Are my failed password attempts to different domain controllers cumulative?

Solution 1:

Yes, the account will be locked out.

As documented in the Advanced Replication Management documentation:

Account lockout is a security feature that sets a limit on the number of failed authentication attempts that are allowed before the account is "locked out" from a further attempt to log on, in addition to a time limit for how long the lockout is in effect.
In Windows 2000, account lockout is urgently replicated to the primary domain controller (PDC) emulator role owner and is then urgently replicated to the following:

  1. Domain controllers in the same domain that are located in the same site as the PDC emulator.

  2. Domain controllers in the same domain that are located in the same site as the domain controller that handled the account lockout.

  3. Domain controllers in the same domain that are located in sites that have been configured to allow change notification between sites (and, therefore, urgent replication) with the site that contains the PDC emulator or with the site where the account lockout was handled. These sites include any site that is included in the same site link as the site that contains the PDC emulator or in the same site link as the site that contains the domain controller that handled the account lockout.

In addition, when authentication fails at a domain controller other than the PDC emulator, the authentication is retried at the PDC emulator. For this reason, the PDC emulator locks the account before the domain controller that handled the failed-password attempt if the bad-password-attempt threshold is reached.

So to summarize, as bad password attempts are prioritized and every bad password attempt is also retried at the PDC emulator, your account will be locked out by any properly replicating domain controller.

There are, however, a few exceptions that might allow you more than your allotted number of logins:

  1. Mixed Environments with Windows NT Server 4.0 and Active Directory Domain Controllers
  2. Inputting a recent password does not increase the bad password count

Solution 2:

It is theoretically possible for a user to exceed the maximum number of login attempts defined by policy. (Especially by using password change attempts.)

For instance, say your lockout policy is 5 bad login attempts.

A user could attempt 4 logins against DC1,

then they could attempt 4 logins against DC2,

and still not get locked out after the first bad login attempt against DC2.

From https://technet.microsoft.com/en-us/library/Cc772726(v=WS.10).aspx, which is essential reading for all AD admins:

When a bad password is used in an attempt to change a password, the lockout count is incremented on that domain controller only and is not replicated. As such, an attacker could try (# of domain controllers)*(lockout threshold -1) + 1 guesses before the account is locked out. Although this scenario has a relatively small impact on account lockout security, domains with an exceptionally high number of domain controllers represent a significant increase in the total number of guesses available to an attacker. Because a user cannot specify the domain controller on which the password change is attempted, an attack of this type requires an advanced tool.

Also this:

In addition, when authentication fails at a domain controller other than the PDC emulator, the authentication is retried at the PDC emulator. For this reason, the PDC emulator locks the account before the domain controller that handled the failed-password attempt if the bad-password-attempt threshold is reached.

So normally, you will not see a regular everyday user exceeding the lockout threshold, but it is possible to exceed the defined lockout threshold with an automated tool that's fast and can outpace AD replication.

The key takeaway here is that urgent replication doesn't mean instantaneous replication.
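As an added, defender-side check that is not part of either answer: since badPwdCount is a non-replicated attribute, the only way to see whether failed attempts are spread across domain controllers (as the password-change scenario above describes) is to ask every DC directly. This PowerShell example assumes the RSAT ActiveDirectory module, rights to read user attributes, and uses a placeholder account name.

```powershell
# Added example, not from either answer. Assumes the RSAT ActiveDirectory module
# and rights to read user attributes; 'jdoe' below is a placeholder account name.
Import-Module ActiveDirectory

function Get-BadPwdCountPerDC {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $pdc = (Get-ADDomain).PDCEmulator

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # badPwdCount, badPasswordTime and lockoutTime are not replicated,
            # so each DC has to be queried individually with -Server.
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                            -Properties badPwdCount, badPasswordTime, lockoutTime
            [pscustomobject]@{
                DC          = $dc.HostName
                IsPDC       = ($dc.HostName -eq $pdc)
                BadPwdCount = $u.badPwdCount
                LastBadPwd  = $(if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) } else { $null })
                LockedOut   = [bool]($u.lockoutTime -gt 0)
                Error       = $null
            }
        }
        catch {
            # An unreachable DC still gets a row, so gaps are visible rather than silent.
            [pscustomobject]@{
                DC = $dc.HostName; IsPDC = ($dc.HostName -eq $pdc)
                BadPwdCount = $null; LastBadPwd = $null; LockedOut = $null
                Error = $_.Exception.Message
            }
        }
    }
}

$rows = Get-BadPwdCountPerDC -SamAccountName 'jdoe'   # placeholder account name

# Failed logons are retried at the PDC emulator, so its count is the aggregate for
# ordinary logon attempts. Counts on other DCs that are not reflected at the PDC point
# to failures it never saw, such as bad password-change attempts counted locally only.
$rows | Sort-Object IsPDC -Descending |
    Format-Table DC, IsPDC, BadPwdCount, LastBadPwd, LockedOut, Error -AutoSize
```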