I have a situation, or perhaps my understanding of BadPwdCount is wrong... I understand that BadPwdCount is not replicated, however the PDCe role holder acts a kind of a high watermark for this attribute, is that correct?

My situation is that BadPwdCount on the PDCe is not resetting back to 0 after a successful logon. 

Here's my test:

Three DC's (DC1pdce, DC2, and DC3) and one Win7 workstation. I use LDP.EXE and simple bind to target DC2 to do a failed logon three times for a test user WST93. Then using Lockoutstatus I can see the BadPwd count on DC2 and DC1pdce is 3. I then do an interactive logon from Win7. dir ENV:logonserver shows DC3. LockoutStatus shows BadPwdCount:

DC1pdce - 3

DC2 - 3

DC3 - 0

Shouldn't DC1, the PDCe get reset to 0 as well?

Geoff

Hi. This question has been asked and answered before. Here is a previous discussion.

http://social.technet.microsoft.com/Forums/windowsserver/en-US/8c5d3228-f220-499b-b26e-32e72e08c148/badpwdcount-reset-after-a-successful-logon?forum=winserverDS

I did see this and I don't think it answers my question.

The thread says:

"Yes, PDC will reset the BadPwdCount. You could use lockoutStatus tool to check it.

If there are more inquiries on this issue, please feel free to let us know"

That's what I expected to happen, but is not happening. I repeat a successful logon DOES NOT reset the value on the PDCe

Geoff 

Hi,

Are you using RODC in your domain? Is your PDC emulator a Windows Server 2008/2008 R2 machine?

If yes, then the badPwdCount attribute is not reset to 0 because the Security Accounts Manager (SAM) server does not support badPwdCount attribute requests that come from an RODC.

Here is a KB article with a hotfix below:

The badPwdCount attribute is not reset to 0 on a Windows Server 2008 R2-based or Windows Server 2008-based PDC when the reset request is sent from an RODC

http://support.microsoft.com/kb/2641192

I hope this helps.

Best Regards,

Amy Wang