bad password count in different sites

Sandy Santhosh

5/16/24, 1:54 PM

What happens if a user try wrong password in different DC (sites), how come the lockout occurs after meeting threshold bad pwd count?

Account lockout threshold value is 3

for eg i have 3 sites - Site A,B,C

if a user enter wrong password in site A and then same user try to login with wrong credentials in site B and then same as site C. now the account will be lockedout and how?

180

1 + 4

active-directory

group-policy

domain-controller

password-reset

password-policy

HBruijn

5/16/24, 2:54 PM

There are several nuances and not all incorrect passwords are treated equally with regards to updating `badPwdCount` and `badPasswordTime` and their (immediate) effect for account lockout - See: https://social.technet.microsoft.com/wiki/contents/articles/32490.active-directory-bad-passwords-and-account-lockout.aspx and when monitoring effects: The attributes `logonCount`, `badPwdCount`, and `badPasswordTime` are not replicated, so each domain controller maintains its own values for each user

Sandy Santhosh

5/17/24, 10:34 AM

@HBruijn Thank you for answering. can you please tell why some attributes are non replicated?

HBruijn

5/17/24, 6:53 PM

I have no idea why certain design decisions were made by the AD design team at Microsoft HQ. As an end-user that is just the way things are

Sandy Santhosh

5/18/24, 9:45 AM

@HBruijn ok . i have one doubt - PDC master is responsible for common badPwdCount attribute . if PDC master is in one site and badPwdCount is 2 , lockoutthreshold value is 3. now user logged in another site as wrong credentials. will the account lockedout?

Score:3

Server

ssg31415926

6/7/24, 3:09 PM

The default is for a bad password detected on a local DC to be submitted to the PDCe to check for recent password changes. The PDCe keeps track and locks out the account when the threshold is achieved. You can configure AD not to forward over a WAN.

The reason they are forwarded to the PDCe is that password changes are also forwarded immediately (using urgent replication) to the PDCe so if your password change happens against one DC and you immediately try to authenticate against another, you aren't denied access. Again, you can configure AD not to do this.

See the article Password change processing and conflict resolution functionality in Windows for more information.

+ 1

LeeM

6/7/24, 10:57 PM

This is all great info, but I'd definitely discourage anyone from messing with the default configuration. Bad password attempts get forwarded to the PDCE from all DCs. Once the lockout threshold counter is breached at the PDCE, the account is locked and all DCs notified via urgent replication. If someone is trying to attack AD, switching to a different DC should make no difference - it's all the same domain (that's the logic, at least). And it's well-known behaviour, easy to track. If it's a nuisance, reducing the lockout interval often helps while protecting against dictionary-type attacks.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: bad password count in different sites

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.