0

What happens if a user tries a wrong password in different DCs (sites)? How does the lockout occur after the bad password count meets the threshold?

The account lockout threshold value is 3.

For example, I have 3 sites: Site A, B, and C.

If a user enters a wrong password in site A, then the same user tries to log in with wrong credentials in site B, and then the same in site C, will the account now be locked out, and how?

  • There are several nuances and not all incorrect passwords are treated equally with regard to updating `badPwdCount` and `badPasswordTime` and their (immediate) effect for account lockout - See: https://social.technet.microsoft.com/wiki/contents/articles/32490.active-directory-bad-passwords-and-account-lockout.aspx and when monitoring effects: The attributes `logonCount`, `badPwdCount`, and `badPasswordTime` are not replicated, so each domain controller maintains its own values for each user – HBruijn May 16 '23 at 14:54
  • @HBruijn Thank you for answering. Can you please tell me why some attributes are not replicated? – Sandy Santhosh May 17 '23 at 10:34
  • I have no idea why certain design decisions were made by the AD design team at Microsoft HQ. As an end-user that is just the way things are – HBruijn May 17 '23 at 18:53
  • @HBruijn OK. I have one doubt: the PDC master is responsible for the common `badPwdCount` attribute. If the PDC master is in one site and `badPwdCount` is 2 while the lockout threshold value is 3, and the user now logs in at another site with wrong credentials, will the account be locked out? – Sandy Santhosh May 18 '23 at 09:45

1 Answer

3

The default is for a bad password detected on a local DC to be submitted to the PDCe to check for recent password changes. The PDCe keeps track and locks out the account when the threshold is achieved. You can configure AD not to forward over a WAN.

The reason they are forwarded to the PDCe is that password changes are also forwarded immediately (using urgent replication) to the PDCe so if your password change happens against one DC and you immediately try to authenticate against another, you aren't denied access. Again, you can configure AD not to do this.

See the article Password change processing and conflict resolution functionality in Windows for more information.

  • This is all great info, but I'd definitely discourage anyone from messing with the default configuration. Bad password attempts get forwarded to the PDCE from all DCs. Once the lockout threshold counter is breached at the PDCE, the account is locked and all DCs notified via urgent replication. If someone is trying to attack AD, switching to a different DC should make no difference - it's all the same domain (that's the logic, at least). And it's well-known behaviour, easy to track. If it's a nuisance, reducing the lockout interval often helps while protecting against dictionary-type attacks. – LeeM Jun 07 '23 at 22:57
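Because `badPwdCount` and `badPasswordTime` are not replicated (HBruijn's comment) while the PDCe receives the forwarded bad attempts (the answer above), the practical way to see where failed logons are landing is to read each DC's own copy of the attributes and compare it with the PDCe's. The script below is an added example, not code from the original post or from Microsoft; it assumes the RSAT `ActiveDirectory` module, read access to the user object, and network reachability to every DC, and `$SamAccountName` is a placeholder parameter.

```powershell
# Added example: compare a user's per-DC badPwdCount with the PDCe copy.
# Assumes the ActiveDirectory module (RSAT) and rights to read the user object.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName   # placeholder input
)

Import-Module ActiveDirectory

$domain    = Get-ADDomain
$pdce      = $domain.PDCEmulator
$policy    = Get-ADDefaultDomainPasswordPolicy   # threshold/window from the default domain policy

Write-Host "PDCe: $pdce"
Write-Host "Lockout threshold: $($policy.LockoutThreshold), observation window: $($policy.LockoutObservationWindow)"

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # -Server forces the read against this specific DC, so we get its local, unreplicated values
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                -Properties badPwdCount, badPasswordTime, lockoutTime, LockedOut
        [pscustomobject]@{
            DC              = $dc.HostName
            Site            = $dc.Site
            IsPDCe          = ($dc.HostName -eq $pdce)
            BadPwdCount     = $u.badPwdCount
            # badPasswordTime is a Windows FILETIME (0 when never set)
            LastBadPassword = if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) } else { $null }
            LockedOut       = $u.LockedOut
        }
    } catch {
        # A DC that cannot be reached (e.g. across a WAN) still gets a row so the gap is visible
        Write-Warning "Could not query $($dc.HostName): $_"
        [pscustomobject]@{
            DC = $dc.HostName; Site = $dc.Site; IsPDCe = ($dc.HostName -eq $pdce)
            BadPwdCount = $null; LastBadPassword = $null; LockedOut = $null
        }
    }
}

# PDCe row first: its count reflects attempts forwarded from all DCs,
# while every other row shows only the attempts that DC saw itself.
$results | Sort-Object IsPDCe -Descending | Format-Table -AutoSize
```

Run it while the observation window is still open; once the window expires the counts reset to 0 on each DC and the per-site picture is gone.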