re: Account lockout tools....

Gregor Suttie — Thu, 30 Dec 2004 00:22:00 GMT

Many Thanks for this as I was getting locked out a lot at work and can now use these links to find out why I was being locked out.

Cheers
Gregor

re: Account lockout tools....

Lurker 1138 — Thu, 30 Dec 2004 01:15:00 GMT

How about a self-serve website for users to recover forgotten passwords, change passwords, and update other info in AD like phone number?

re: Account lockout tools....

Drew — Thu, 30 Dec 2004 02:32:00 GMT

I'll disagree with you, Bruce. IMHO password lockout is evil. It's an excuse to forego the use of strong passwords (or "passphrases") or smartcards and it creates the possibility for a nasty DOS attack. Even if you use IPSEC to limit logons to come from only your forest's machines you have the possibility of malicious disgruntled employees DOSing one another. Auditing can catch the culprit after the DOS has happened, but that is more administrative overhead and it still means that some innocent was locked out and lost productivity. Even auditing might not help if the attack were spread virally to lots of machines.
We have an account lockout policy on ntdev (the domain I'm in at work) and I also know that if I tried to lock someone out (for 30 minutes according to what rsop tells me now, but I could attack again 30 mins later) someone would porbably figure out that I did it and that would be the end of me at Microsoft. Then again, there are a few shared test accounts I know of in ntdev and we have some debuggers in our lab that are joined to the domain, so . . . I doubt I'd get away with it now that you know my evil plans. Drat!

Account Lockout Tools

Kent J. Chen's Weblog — Thu, 30 Dec 2004 04:15:00 GMT

Account Lockout Tools

Kent J. Chen's Weblog — Thu, 30 Dec 2004 04:16:00 GMT