Are the failed password attempts to different domain controllers cumulative?

active-directory

If I have two domain controllers (DCs) in my environment and two different computers are used to log in to the separate domain controllers, can the password attempts be exceeded?

Additionally, does the reset mechanism work in the same way?

Example for clarity:
My password lockout limit is set to five attempts.

  • Computer 1 attempts to log in to DC1 – unsuccessfully
  • Computer 1 attempts to log in to DC1 – unsuccessfully
  • Computer 1 attempts to log in to DC1 – unsuccessfully

And

  • Computer 2 attempts to log in to DC2 – unsuccessfully
  • Computer 2 attempts to log in to DC2 – unsuccessfully
  • Computer 2 attempts to log in to DC2 – unsuccessfully

Is this account now locked?

Note: Computer 2 was added for clarity. The same situation could occur in times of network distress with one computer.

Best Answer

Yes, the account will be locked out.

As documented in the Advanced Replication Management documentation:

Account lockout is a security feature that sets a limit on the number of failed authentication attempts that are allowed before the account is "locked out" from a further attempt to log on, in addition to a time limit for how long the lockout is in effect.
In Windows 2000, account lockout is urgently replicated to the primary domain controller (PDC) emulator role owner and is then urgently replicated to the following:

  1. Domain controllers in the same domain that are located in the same site as the PDC emulator.

  2. Domain controllers in the same domain that are located in the same site as the domain controller that handled the account lockout.

  3. Domain controllers in the same domain that are located in sites that have been configured to allow change notification between sites (and, therefore, urgent replication) with the site that contains the PDC emulator or with the site where the account lockout was handled. These sites include any site that is included in the same site link as the site that contains the PDC emulator or in the same site link as the site that contains the domain controller that handled the account lockout.

In addition, when authentication fails at a domain controller other than the PDC emulator, the authentication is retried at the PDC emulator. For this reason, the PDC emulator locks the account before the domain controller that handled the failed-password attempt if the bad-password-attempt threshold is reached.

So to summarize, as bad password attempts are prioritized and every bad password attempt is also retried at the PDC emulator, your account will be locked out by any properly replicating domain controller.

There are, however, a few exceptions that might allow you more than your allotted number of logins:

  1. Mixed Environments with Windows NT Server 4.0 and Active Directory Domain Controllers
  2. Inputting a recent password does not increase the bad password count
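As an added example (not part of the answer above), the following PowerShell script shows the behaviour described: badPwdCount is kept per domain controller and not replicated, while the PDC emulator's tally aggregates the retried failures, so it is the value to compare against the lockout threshold when diagnosing a lockout. It assumes the RSAT ActiveDirectory module, and the user name is a placeholder parameter.

```powershell
# Added example, not the answer's own code. Queries every writable DC for one user's
# per-DC bad-password counters and lockout state, then compares the PDC emulator's
# count with the effective lockout threshold. Assumes the RSAT ActiveDirectory module.
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName   # placeholder: the account being investigated
)

Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator

# badPwdCount is a non-replicated attribute, so each DC must be asked directly.
# RODCs are skipped because they only hold cached counters for a subset of accounts.
$results = foreach ($dc in Get-ADDomainController -Filter { IsReadOnly -eq $false }) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
            -Properties badPwdCount, badPasswordTime, lockoutTime, LockedOut, LastBadPasswordAttempt
        [pscustomobject]@{
            DC          = $dc.HostName
            IsPDC       = ($dc.HostName -eq $pdc)
            BadPwdCount = $u.badPwdCount
            LastBadPwd  = $u.LastBadPasswordAttempt
            LockedOut   = $u.LockedOut
            # lockoutTime is a FILETIME; 0 means the account is not locked on this DC
            LockoutTime = if ($u.lockoutTime -gt 0) { [DateTime]::FromFileTime($u.lockoutTime) } else { $null }
        }
    } catch {
        # A DC that cannot be reached still appears in the report so gaps are visible.
        [pscustomobject]@{ DC = $dc.HostName; IsPDC = ($dc.HostName -eq $pdc)
                           BadPwdCount = 'unreachable'; LastBadPwd = $null
                           LockedOut = $null; LockoutTime = $null }
    }
}

$results | Sort-Object IsPDC -Descending | Format-Table -AutoSize

# The effective policy may be a fine-grained password policy; fall back to the domain default.
$policy = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }

$pdcCount = ($results | Where-Object IsPDC | Select-Object -First 1).BadPwdCount
"Lockout threshold: $($policy.LockoutThreshold) (observation window $($policy.LockoutObservationWindow))"
"PDC emulator badPwdCount: $pdcCount (failures at other DCs are retried here, so this is the cumulative figure)"
```

The per-DC rows show why attempts against DC1 and DC2 add up: each DC reports its own failures, but the PDC emulator row reflects both sets, and the lockout it sets is then urgently replicated as the answer describes.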