Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

Trying to connect to a share via the "Run" command of the Explorer can lead to an account lockout.



If an account lockout policy is applied to a domain, and an account exists both in the domain and in the local SAM of a client of this domain with a different password, the domain account will be locked out if a user logs on to the local account of the client and tries to connect to a share on a member server of the domain via the "Run" command from the "Start" menu of Explorer.

This can also happen if the client is a member of another domain that has the same account with a different password and the user is logged on to that account.

The number of connection requests sent before the user is prompted depends on the OS of the client:
- Windows NT4 SP6a clients send 4 authentication requests.
- Windows 2000 SP4 clients send 9 authentication requests.
- Windows XP SP1 clients send 13 authentication requests.
 
Each authentication request is made with the local credentials (the local username with its local password), which do not match the credentials of the domain account. As a consequence, each connection request increments the bad password count of the domain account. If the lockout threshold of the policy is smaller than the number of attempts listed above, the account will be locked out before the user is prompted to enter credentials. As a result, the user is never prompted for credentials. Instead, the user gets a message saying the account is locked out.
 
To prevent the account from being locked out, either set the account lockout threshold of the policy according to the number of connection requests of the clients shown above, or force users to connect to the share via "Map Network Drive" in the "Tools" menu of Explorer or via the "net use" command at a command prompt.
The latter can be achieved by applying a policy to the domain that disables the "Run" command in the "Start" menu of Explorer.
 

More information:

The reason for the high number of authentication requests is that Explorer tries to get information from the server before establishing the connection to the share. For example, the Windows XP Explorer connects to the server as soon as the user has entered the last backslash of the server name, in order to get its shared resources and display them underneath the "Open" field.
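
The burst sizes listed above can serve as a triage signature when investigating a lockout. The following Python code is an added example, not part of the original KB article: it groups failed domain logons per account and source workstation and flags bursts of 4, 9 or 13 failures. The log format, the account and workstation names, and the 5-second grouping window are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Authentication requests sent before the credential prompt (figures from the article).
EXPLORER_BURSTS = {4: "Windows NT4 SP6a", 9: "Windows 2000 SP4", 13: "Windows XP SP1"}
BURST_GAP = timedelta(seconds=5)  # assumption: requests of one burst are at most 5 s apart

def make_lines(start, account, host, count):
    """Build constructed log lines: 'ISO-timestamp account workstation', one per second."""
    t0 = datetime.fromisoformat(start)
    return [f"{(t0 + timedelta(seconds=i)).isoformat()} {account} {host}" for i in range(count)]

# Constructed sample of failed domain logons; names and times are invented.
SAMPLE_LOG = "\n".join(
    make_lines("2007-02-06T09:00:00", "jsmith", "WKS-XP01", 13)
    + make_lines("2007-02-06T09:30:00", "adoe", "WKS-NT07", 4)
    + make_lines("2007-02-06T10:00:00", "adoe", "WKS-2K03", 2)
)

def parse(log):
    """Yield (time, account, workstation) from the constructed log format."""
    for line in log.splitlines():
        if line.strip():
            ts, account, host = line.split()
            yield datetime.fromisoformat(ts), account.lower(), host.upper()

def find_bursts(log):
    """Group failures per (account, workstation) into runs with no gap above BURST_GAP."""
    runs = defaultdict(list)
    for when, account, host in sorted(parse(log)):
        series = runs[(account, host)]
        if series and when - series[-1][-1] <= BURST_GAP:
            series[-1].append(when)
        else:
            series.append([when])
    return runs

def classify(log, lockout_threshold):
    """Return (account, workstation, failures, matching client OS or None, reaches threshold)."""
    findings = []
    for (account, host), series in sorted(find_bursts(log).items()):
        for run in series:
            n = len(run)
            # A threshold of 0 means lockout is disabled; otherwise the account
            # locks once the bad password count reaches the threshold.
            locks = 0 < lockout_threshold <= n
            findings.append((account, host, n, EXPLORER_BURSTS.get(n), locks))
    return findings

if __name__ == "__main__":
    for finding in classify(SAMPLE_LOG, lockout_threshold=5):
        print(finding)
```

A burst whose size matches one of the three figures and whose source workstation has a local account of the same name points to the Explorer behaviour described here; other burst sizes call for a different explanation.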



Keywords: KB841075


Article Info
Article ID : 841075
Revision : 3
Created on : 2/6/2007
Published on : 2/6/2007
Exists online : False