DOCUMENT:Q182918
TITLE   :Account Lockout Event also Stored in Security Event Log on DC
PRODUCT :Microsoft Windows NT
PROD/VER:4.00
OPER/SYS:WINDOWS
KEYWORDS:kbbug4.00 kbfix4.00 kbfile ntsecurity
--------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows NT Server version 4.0
 - Microsoft Windows NT Server, Enterprise Edition version 4.0
 - Microsoft BackOffice Small Business Server version 4.0
--------------------------------------------------------------------------

SYMPTOMS
========

When users enter a series of incorrect passwords in an attempt to log on to
Windows NT using domain accounts and the Bad Logon Attempts limit for the
account is reached, the account is locked out at the domain controller.

Windows NT generates an account lockout event (Event ID: 539) on the
workstation where the failed logon attempts occurred if the audit policy on
that workstation enables auditing of failed logon/logoff events. However,
no event is logged at the domain controller. Administrators must search the
event logs of all client systems to locate the computer where the bad
password attempts originated.

MORE INFORMATION
================

Microsoft provides a hotfix to change this behavior. After the hotfix is
applied on all domain controllers, bad logon attempts that cause a user's
account to be locked out generate an audit event in the security event log
on the domain controller that handles the logon request. A new security
event (Event ID: 644 - User Account Locked Out) is generated at the primary
domain controller to indicate the user account was automatically locked out
because of bad logon attempts. The security event is generated if the audit
policy for the domain enables Success for the User and Group Management
audit category.

If the client workstation is a computer running Windows NT or Windows 95,
the account lockout event includes the client workstation name to identify
the computer where the bad passwords are entered.

RESOLUTION
==========

To enable this feature, contact Microsoft Technical Support to obtain the
following fix, or wait for the next Windows NT service pack.

NOTE: Because this hotfix makes a modification to the on-disk storage of
the LSA data information, Microsoft does not recommend that it be
uninstalled.

This fix should have the following time stamp:

   04/22/98  06:05p                51,472 Eventlog.dll (Intel)
   04/27/98  12:48p               154,896 Lsasrv.dll   (Intel)
   04/25/98  07:45p                18,704 Msaudite.dll (Intel)
   05/08/98  07:42p                40,208 Msv1_0.dll   (Intel)
   05/08/98  07:42p                41,744 Samlib.dll   (Intel)
   05/08/98  07:42p               169,232 Samsrv.dll   (Intel)
   04/27/98  12:48p               130,832 Services.exe (Intel)

   02/04/98  02:20p                84,240 Eventlog.dll (Alpha)
   04/15/98  12:37p               253,200 Lsasrv.dll   (Alpha)
   04/02/98  06:24p                22,800 Msaudite.dll (Alpha)
   05/08/98  07:42p                67,344 Msv1_0.dll   (Alpha)
   05/08/98  07:42p                78,608 Samlib.dll   (Alpha)
   05/08/98  07:42p               288,528 Samsrv.dll   (Alpha)
   04/24/98  05:55p               241,936 Services.exe (Alpha)

NOTE: This hotfix supersedes the fix referred to in the following
articles in the Microsoft Knowledge Base:

   ARTICLE-ID: Q154087
   TITLE     : Access Violation in LSASS.EXE Due to Incorrect Buffer Size

   ARTICLE-ID: Q174205
   TITLE     : LSASS May Use a Large Amount of Memory on a Domain
               Controller

   ARTICLE-ID: Q129457
   TITLE     : Anonymous Connections May Be Able to Obtain the Password
               Policy

This hotfix has been posted to the following Internet location:

NOTE: An updated version of this hotfix was posted on May 19, 1998.

   ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/
   hotfixes-postSP3/lsa2-fix/

NOTE: The above link is one path; it has been wrapped for readability.

STATUS
======

Microsoft has released a fully supported hotfix that provides additional
protection of sensitive system information stored as LSA secrets. This 
hotfix has not been fully regression tested and should only be applied
to systems determined to be at risk of attack. Please evaluate your
system's physical accessibility, network and Internet connectivity, and
other factors to determine the degree of risk to your system. If your
system is sufficiently at risk, Microsoft recommends you apply this fix.
Otherwise, wait for the next Windows NT service pack, which will contain
this fix. Please contact Microsoft Technical Support for more information.

Additional query words: 4.00 bad password lockout after
============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.  MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.  SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.