3.3.5.3.2 Normative Specification

Upon receiving this message, the responder SHOULD<15> return STATUS_NOT_SUPPORTED if the responder is not the PDC. Otherwise, the responder SHOULD<16> process the message as shown below.

If the requestor is an RODC that is not allowed to cache credentials for the target user account, as specified in [MS-DRSR] section 4.1.10.5.15, the responder MUST return STATUS_ACCESS_DENIED. Otherwise, if there is an object in the database that has an objectGUID attribute value that corresponds to the value in the Message.ResetBadPwdCount.Guid field, the responder MUST update the badPwdCount attribute to zero. The database updates MUST be done in one transaction. If the database transaction succeeds, the responder MUST return STATUS_SUCCESS; otherwise, the responder MUST return an error code, as specified in section 2.2.9.
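
The following Python model of the processing order above is an added example, not part of this specification or of any product implementation. It shows that a rejected request or a failed transaction leaves badPwdCount unchanged. The names Requestor, Directory, handle_reset_bad_pwd_count and ERROR_PER_SECTION_2_2_9 are hypothetical, the GUID and database are constructed sample data, and treating an unknown GUID as a no-op that still commits is an assumption.

```python
import copy
from dataclasses import dataclass
from uuid import UUID

STATUS_SUCCESS = 0x00000000
STATUS_ACCESS_DENIED = 0xC0000022
STATUS_NOT_SUPPORTED = 0xC00000BB
# Placeholder only: the real failure codes are those listed in section 2.2.9.
ERROR_PER_SECTION_2_2_9 = "<error code per section 2.2.9>"


class TransactionFailed(Exception):
    pass


@dataclass
class Requestor:
    is_rodc: bool
    may_cache_target: bool  # stand-in for the [MS-DRSR] 4.1.10.5.15 check


@dataclass
class Directory:
    objects: dict            # objectGUID -> attributes (constructed sample store)
    fail_commit: bool = False

    def reset_bad_pwd_count(self, guid):
        staged = copy.deepcopy(self.objects)   # work on a copy: all-or-nothing
        if guid in staged:
            staged[guid]["badPwdCount"] = 0
        # Assumption: an unknown GUID is a no-op in a transaction that still commits.
        if self.fail_commit:
            raise TransactionFailed()
        self.objects = staged                  # commit


def handle_reset_bad_pwd_count(db, responder_is_pdc, requestor, guid):
    if not responder_is_pdc:                   # checked before anything else
        return STATUS_NOT_SUPPORTED
    if requestor.is_rodc and not requestor.may_cache_target:
        return STATUS_ACCESS_DENIED            # no database access on this path
    try:
        db.reset_bad_pwd_count(guid)
    except TransactionFailed:
        return ERROR_PER_SECTION_2_2_9
    return STATUS_SUCCESS


USER = UUID("00000000-0000-0000-0000-000000000001")  # constructed GUID

def new_db(fail_commit=False):
    return Directory({USER: {"badPwdCount": 4}}, fail_commit)
```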