Re: Account lockouts
From: Steve Riley [MSFT] (steriley_at_microsoft.com)
Date: Wed, 05 Jan 2005 18:32:45 -0800

Why don't you just disable account lockout? This feature is in the product
only to satisfy old-style auditing requirements and the military. Really,
though, it's more of a pain than anything else. Account lockout supposedly
protects you from password guessing or cracking attacks. In reality they
*create* opportunities for denial-of-service attacks, and this could be what
you're experiencing. Users accidentally DoS themselves out of accounts all
the time; attackers can easily DoS entire domains since user IDs are rarely

If you enforce strong passwords with group policy or a passfilt.dll, then
you don't need account lockout at all. Someone did a study once that showed
the average cost for doing a password reset or account unlock is US $70.
There are better things to do with that money and time!

> Hopefully this is the correct group to post to. My problem is as
> One user's account keeps getting locked out. Using w2000 auditing I
> have established from which computer it is that the failed logon
> attempts are happening.
> Unfortunately they are happening from a Terminal Server connection. I
> have not been able to find a way of auditing which computer it is that
> is connecting to the terminal server and then creating 3 failed logon
> Is there any way of auditing computer connections to a server?
> We are in an AD w2000 domain with the latest sp's installed.