Re: Lock Account/Logoff Time-out

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 12/09/04


Date: Thu, 9 Dec 2004 13:58:50 -0700

Well, the newer newsgroup for group policy is
microsoft.public.windows.group_policy
The policies you seem to be using are not Account Policies
and therefore do not need to be set domain-wide, but can be
differentially enforced (per server, not per account)
These policies which you seem to use are in the branch of GPO
Comp \ Windows \ Security \ Local Policy \ Security Options
namely (in W2k3 prefixed with MS network server)
Amount of idle time required before suspending session
and possibly
Disconnect clients when logon hours expire

However, these settings apply to network logins onto the server
where the policy has effect.

From your initial post it sounds like you have something in place
that logs an account off after 24 hours idle. Perhaps there is a
custom policy that ships as a part of SBS to do this, but I do not
believe there is a std policy in (non-SBS) AD to log a user off after
a set time - only the above two for network logins/sessions.

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA,  MCSE W2k3+W2k+Nt4
"Todd" <Todd@discussions.microsoft.com> wrote in message 
news:2BE383E6-2FB6-4B9D-93E3-280816EE3E31@microsoft.com...
> Thanks for the posts:  Lanwench - I too expect users to log out every night -
> hence my problem with this application.  I have checked with the vendor and
> verified that it can't be run as a service - the application is a project
> management add-on to Quickbooks.  It's actually a really neat program, but
> obviously causes security concerns. Ross - Unfortunately, with SBS 2000, you
> can only have 1 DC on the network.
> I think my best course of action is to modify the Group Policy settings for
> the entire network to allow all users to indefinitely be logged on.  Would
> you agree?  I would actually prefer to modify settings so user accounts could
> be indefinitely locked instead.  Either way, I don't know where/how to
> configure this.  Any help is greatly appreciated. I also can't seem to locate
> the newsgroup for group policy.  Thanks again.
> Todd
> "Ross Smith" wrote:
>
>> Hmm... was going to reply 'No way around it that I know of.', but I did some
>> digging and I think I've got a couple of ideas for you.
>>
>> First of all, don't even try to look for a workaround for that individual
>> account.  Even in Windows Server 2003, there can only be one set of account
>> policies per domain.  If this is the way that program needs to run, you
>> *have* to change your account policies to support it.
>>
>> I suppose in theory you could create a new domain within the same forest and
>> create an admin account for this service under that domain.  It's not
>> something I've ever put into practice, you would need another DC for the
>> second domain and I've not used SBS 2000 so I couldn't advise you on whether
>> that's supported or not.  I think this would work but I would advise you to
>> do plenty of research yourself if you want to try this route.
>>
>> A better way is to change your policies to support this software and then
>> re-evaluate the security on the rest of your network, to see if there is an
>> alternative policy that could have the same effect.  I vaguely remembered
>> someone using screensavers to achieve this and found the following article
>> on the knowledgebase:
>>
>> How To Force Users to Quit Programs and Log Off After a Period of Inactivity
>> in Windows XP
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;314999&sd=tech
>>
>> Hope that helps, can you reply to the board and let us know how you get on.
>>
>> Ross Smith  MCP, MCSA
>>
>>
>> "Todd" <Todd@discussions.microsoft.com> wrote in message
>> news:D3025B9E-5142-4030-97C9-9CF86B461C3B@microsoft.com...
>> > I have a SBS 2000 network.  Default settings in my domain log users off
>> > (either locked or idle) after about 24 hours.  We recently installed an
>> > application that needs to be running 24/7 with a user account logged on with
>> > admin rights.  For security purposes, I would prefer to log the user on and
>> > lock the account.  The problem is after 24 hours, the user is automatically
>> > logged off; therefore shutting down the application.  My question is: How
>> > can I modify the GP settings so user accounts can be locked indefinitely?  I
>> > appreciate your help.

