If your domain contains Windows 2000 domain controllers and Windows 2000 servers and/or clients, users are charged twice for each incorrect authentication attempt.

Windows 2000 first uses the Kerberos authentication method. If that does not succeed, Windows 2000 tries the Windows NT challenge/response (NTLM) authentication protocol. When the user specifies an incorrect password, they are charged twice for the one authentication attempt.

NOTE: You can inspect the NetLogon.log file and see the NTLM attempts. To also track the Kerberos attempts, see How can I enable Kerberos event logging?