This article discusses how the bad password count attribute (BadPwdCount)
works in Microsoft Windows 2000 and in Microsoft Windows Server 2003. When you
submit incorrect credentials to the Active Directory directory service, the
value of the BadPwdCount attribute of that user object increases. This
attribute is used to determine whether a user account will be locked out based
on the password lockout policy.

In Windows 2000 and in Windows Server 2003, the value of the BadPwdCount
attribute should increase one time when the following conditions are true:
- You use either the user principal name (UPN) or the
Security Accounts Manager (SAM) account name (sAMAccountName) to log on to a
computer.
- You use the "Domain\UserId" format and Active Directory
Service Interfaces (ADSI) functions to bind your incorrect credentials to
Active Directory. For example, you use the IADsOpenDsObject::OpenDsObject method or the ADsOpenObject function.

In Windows 2000, the BadPwdCount attribute increases two times when the
following conditions are true:
- You use either the UPN or the sAMAccountName to log on to a
computer.
- You use the UPN and ADSI functions to bind your incorrect
credentials to Active Directory. For example, you use the IADsOpenDsObject::OpenDsObject method or the ADsOpenObject function.

However, in Windows Server 2003, the BadPwdCount attribute increases only one
time when you use the UPN to bind your incorrect credentials to Active
Directory.
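
One way to check which of these behaviours a given domain controller shows, as an added example that is not part of the original article: the script makes one deliberately failed ADSI bind per name format against a disposable test account and reads BadPwdCount before and after. The server, domain and account names are placeholders for a lab, and the ActiveDirectory RSAT module is assumed.

```powershell
# Added example. All names below are lab placeholders, not values from the article.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$Server  = 'dc01.lab.example'          # read and bind against the SAME domain controller
$Sam     = 'badpwd-test'               # disposable test account
$NetBios = 'LAB'
$Upn     = 'badpwd-test@lab.example'

function Get-BadPwdCount {
    # Read the counter from the domain controller that receives the bind
    [int](Get-ADUser -Identity $Sam -Server $Server -Properties badPwdCount).badPwdCount
}

function Test-FailedBind([string]$UserName) {
    $before = Get-BadPwdCount
    # DirectoryEntry is the .NET wrapper around ADSI; the bind happens on first access
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$Server", $UserName, 'deliberately-wrong-password')
    try   { $null = $entry.psbase.NativeObject }   # forces the bind, which fails
    catch { }                                      # the logon failure is expected
    finally { $entry.psbase.Dispose() }
    $after = Get-BadPwdCount
    [pscustomobject]@{
        NameFormat = $UserName
        Before     = $before
        After      = $after
        Increment  = $after - $before
    }
}

# Stop if the test could lock the account: worst case is 1 + 2 increments.
# Checks the default domain policy only; a threshold of 0 means lockout is disabled.
$threshold = (Get-ADDefaultDomainPasswordPolicy -Server $Server).LockoutThreshold
if ($threshold -gt 0 -and (Get-BadPwdCount) + 3 -ge $threshold) {
    throw "BadPwdCount is too close to the lockout threshold ($threshold); reset the test account first."
}

# One failed bind per name format described in the article
Test-FailedBind "$NetBios\$Sam"   # Domain\UserId format
Test-FailedBind $Upn              # UPN format
```

An Increment of 2 on the UPN row corresponds to the Windows 2000 behaviour described above, and 1 to the Windows Server 2003 behaviour.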