Yes, a blast from the past for Friday... Have an NT4 domain where BDC won't authenticate accounts sometimes because they are locked out. User Manager does not show account as locked, but the net user command does. Account is OK on PDC, and changing something on the account replicates to the BDC and clears the lockout flag. Forcing a full replication from Server Manager doesn't fix the problem AFAIK. Problem is intermittent, and I think only when an account happens to authenticate against the BDC.
I was reading this KB article http://support.microsoft.com/kb/305144 which lists flags for the UserAccountControl property, but my output from nltest is showing 0x10 for accounts that can log in (including a new test account I just created), which looks like it should be a LOCKED status from what I'm reading. I know some flags are Win2000+ only, but I'd imagine this flag would have to be the same for all versions for compatibility and the UAC flag should be something like 0x200 rather than 0x10.

Any clues appreciated. I think we'll probably end up building a new BDC, but would like to solve the mystery if possible. Both are VMs under ESX, and are the only two DCs in the domain. Don't see any WINS errors or anything else notable in the event logs. BTW, yes I know NT4 isn't supported, patched, or loved any more... not my call.
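
Added example, not part of the original post: the UF_/ADS_UF_ values that the KB article lists and the SAM-level USER_* values defined in MS-SAMR assign different bits to the same account properties, so the 0x10 from the post decodes differently under each. Which encoding nltest prints is an assumption the post does not confirm; bit names are normalized to the KB's names, and 0x210 and 0x410 are constructed sample values.

```python
# Added example: decode an account-control value under two encodings.
# UF  = UF_* / ADS_UF_* bits (lmaccess.h, the values the KB article lists).
# SAM = USER_* bits (MS-SAMR USER_ACCOUNT codes), renamed here to the KB's
#       names so the two tables can be cross-referenced.
UF = {
    0x00001: "SCRIPT", 0x00002: "ACCOUNTDISABLE", 0x00008: "HOMEDIR_REQUIRED",
    0x00010: "LOCKOUT", 0x00020: "PASSWD_NOTREQD", 0x00040: "PASSWD_CANT_CHANGE",
    0x00100: "TEMP_DUPLICATE_ACCOUNT", 0x00200: "NORMAL_ACCOUNT",
    0x00800: "INTERDOMAIN_TRUST_ACCOUNT", 0x01000: "WORKSTATION_TRUST_ACCOUNT",
    0x02000: "SERVER_TRUST_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWD",
    0x20000: "MNS_LOGON_ACCOUNT",
}
SAM = {
    0x001: "ACCOUNTDISABLE", 0x002: "HOMEDIR_REQUIRED", 0x004: "PASSWD_NOTREQD",
    0x008: "TEMP_DUPLICATE_ACCOUNT", 0x010: "NORMAL_ACCOUNT",
    0x020: "MNS_LOGON_ACCOUNT", 0x040: "INTERDOMAIN_TRUST_ACCOUNT",
    0x080: "WORKSTATION_TRUST_ACCOUNT", 0x100: "SERVER_TRUST_ACCOUNT",
    0x200: "DONT_EXPIRE_PASSWD", 0x400: "LOCKOUT",
}

def decode(value, table):
    """Return the flag names set in value, lowest bit first."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)          # bits the table does not define
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:X}")
    return names

def sam_to_uf(value):
    """Translate a SAM-encoded value to the UF encoding, flag by flag."""
    if value & ~sum(SAM):
        raise ValueError(f"undefined SAM bits in 0x{value:X}")
    uf_bit = {name: bit for bit, name in UF.items()}
    return sum(uf_bit[name] for bit, name in SAM.items() if value & bit)

def is_locked(value, table):
    return "LOCKOUT" in decode(value, table)

if __name__ == "__main__":
    # 0x10 is the value from the post; the other two are constructed.
    for v in (0x10, 0x210, 0x410):
        print(f"0x{v:03X}  as UF: {decode(v, UF)}  as SAM: {decode(v, SAM)}")
    print(f"SAM 0x10 -> UF 0x{sam_to_uf(0x10):X}")
```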
