implementing password lockout

Richard Renard rrenard at
Tue Jan 27 22:37:41 GMT 2004


I made the same kind of tests you did, with rpcclient connected by
IP number on PDC and BDC.

> 1. Made sure bad password count was zero on PDC and BDC (via rpcclient
> queryuserinfo)
> 2. Made sure user's comments were same on PDC and BDC
> 3. Entered a bad password on PDC, saw that count was 1 on PDC, 0 on BDC.
> 4. Changed user comment on PDC.
> 5. Requested a replication via server manager and waited for traffic to
> occur.
> 6. Checked both bad password count and user comment.  Change was replicated
> for the user comment, but _not_ for the bad password count.

bad password count is 0 on PDC and BDC, no user's comment set
1. entered a bad password on PDC
2. forced replication, 1 on PDC, 0 on BDC
3. reentered a bad password on PDC
4. forced replication, 2 on PDC, 0 on BDC
5. changed user's comment on PDC
6. forced replication, 2 on PDC, 2 on BDC

Well, it seems that the modification on the bad password count is not
considered by NT as a modification of the SAM. It is only when the field
reaches the bad password count defined in account policy that there is a
modification of the SAM.

So I suppose that when user_badpwdcount == acct-pol_bad_pwdcount the
ACCOUNT_LOCKED_OUT flag is set and then the replication occurs.
(as a new locked-out account immediately toggles the replication
process, see;en-us;154502)


Richard Renard
rrenard at
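
The following Python model of the behaviour described in this message is an added example, not part of the original post and not Samba or NT code. The threshold of 3, the class and function names, and the rule that a modified record is copied whole (counter included) are assumptions chosen to reproduce the counts listed above.

```python
from dataclasses import dataclass, field, replace

LOCKOUT_THRESHOLD = 3  # assumed account-policy value, chosen for the demo


@dataclass
class User:
    bad_pwd_count: int = 0
    comment: str = ""
    locked_out: bool = False


@dataclass
class DC:
    user: User = field(default_factory=User)
    dirty: bool = False  # PDC only: record counts as a SAM modification

    def replicate_to(self, bdc):
        """Forced replication: only records marked as modified are sent."""
        if self.dirty:
            bdc.user = replace(self.user)  # whole record, counter included
            self.dirty = False

    def set_comment(self, text):
        self.user.comment = text
        self.dirty = True

    def bad_password(self, bdc):
        self.user.bad_pwd_count += 1  # counter alone does not mark the record
        if self.user.bad_pwd_count == LOCKOUT_THRESHOLD:
            self.user.locked_out = True  # flag change is a SAM modification
            self.dirty = True
            self.replicate_to(bdc)  # assumed: lockout replicates immediately


def replay():
    """Replay the steps from the message; return (PDC, BDC, BDC locked) per step."""
    pdc, bdc, seen = DC(), DC(), []
    for action in ("bad", "bad", "comment", "bad"):
        if action == "bad":
            pdc.bad_password(bdc)
        else:
            pdc.set_comment("changed")
        pdc.replicate_to(bdc)  # forced replication after every step
        seen.append((pdc.user.bad_pwd_count, bdc.user.bad_pwd_count, bdc.user.locked_out))
    return seen


if __name__ == "__main__":
    print(replay())
```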
