If an account lockout policy is applied to a domain, and an account is present both in the domain and in the local SAM of a client of this domain with a different password, it will be locked out if a user logs on to the local account of the client and tries to connect to a share of a server member of the domain via the "Run" command from the "Start" menu of the explorer. This can also happen is the client is a member of another domain that has the same account with a different password and the user is logged on to that account. The number of connection requests before prompting the user depends on the OS of the client: - Windows NT4 SP6a client send 4 authentication requests. - Windows 2000 SP4 client send 9 authentication requests. - Windows XP SP1 client send 13 authentication requests. Each authentication request is done with the local credentials (the local username with its local password) which doesn't match the credentials of the domain. As a consequence, each connection request increments the bad password count of the domain account. If the lockout threshold of the policy is smaller than the number of attempts listed below, the account will be locked out before the user is prompted to enter the credentials. As a result, the user will never be prompted for entering credentials. Instead, he will get a message saying the account is locked out. To avoid the account to be locked out, either adapt the account lockout threshold of the policy accordingly to the number of connection requests of the clients shown above, or force the users to connect to the share via the "Map Network Drive" of the "Tools" menu of the explorer or via the "Net use" command at a command prompt. This can be achieved by applying a policy to the domain that disables the "Run" command from the "Start" menu of the explorer. More information: The reason for the high number of authentication requests is that the Explorer tries to get information from the server prior to establish the connection to the share. For example, the Windows XP Explorer connects to the server as soon as the user as entered the last backslash of the server name to get its shared resources and display them underneath the "Open" command.
Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.