Re: Account Lockout
From: Kirk Schafer (infosec-capital_at_rainswept.com)
Date: 10/20/04
- Previous message: Nicholson, Dale: "Linux hacked"
- In reply to: Peter Rodger: "Re: Account Lockout"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 19 Oct 2004 19:18:57 -0500
To: security-basics@securityfocus.com
Ah. The short answer is: not without somehow involving an administrator.
The right isn't available in MMC | Group Policy. If this is Active
Directory, check these:
"How to delegate the unlock account right"
http://support.microsoft.com/?kbid=294952
"How to Grant Help Desk Personnel the Specific Right to Unlock Locked
User Accounts"
http://support.microsoft.com/?kbid=279723
Failing that, another way to involve the administrator but not the user
could involve:
Create a scheduled task that runs as administrator
Set the scheduled task to periodically run a script that looks for a
"reset this user" flag.
When that flag is found, the reset is executed and the flag is cleared.
Assigning the task to run as Admin means that you don't have to give the
password out. Obviously, rights should be set to restrict access to all
files involved, and the script hardened against invalid requests. The
task will prompt for the admin password again if anyone tries to change
it. If you always know what user has to be reset, you could use a simple
batch job that calls CHOICE to ask "reset account (y/n)".
A nuisance factor is that the task would have to be scheduled fairly
frequently to be effective. A couple of ways to start tasks on demand
(say, from a shortcut) are:
Windows Server 2003:
http://support.microsoft.com/?kbid=814596
Windows 2000:
http://www.microsoft.com/downloads/details.aspx?familyid=601d75e2-f907-4e51-ad88-adb818df1d27&displaylang=en
Just an idea.
Kirk
Peter Rodger wrote:
>Thanks for your reply. The problem resides in my
>envir. We can not use domain admin account as these
>group work in other clients' office and they are not
>in my domain. They need to unlock one share local
>user account (local computer, not domain user account)
>in case the account is locked out. But, they are only
>power users.
>
>Can they (power user) unlock this local user account
>(on each local computer)?
>
>Thanks,
>
>Peter
>
<snip>
--
___________________________________________________
Kirk Schafer
Infosec Capital - Your Information Security Asset
308 East Broadway Ave, PO Box 1851
Fairfield, IA 52556
641-919-1783 (mobile)
http://www.infosec-capital.com
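The flag-file scheme Kirk sketches above (a privileged scheduled task that polls for a "reset this user" flag, unlocks one known local account, and clears the flag), written out as an added example; this is not code from the original post. It is PowerShell for a current Windows host rather than the Windows 2000/2003 batch job the thread has in mind, so the ScheduledTasks cmdlets it uses (New-ScheduledTaskAction and friends) assume Windows 8/Server 2012 or later. The account name "shared", the flag directory C:\ProgramData\UnlockRequest, and the task name UnlockSharedAccount are all assumptions. The task is registered to run as SYSTEM instead of as a named administrator, which keeps the point of the original idea (nobody has to be handed the admin password) without storing one in the task at all.

```powershell
# Added example, not from the original post. Assumptions: the only account
# that ever needs unlocking is the hard-coded local account $TargetUser; the
# flag directory is writable by Power Users but this script file itself is
# writable only by Administrators; the task runs as SYSTEM so no password is
# stored in the task or given out.

$TargetUser = 'shared'                         # assumed shared local account
$FlagDir    = 'C:\ProgramData\UnlockRequest'   # assumed flag directory
$FlagFile   = Join-Path $FlagDir 'reset-this-user'
$LogFile    = Join-Path $FlagDir 'unlock.log'

function Write-UnlockLog([string]$Message) {
    "$(Get-Date -Format o) $Message" | Add-Content -Path $LogFile
}

# Unlock a local account through the ADSI WinNT provider. The LocalAccounts
# module has Enable-LocalUser but no Unlock-LocalUser; clearing
# IsAccountLocked and calling SetInfo() is the way to clear a local lockout.
function Unlock-LocalAccount([string]$Name) {
    $user = [ADSI]"WinNT://./$Name,user"
    if (-not $user.IsAccountLocked) {
        Write-UnlockLog "account $Name was not locked; nothing to do"
        return $false
    }
    $user.IsAccountLocked = $false
    $user.SetInfo()
    Write-UnlockLog "unlocked account $Name"
    return $true
}

# What the task runs on each tick. It acts only on the hard-coded flag name
# and the hard-coded account and never reads an account name out of the flag
# file, so a Power User cannot point the task at any other account.
function Invoke-UnlockRequest {
    if (-not (Test-Path -LiteralPath $FlagFile -PathType Leaf)) { return }
    $who = (Get-Acl -LiteralPath $FlagFile).Owner
    Write-UnlockLog "flag present, created by $who"
    try {
        Unlock-LocalAccount -Name $TargetUser | Out-Null
    } finally {
        # Clear the flag even if the unlock failed, so a bad request
        # cannot make the task retry forever.
        Remove-Item -LiteralPath $FlagFile -Force
    }
}

# One-time setup, run as an administrator: lock the directory down so Power
# Users can list it and create the flag but not touch the log, then register
# a task that polls every 5 minutes. $ScriptPath is the path this file was
# saved to (assumed to be writable by Administrators only).
function Install-UnlockTask([string]$ScriptPath) {
    New-Item -ItemType Directory -Path $FlagDir -Force | Out-Null
    icacls $FlagDir /inheritance:r `
        /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' `
        /grant 'Power Users:(CI)(RD,WD)' | Out-Null   # RD=list, WD=create files
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`" -Run"
    $trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date) `
                   -RepetitionInterval (New-TimeSpan -Minutes 5)
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
                   -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'UnlockSharedAccount' -Action $action `
        -Trigger $trigger -Principal $principal -Force | Out-Null
}

# All a Power User has to do: drop the flag (for example from a shortcut).
function Request-Unlock {
    New-Item -ItemType File -Path $FlagFile -Force | Out-Null
}

# Entry point used by the task: "-File script.ps1 -Run".
if ($args -contains '-Run') { Invoke-UnlockRequest }
```

Two details carry the security weight here. First, the account name is fixed in the script, not read from the request, which is what "hardened against invalid requests" amounts to in this design: the worst a Power User can do is unlock the one account they are already allowed to have unlocked. Second, the ACL on the flag directory gives Power Users create-file rights only, while the script file and the task definition stay under Administrators' control, so nobody below administrator can change what the task executes as SYSTEM.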