Thanks Charles, I have been using that. All of this stems from something I’m 
seeing in our environment that doesn’t seem to jibe with what I have read and 
my understanding of the whole process. That’s why I’m trying to get 
clarification on this.



From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Charles F Sullivan
Sent: Tuesday, May 17, 2016 11:12 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] badPwdCount clarification

See if you can find and download lockoutstatus.exe, which is an old Resource 
Kit utility. It runs even on Windows 10. You may be able to get answers for your 
test scenarios easily from this because it brings the bad PW count, etc. from 
all DCs to one interface.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Christopher Bodnar
Sent: Tuesday, May 17, 2016 10:21 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] badPwdCount clarification

Hey Michael, this is great, thank you. One thing I still don’t get. According 
to this:

“The final logon attempt in the table succeeds because the lockoutDuration has 
expired. At this point, badPwdCount resets to zero on all DC's”

What happens for a good password attempt before account lockout? Does it reset 
the badPwdCount on all DC’s?



From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Micheal Espinola Jr
Sent: Monday, May 16, 2016 4:54 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] badPwdCount clarification

I believe this wiki article breaks it down granularly enough to answer your 
questions:

http://social.technet.microsoft.com/wiki/contents/articles/32490.active-directory-bad-passwords-and-account-lockout.aspx

--
Espi


On Mon, May 16, 2016 at 12:04 PM, Christopher Bodnar 
<christopher_bod...@glic.com> wrote:
Can someone clarify this for me, a little confused on this.

Let’s say I have 4 domain controllers (all 2008 R2) in a single site (PDCE1, 
DC2, DC3, DC4). And let’s say account lockout is set to 5, and there are no 
RODCs in the environment. Here are the various badPwdCount values on the domain 
controllers for a test account:

PDCe1=1
DC2=2
DC3=1
DC4=1

If the test account enters another bad password, the logon server that services 
the request (say DC2) will increment by 1, as well as the PDCe1. So the new 
values will be:

PDCe1=2
DC2=3
DC3=1
DC4=1

Is this correct so far? And if so, at the next attempt the account enters a 
valid password, again to DC2, the new values will be:

PDCe1=0
DC2=0
DC3=0
DC4=0

Or will they be:

PDCe1=0
DC2=0
DC3=1
DC4=1

So should the value get reset on all domain controllers, or just the PDCE and 
the DC servicing the request?

Thank you,




Christopher Bodnar
Enterprise Architect II, Corporate Office of Technology:Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com

The Guardian Life Insurance Company of America

www.guardianlife.com



________________________________
----------------------------------------- This message, and any attachments to 
it, may contain information that is privileged, confidential, and exempt from 
disclosure under applicable law. If the reader of this message is not the 
intended recipient, you are notified that any use, dissemination, distribution, 
copying, or communication of this message is strictly prohibited. If you have 
received this message in error, please notify the sender immediately by return 
e-mail and delete the message and any attachments. Thank you.
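
An added example, not part of the original thread and not how lockoutstatus.exe works internally: badPwdCount is not replicated between domain controllers, so the test scenarios discussed above can be checked by reading the attribute from every DC before and after a test logon. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the function name `Get-BadPwdCountPerDC` and the account name `testuser` are placeholders.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper: read the per-DC (non-replicated) badPwdCount for one account.
function Get-BadPwdCountPerDC {
    param([Parameter(Mandatory)][string]$Identity)

    $pdce = (Get-ADDomain).PDCEmulator
    foreach ($dc in Get-ADDomainController -Filter *) {
        $row = [ordered]@{
            DC          = $dc.HostName
            IsPDCe      = ($dc.HostName -eq $pdce)
            badPwdCount = $null
            LastBadPwd  = $null
            LockedOut   = $null
            Error       = $null
        }
        try {
            # -Server forces the read against this specific DC.
            $u = Get-ADUser -Identity $Identity -Server $dc.HostName `
                     -Properties badPwdCount, LastBadPasswordAttempt, LockedOut `
                     -ErrorAction Stop
            $row.badPwdCount = $u.badPwdCount
            $row.LastBadPwd  = $u.LastBadPasswordAttempt
            $row.LockedOut   = $u.LockedOut
        } catch {
            # Keep unreachable DCs in the output instead of silently skipping them.
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

# Snapshot, perform one test logon (bad or good password), snapshot again.
$account = 'testuser'   # placeholder test account
$before  = Get-BadPwdCountPerDC -Identity $account
Read-Host 'Perform the test logon now, then press Enter' | Out-Null
$after   = Get-BadPwdCountPerDC -Identity $account

# Side-by-side view of which DCs changed.
foreach ($a in $after) {
    $b = $before | Where-Object DC -eq $a.DC
    [pscustomobject]@{
        DC      = $a.DC
        IsPDCe  = $a.IsPDCe
        Before  = $b.badPwdCount
        After   = $a.badPwdCount
        Changed = ($b.badPwdCount -ne $a.badPwdCount)
    }
}
```

Running it once around a bad-password attempt and once around a good-password attempt shows directly which of the two outcomes listed in the original question the environment produces.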

