Service packs and hotfixes that are available to resolve account lockout issues (817701)


The information in this article applies to:

  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows XP Professional
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Workstation 4.0
  • Microsoft Windows 98 Second Edition
  • Microsoft Windows 95
  • Microsoft Windows Small Business Server 2003, Standard Edition
  • Microsoft Windows Small Business Server 2003, Premium Edition

IN THIS TASK

SUMMARY

This article describes the latest hotfix updates or service packs that are available as of June 2003, to resolve account-lockout issues that you may experience when you use the Microsoft operating systems that are listed in the "Applies to" section of this article. This article is intended to help you to troubleshoot account-lockout issues and lists the latest hotfixes or service packs that are available for each operating system.

back to the top

Windows Server 2003

Install the latest service pack on all Windows Server 2003 domain controllers, servers, and client computers.

Hotfix 826133 is a client-side hotfix that you can apply to a Windows Server 2003-based computer on the network. For more information about this hotfix, click the following article number to view the article in the Microsoft Knowledge Base:

826133 User of a disabled account is prompted to change the password before the "Account has been disabled" message appears

back to the top

Windows XP

Install the latest service pack on all Windows XP-based client computers.

back to the top

Windows 2000

Install the latest service pack on all Windows 2000 domain controllers, servers, and client computers. On domain controllers that are running Windows 2000 Service Pack 3 (SP3), you must install the update that is described in the following Microsoft Knowledge Base article to obtain the benefits described in the "Windows 2000-Based Domain Controllers" section of this article:

812499 You cannot change your password after an administrator resets it

This hotfix is included in Windows 2000 Service Pack 4 (SP4). For more information about the problems that are fixed in Windows 2000 SP4, click the following article number to view the article in the Microsoft Knowledge Base:

327194 List of bugs that are fixed in Windows 2000 Service Pack 4

When you apply the latest service pack to your domain controllers and other computers involved in the account-lockout process, you remove the chance of incorrectly incrementing and resetting a bad password count over the Kerberos or NT LAN Manager (NTLM) authentication feature. Many of the account-lockout issues that you may experience are resolved in Windows 2000 SP3 and Windows 2000 SP4 and include the issues that are described in the following Microsoft Knowledge Base articles:

264678 Increased account lockout frequency in a Windows 2000 domain

287639 Client cannot log on even if the account is unlocked on the primary domain controller

278299 Locked-out account that is reset at a different domain controller may be locked out

292573 ADSI SetPassword call does not always set the password on the target domain controller

263821 Account lockout because bad password count field (BadPwdCount) is not reset to 0

294811 You receive a password expiration message after you change your password

306133 Account unlocks and manual password expirations are not replicated urgently

303290 Drive mapping for the home folder may overwrite the local drive mapping after you apply Windows 2000 SP2

back to the top

Windows 2000-Based Domain Controllers

Install Windows 2000 SP4 or Windows 2000 SP3 together with the following:
  • The post-SP3 regression fixes that are described in the following Knowledge Base article:

    331161 Hotfixes to install before you run adprep /Forestprep on a Windows 2000 domain controller to prepare the Forest and domains for the addition of Windows Server 2003-based domain controllers

  • The post-SP3 account-lockout enhancements that are described in the following Knowledge Base article:

    812499 You cannot change your password after an administrator resets it

Important To gain the benefit of the hotfix that is described in Knowledge Base article 812499, you must configure the password history setting in your domain group policy with a minimum value of 3. For additional information about how to configure account passwords and policies, visit the following Microsoft Web site:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

Microsoft recommends that you install the Windows 2000 post-SP3 account-lockout enhancements if the domain controllers that are running Windows 2000 SP3 are in the same domain as the domain controllers that are running Windows Server 2003 and if account lockout policies are enabled. Microsoft recommends that you install the latest service pack that is available for Windows 2000.

back to the top

Windows 2000-Based Client Computers

Install Windows 2000 SP4 on all Windows 2000-based client computers.

back to the top

Windows NT 4.0

Install Windows NT 4.0 Service Pack 6a (SP6a) on all Windows NT 4.0-based computers. Also, on any client computers, install the hotfix that is described in the "Windows NT 4.0" section of the following Microsoft Knowledge Base article:

275508 SMB session credentials are not updated after password change resulting in account lockout

back to the top

Windows 98 and Windows 95

Install the latest Directory Services (DS) client update on all Windows 98-based and Windows 95-based client computers. For more information about how to update the directory services client, click the following article number to view the article in the Microsoft Knowledge Base:

323455 Directory Services Client Update for Windows 98

If you do not want to install this directory services update on your Windows 98-based and Windows 95-based client computers, you can install the original directory services client, and then update the client computers with the updates that are described in the following Knowledge Base articles:

266772 Client cannot log on if unicode string is passed to NTLM security support provider interface

271496 One unsuccessful logon attempt may trigger the default Windows NT lockout policy

293793 Exception 0E in Vredir error messages when you open network files

back to the top

REFERENCES

For more information about how to obtain Windows service packs, click the following article numbers to view the articles in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

889100 How to obtain the latest service pack for Windows Server 2003

322389 How to obtain the latest Windows XP service pack

152734 How to obtain the latest Windows NT 4.0 service pack

back to the top
Modification Type:MajorLast Reviewed:12/28/2005
Keywords:kbinfo KB817701
©2004 Microsoft Corporation. All rights reserved.