Thanks, I think what confused me was this:

https://support.microsoft.com/en-us/kb/297157

“After domain synchronization happens, BadPasswordCount on BDC is equal to the 
number on PDC, which will be 0x0.”

Yes, I know it’s referring to NT 4 ☹  ……. But it was the first thing I looked 
at, so it stuck with me. Couldn’t find anything else that specifically said 
that the PDC wouldn’t replicate out, which this did say.

Thanks


From: [email protected] [mailto:[email protected]] On 
Behalf Of Todd Lemmiksoo
Sent: Thursday, January 07, 2016 4:07 PM
To: [email protected]
Subject: Re: [NTSysADM] badPwdCount question

Yes, that is correct. Each DC will have its own count.

On Thu, Jan 7, 2016 at 3:02 PM, Christopher Bodnar 
<[email protected]<mailto:[email protected]>> wrote:
Just trying to get some clarification on this, as we are troubleshooting some 
account lockout issues. Just to preface, I have read through all the MS 
documentation on this, including the following:

http://windowsitpro.com/windows/understanding-windows-account-lockout-security-feature
https://technet.microsoft.com/en-us/library/cc775412(v=ws.10).aspx

According to all the documentation it states that the badPwdCount attribute is 
NOT replicated. My assumption is that this includes the PDC, that the PDC does 
not replicate this out to the other domain controllers in the forest. Is that 
correct? So for example if DC2 (not the PDCe) has a badPwdCount of (3) it will 
stay at that number until it gets a good password. The PDCe value won’t 
replicate it out.  Is that correct?

Thanks

Chris
________________________________
----------------------------------------- This message, and any attachments to 
it, may contain information that is privileged, confidential, and exempt from 
disclosure under applicable law. If the reader of this message is not the 
intended recipient, you are notified that any use, dissemination, distribution, 
copying, or communication of this message is strictly prohibited. If you have 
received this message in error, please notify the sender immediately by return 
e-mail and delete the message and any attachments. Thank you.



--
T. Todd Lemmiksoo
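
Because each DC keeps its own badPwdCount, lockout troubleshooting means reading the attribute from every DC individually. The following is an added example, not code from this thread; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the function name and the account name `jdoe` are placeholders.

```powershell
# Added example: read-only per-DC view of one account's bad-password state.
Import-Module ActiveDirectory

function Get-BadPwdCountPerDC {
    param(
        # sAMAccountName of the account being investigated (placeholder in the call below)
        [Parameter(Mandatory)] [string] $Identity
    )

    foreach ($dc in Get-ADDomainController -Filter *) {
        $isPdce = $dc.OperationMasterRoles -contains 'PDCEmulator'
        try {
            # -Server pins the query to this DC, so the values are that DC's local copy.
            # badPasswordTime is also kept per DC and comes back as a FILETIME integer.
            $u = Get-ADUser -Identity $Identity -Server $dc.HostName `
                    -Properties badPwdCount, badPasswordTime -ErrorAction Stop

            $lastBad = if ($u.badPasswordTime) {
                [datetime]::FromFileTimeUtc($u.badPasswordTime)
            } else { $null }

            [pscustomobject]@{
                DC                 = $dc.HostName
                IsPDCe             = $isPdce
                BadPwdCount        = $u.badPwdCount
                LastBadPasswordUtc = $lastBad
                Error              = $null
            }
        }
        catch {
            # An unreachable DC is reported rather than skipped, so a gap in the
            # picture is visible instead of being mistaken for a zero count.
            [pscustomobject]@{
                DC                 = $dc.HostName
                IsPDCe             = $isPdce
                BadPwdCount        = $null
                LastBadPasswordUtc = $null
                Error              = $_.Exception.Message
            }
        }
    }
}

# The DC with the most recent LastBadPasswordUtc is where the failed logons are landing.
Get-BadPwdCountPerDC -Identity 'jdoe' |
    Sort-Object LastBadPasswordUtc -Descending |
    Format-Table -AutoSize
```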


