Score:0

bad password count in different sites


What happens if a user tries a wrong password against different DCs (sites)? How does the lockout occur once the bad password count reaches the threshold?

The account lockout threshold value is 3.

For example, I have 3 sites: Site A, B, and C.

If a user enters a wrong password in site A, then the same user tries to log in with wrong credentials in site B, and then again in site C, the account will now be locked out. How?

HBruijn
There are several nuances, and not all incorrect passwords are treated equally with regard to updating `badPwdCount` and `badPasswordTime` and their (immediate) effect on account lockout. See: https://social.technet.microsoft.com/wiki/contents/articles/32490.active-directory-bad-passwords-and-account-lockout.aspx. Also, when monitoring the effects: the attributes `logonCount`, `badPwdCount`, and `badPasswordTime` are not replicated, so each domain controller maintains its own values for each user.
Sandy Santhosh
@HBruijn Thank you for answering. Can you please tell me why some attributes are not replicated?
HBruijn
I have no idea why certain design decisions were made by the AD design team at Microsoft HQ. As an end user, that is just the way things are.
Sandy Santhosh
@HBruijn OK. I have one doubt: the PDC master is responsible for the common badPwdCount attribute. If the PDC master is in one site and badPwdCount is 2, and the lockout threshold value is 3, and now the user logs in from another site with wrong credentials, will the account be locked out?
Score:3

The default is for a bad password detected on a local DC to be submitted to the PDCe to check for recent password changes. The PDCe keeps track and locks out the account when the threshold is achieved. You can configure AD not to forward over a WAN.

The reason they are forwarded to the PDCe is that password changes are also forwarded immediately (using urgent replication) to the PDCe so if your password change happens against one DC and you immediately try to authenticate against another, you aren't denied access. Again, you can configure AD not to do this.

See the article Password change processing and conflict resolution functionality in Windows for more information.

LeeM
This is all great info, but I'd definitely discourage anyone from messing with the default configuration. Bad password attempts get forwarded to the PDCE from all DCs. Once the lockout threshold counter is breached at the PDCE, the account is locked and all DCs notified via urgent replication. If someone is trying to attack AD, switching to a different DC should make no difference - it's all the same domain (that's the logic, at least). And it's well-known behaviour, easy to track. If it's a nuisance, reducing the lockout interval often helps while protecting against dictionary-type attacks.
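As an added example (not code from this thread, from Microsoft, or from any of the posters), the following PowerShell function makes the two points above observable: it reads the non-replicated `badPwdCount` and `badPasswordTime` attributes that HBruijn's comment mentions from every DC in the domain individually, and marks the PDC emulator, whose copy is the one that reaches the threshold according to the answer. It assumes the RSAT ActiveDirectory module, a domain-joined session with read access to the account, and the placeholder account name `jdoe`; the function name `Get-BadPwdCountPerDC` is invented for this example.

```powershell
# Added example, not from the original thread. Assumes the RSAT ActiveDirectory
# module and a domain-joined session; 'jdoe' below is a placeholder account name.
Import-Module ActiveDirectory

function Get-BadPwdCountPerDC {
    param(
        [Parameter(Mandatory)]
        [string]$SamAccountName
    )

    $pdce = (Get-ADDomain).PDCEmulator

    # Effective lockout threshold: a fine-grained password policy (PSO) applied to
    # the account wins over the default domain policy.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) {
        $threshold = $pso.LockoutThreshold
    } else {
        $threshold = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold
    }

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # -Server binds to this one DC, so badPwdCount and badPasswordTime are
            # that DC's local view (not replicated). lockoutTime, by contrast, is
            # replicated, so it should agree everywhere once a lockout has happened.
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                 -Properties badPwdCount, badPasswordTime, lockoutTime, LockedOut `
                 -ErrorAction Stop

            # Both timestamps are stored as FILETIME; 0 means "never".
            $badTime = $null
            if ($u.badPasswordTime -gt 0) { $badTime = [DateTime]::FromFileTime($u.badPasswordTime) }
            $lockTime = $null
            if ($u.lockoutTime -gt 0) { $lockTime = [DateTime]::FromFileTime($u.lockoutTime) }

            [pscustomobject]@{
                DC              = $dc.HostName
                Site            = $dc.Site
                IsPDCe          = ($dc.HostName -eq $pdce)
                BadPwdCount     = $u.badPwdCount
                BadPasswordTime = $badTime
                LockedOut       = $u.LockedOut
                LockoutTime     = $lockTime
                Threshold       = $threshold
                Error           = $null
            }
        } catch {
            # An unreachable DC is worth listing explicitly: its local count is unknown,
            # and a DC that cannot reach the PDCe is exactly the case where counts diverge.
            [pscustomobject]@{
                DC              = $dc.HostName
                Site            = $dc.Site
                IsPDCe          = ($dc.HostName -eq $pdce)
                BadPwdCount     = $null
                BadPasswordTime = $null
                LockedOut       = $null
                LockoutTime     = $null
                Threshold       = $threshold
                Error           = $_.Exception.Message
            }
        }
    }
}

# Usage: list the PDCe row first, since its badPwdCount is the one compared to the threshold.
Get-BadPwdCountPerDC -SamAccountName 'jdoe' |
    Sort-Object IsPDCe -Descending |
    Format-Table DC, Site, IsPDCe, BadPwdCount, BadPasswordTime, LockedOut, LockoutTime, Threshold, Error -AutoSize
```

Reading the output against the scenario in the question: with forwarding left at its default, each of the three site DCs shows the single failure it saw, while the PDCe row shows all three and is the one whose `BadPwdCount` reaches `Threshold`, after which `LockedOut` and `LockoutTime` appear on every DC. A non-PDCe DC whose local count is higher than the PDCe's is the signature of forwarding to the PDCe being disabled over the WAN (the configuration the answer mentions) or of the PDCe being unreachable from that site, and in that state an attacker can spread attempts across DCs without tripping the threshold.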