JSI Tip 6606. Users experience account lockouts with fewer incorrect authentication attempts than the domain's Account Lockout policy indicates?

If your domain contains Windows 2000 domain controllers and Windows 2000 servers and/or clients, users are charged twice for each incorrect authentication attempt.

Windows 2000 first uses the Kerberos authentication method. If that does not succeed, Windows 2000 tries the Windows NT challenge/response (NTLM) authentication protocol. When the user specifies an incorrect password, they are charged twice for the one authentication attempt.

NOTE: You can inspect the NetLogon.log file and see the NTLM attempts. To also track the Kerberos attempts, see How can I enable Kerberos event logging?

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.