For AD, you should probably be trying to change the lockoutTime attribute, not badPwdCount.
You may find this link, from Microsoft, useful: [Account Lockout and Password Concepts|http://technet.microsoft.com/en-us/library/cc780271%28WS.10%29.aspx]
The section “How Domain Controllers Verify Passwords” is particularly relevant to this discussion, although this link didn’t give all the answers. Here's what I also know:
1. badPwdCount is an “operational attribute”, which means it’s an internally-controlled attribute that you can’t change.
2. badPwdCount is not replicated among domain controllers. However, the PDC emulator aggregates all bad password attempts into increases in its own local badPwdCount attribute.
3. Even if the account is not locked out, setting the lockoutTime attribute to 0 resets the badPwdCount to 0 as well. This happens automatically.
4. Best of all, this resetting of the badPwdCount to 0 on any domain controller gets immediately replicated to the PDC emulator domain controller.
Thus, if an account lockout is cleared on any domain controller (via setting the lockoutTime attribute to 0), that is also automatically translated into resetting the badPwdCount to 0 – and both of these changes happen on both the local domain controller and the PDC emulator immediately.
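Added example, not code from the post above: a PowerShell script that shows the per-DC behaviour the reply describes. Because badPwdCount is not replicated, the script queries every domain controller individually (marking the PDC emulator, which holds the aggregate), then clears the lock by writing lockoutTime = 0 with the ActiveDirectory module's Set-ADUser, and queries all DCs again so you can see badPwdCount drop to 0. It assumes the RSAT ActiveDirectory module is installed, that you can reach every DC over LDAP, and that you have rights to modify the account; the account name and script name are hypothetical.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory module
# and rights to write lockoutTime on the target account. Account name is a parameter.
param(
    [Parameter(Mandatory)] [string] $SamAccountName
)
Import-Module ActiveDirectory

function Get-PerDcLockoutState {
    param([string] $Sam)

    # badPwdCount is per-DC, so every DC has to be asked; the PDC emulator
    # carries the aggregate because failed attempts are forwarded to it.
    $pdc = (Get-ADDomain).PDCEmulator
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $Sam -Server $dc.HostName `
                    -Properties badPwdCount, badPasswordTime, lockoutTime
            [pscustomobject]@{
                DC              = $dc.HostName
                IsPDC           = ($dc.HostName -eq $pdc)
                badPwdCount     = $u.badPwdCount
                badPasswordTime = if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) } else { $null }
                lockoutTime     = if ($u.lockoutTime)     { [DateTime]::FromFileTime($u.lockoutTime) }     else { $null }
            }
        } catch {
            Write-Warning "Could not query $($dc.HostName): $_"
        }
    }
}

"Before unlock:"
Get-PerDcLockoutState -Sam $SamAccountName | Format-Table -AutoSize

# Clear the lock on a writable DC by setting lockoutTime to 0; per the reply
# above, this also resets badPwdCount on that DC and propagates to the PDC
# emulator. Unlock-ADAccount -Identity $SamAccountName does the same write.
Set-ADUser -Identity $SamAccountName -Replace @{ lockoutTime = 0 }

"After unlock:"
Get-PerDcLockoutState -Sam $SamAccountName | Format-Table -AutoSize
```

Run it as, for example, `.\Unlock-Check.ps1 -SamAccountName jdoe` from a machine that can reach all DCs. Before clearing the lock, look at which DCs show a non-zero badPwdCount and a recent badPasswordTime: that tells you where the failed logons are arriving, and the corresponding 4740 (account locked out) and 4771/4776 (Kerberos and NTLM authentication failures) events on those DCs identify the source host. Unlocking without finding that source means a stale credential, a misconfigured service, or a password-spraying attacker will simply lock the account again.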