Sure it is. It’s specifically stated in the second document you mentioned:
badPwdCount

The badPwdCount value stores the number of times that the user, computer, or service account tried to log on to the account by using an incorrect password. This value is maintained separately on each domain controller in the domain, except for the PDC operations master of the accounts domain that maintains the total number of incorrect password attempts. A value of 0 indicates that the value is unknown. For an accurate total of the user's incorrect password attempts in the domain, you must query each domain controller and use the sum of the values. For more information, see the "LockoutStatus.exe" section in this document. The badPwdCount registry value is not replicated between domain controllers. This registry value, however, is reported to the PDC operations master.

From: [email protected] On Behalf Of Christopher Bodnar
Sent: Thursday, January 7, 2016 4:18 PM
To: [email protected]
Subject: RE: [NTSysADM] badPwdCount question

Thanks, I think what confused me was this:

https://support.microsoft.com/en-us/kb/297157

“After domain synchronization happens, BadPasswordCount on BDC is equal to the number on PDC, which will be 0x0.”

Yes, I know it’s referring to NT 4 ☹ ……. But it was the first thing I looked at, so it stuck with me. Couldn’t find anything else that specifically said that the PDC wouldn’t replicate out, which this did say.

Thanks

From: [email protected] On Behalf Of Todd Lemmiksoo
Sent: Thursday, January 07, 2016 4:07 PM
To: [email protected]
Subject: Re: [NTSysADM] badPwdCount question

Yes, that is correct. Each DC will have its own count.

On Thu, Jan 7, 2016 at 3:02 PM, Christopher Bodnar <[email protected]> wrote:

Just trying to get some clarification on this, as we are troubleshooting some account lockout issues.
Just to preface, I have read through all the MS documentation on this, including the following:

http://windowsitpro.com/windows/understanding-windows-account-lockout-security-feature

https://technet.microsoft.com/en-us/library/cc775412(v=ws.10).aspx

According to all the documentation it states that the badPwdCount attribute is NOT replicated. My assumption is that this includes the PDC, that the PDC does not replicate this out to the other domain controllers in the forest. Is that correct?

So for example if DC2 (not the PDCe) has a badPwdCount of (3) it will stay at that number until it gets a good password. The PDCe value won’t replicate it out. Is that correct?

Thanks

Chris

This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you.

--
T. Todd Lemmiksoo
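
The quoted documentation says an accurate picture requires querying each domain controller, because badPwdCount is not replicated. The following is an added example, not part of the original thread: it reads the attribute from every DC with the ActiveDirectory RSAT module. The function name `Get-BadPwdCountPerDC` and the account name `jdoe` are placeholders chosen for illustration.

```powershell
# Added example: per-DC badPwdCount for one account (needs the RSAT ActiveDirectory module).
Import-Module ActiveDirectory

function Get-BadPwdCountPerDC {
    param(
        [Parameter(Mandatory)] [string] $Identity   # sAMAccountName or DN of the account
    )
    $pdc = (Get-ADDomain).PDCEmulator               # FQDN of the PDC emulator
    foreach ($dc in Get-ADDomainController -Filter *) {
        $row = [ordered]@{
            DC = $dc.HostName; IsPDCe = ($dc.HostName -eq $pdc)
            BadPwdCount = $null; LastBadPassword = $null; LockedOut = $null; Error = $null
        }
        try {
            # -Server pins the read to this DC, so we see its local, non-replicated value.
            $u = Get-ADUser -Identity $Identity -Server $dc.HostName `
                     -Properties badPwdCount, badPasswordTime, lockoutTime -ErrorAction Stop
            $row.BadPwdCount = [int]$u.badPwdCount
            if ($u.badPasswordTime) {
                # badPasswordTime is a FILETIME; it is also per-DC and not replicated.
                $row.LastBadPassword = [DateTime]::FromFileTime($u.badPasswordTime)
            }
            $row.LockedOut = ($u.lockoutTime -gt 0)
        }
        catch {
            # Report an unreachable DC instead of letting it silently skew the total.
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

$rows = Get-BadPwdCountPerDC -Identity 'jdoe'       # placeholder account name
$rows | Sort-Object LastBadPassword -Descending | Format-Table -AutoSize

# Sum over the DCs that answered, as the quoted documentation describes.
$sum = ($rows | Where-Object { $null -ne $_.BadPwdCount } |
        Measure-Object -Property BadPwdCount -Sum).Sum
"Sum of badPwdCount across reachable DCs: $sum"
```

The DC with the most recent LastBadPassword is usually the first place to look in its Security log when tracing the source of a lockout.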
