Bad password count is incremented when Lync 2013 VDI plug-in pairs with a Lync 2013 client

View products that this article applies to.

Symptoms

Consider the following scenario:

You deploy a Microsoft Lync Server 2013 environment.
You enable Virtual Desktop Infrastructure (VDI) for all the users in the environment by running the following command:
```
Set-CsClientPolicy -Identity Global -EnableMediaRedirection $true 
```
You install the Lync 2013 VDI plug-in on a local computer.
You install Lync 2013 on a Remote Desktop Session Host server that joins the same domain as the local computer.
You create a user account in Active Directory Domain Services (AD DS) and enables the user for Lync 2013.
The user logs on to the local computer and to the Remote Desktop Session Host server by using the same account.
The user connects to the Remote Desktop Session Host server from the local computer, and then starts Lync 2013 in the Remote Desktop session.
The Lync 2013 VDI plug-in begins to pair with the Lync 2013 client.

In this scenario, you might encounter the following issues:

The value of the badPwdAttempt attribute in AD DS is incremented by 1.
The badPwdTime attribute contains a time stamp for the VDI pairing.
You receive event ID 4771 that states one authentication attempt fails in the domain controller (DC) security audit trail.

Additionally, the user account might be locked.

↑ Back to the top

Workaround

To work around this issue, you must increase the value of the account lockout threshold and reduce the size of the lockout observation window. For example, you can set the value of the account lockout threshold to 20 and set the size of the lockout observation window to 30 minutes.

↑ Back to the top