DOCUMENT:Q182918
TITLE   :Account Lockout Event also Stored in Security Event Log on DC
PRODUCT :Microsoft Windows NT
PROD/VER:4.00
OPER/SYS:WINDOWS
KEYWORDS:kbbug4.00 kbfix4.00 kbfile ntsecurity
--------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows NT Server version 4.0
 - Microsoft Windows NT Server, Enterprise Edition version 4.0
 - Microsoft BackOffice Small Business Server version 4.0
--------------------------------------------------------------------------

SYMPTOMS
========

When users enter a series of incorrect passwords in an attempt to log on to
Windows NT using domain accounts and the Bad Logon Attempts limit for the
account is reached, the account is locked out at the domain controller.

Windows NT generates an account lockout event (Event ID: 539) on the
workstation where the failed logon attempts occurred if the audit policy on
that workstation enables auditing of failed logon/logoff events. However,
no event is logged at the domain controller. Administrators must search the
event logs of all client systems to locate the computer where the bad
password attempts originated.

MORE INFORMATION
================

Microsoft provides a hotfix to change this behavior. After the hotfix is
applied on all domain controllers, bad logon attempts that cause a user's
account to be locked out generate an audit event in the security event log
on the domain controller that handles the logon request. A new security
event (Event ID: 644 - User Account Locked Out) is generated at the primary
domain controller to indicate the user account was automatically locked out
because of bad logon attempts. The security event is generated if the audit
policy for the domain enables Success for the User and Group Management
audit category.

If the client workstation is a computer running Windows NT or Windows 95,
the account lockout event includes the client workstation name to identify
the computer where the bad passwords are entered.

RESOLUTION
==========

To enable this feature, contact Microsoft Technical Support to obtain the
following fix, or wait for the next Windows NT service pack.

Before You Apply the Hotfix:

Because this hotfix makes a modification to the on-disk storage of the LSA
data information, Microsoft does not recommend that it be uninstalled.
Perform the following steps to ease the transition back to a pre-LSA2-fix
configuration in case you experience problems with the hotfix:

1. Perform a Full System Backup.

2. Backup or make copies of all the files that will be updated by LSA2-fix.

3. Create an updated pre-LSA2-fix Emergency Repair Disk (ERD).

This fix should have the following time stamp:

   04/22/98  06:05p                51,472 Eventlog.dll (Intel)
   04/27/98  12:48p               154,896 Lsasrv.dll   (Intel)
   04/25/98  07:45p                18,704 Msaudite.dll (Intel)
   05/08/98  07:42p                40,208 Msv1_0.dll   (Intel)
   05/13/98  04:32p               425,744 Netcfg.dll   (Intel)
   06/22/98  08:25p                41,744 Samlib.dll   (Intel)
   05/08/98  07:42p               169,232 Samsrv.dll   (Intel)
   04/27/98  12:48p               130,832 Services.exe (Intel)
   06/22/98  09:04p               211,216 Srvmgr.exe   (Intel)
   06/22/98  08:25p                88,336 Xactsrv.dll  (Intel)

   02/04/98  02:20p                84,240 Eventlog.dll (Alpha)
   04/15/98  12:37p               253,200 Lsasrv.dll   (Alpha)
   04/02/98  06:24p                22,800 Msaudite.dll (Alpha)
   05/08/98  07:42p                67,344 Msv1_0.dll   (Alpha)
   05/13/98  04:33p               645,392 Netcfg.dll   (Alpha)
   06/22/98  08:25p                78,608 Samlib.dll   (Alpha)
   05/08/98  07:42p               288,528 Samsrv.dll   (Alpha)
   04/24/98  05:55p               241,936 Services.exe (Alpha)
   06/22/98  09:00p               305,936 Srvmgr.exe   (Alpha)
   06/22/98  08:25p               170,768 Xactsrv.dll  (Alpha)

NOTE: This hotfix supersedes the fix referred to in the following
articles in the Microsoft Knowledge Base:

   ARTICLE-ID: Q154087
   TITLE     : Access Violation in LSASS.EXE Due to Incorrect Buffer Size

   ARTICLE-ID: Q174205
   TITLE     : LSASS May Use a Large Amount of Memory on a Domain
               Controller

   ARTICLE-ID: Q129457
   TITLE     : Anonymous Connections May Be Able to Obtain the Password
               Policy

This hotfix has been posted to the following Internet location:

NOTE: An updated version of this hotfix was posted on July 20, 1998 and
provides an additional security level to systems running Windows NT 4.0
Service Pack 3.

   ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/lsa2-fix/

MORE INFORMATION
================

If you experience problems with this hotfix, perform the following steps to
restore the system to its original configuration before applying the
hotfix:

1. Create a post-LSA2-fix ERD. This disk should only be necessary if the
   following steps fail.

2. Rename the current system files in the %Systemroot%\System32 folder that
   are being used by this hotfix.

3. Copy the original versions of these system files from
   \%Systemroot%\$NtUninstallQ184017$ to the %Systemroot%\System32 folder.

4. Use the pre-LSA2-fix ERD to start the computer and repair the Security
   hive.

5. Restart the computer to load the pre-LSA2-fix system files that can use
   the pre-LSA2-fix Security hive format.

STATUS
======

Microsoft has released a fully supported hotfix that provides additional
protection of sensitive system information stored as LSA secrets.

This hotfix has not been fully regression tested and should only be applied
to systems determined to be at risk of attack. Please evaluate your
system's physical accessibility, network and Internet connectivity, and
other factors to determine the degree of risk to your system. If your
system is sufficiently at risk, Microsoft recommends you apply this fix.
Otherwise, wait for the next Windows NT service pack, which will contain
this fix. Please contact Microsoft Technical Support for more information.

Additional query words: 4.00 bad password lockout after
============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.  MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.  SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.