnt:3.5,3.51,4.0
Platform          : winnt 
Issue type        :

Last Reviewed: March 19, 1999