Re: Account Lockout Policies



"bm" <bm@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5AA9CDD1-8EDC-4D52-A9DD-062C9E3B25F6@xxxxxxxxxxxxxxxx
My apologies if I'm not posting in the correct newsgroup. My question is
if there's a way to set up a security policy on a Windows 2003 DC which
locks out or disables a user that doesn't log into the domain for a
specified amount of time. For example, a user that hasn't logged into the
domain for 30 days will be locked out???


Not built-in, however something close would not be impossible to implement.

One point however, lockout is usually a temporary account state triggered
by invalid login attempts, and lockout duration (or its being non-temporary)
may only be set the same for all accounts of the domain.

I think you were perhaps meaning disable the account after non-use for
so long. You would need to determine, such as in a script or your in-use
enterprise mgmt suite, which accounts have not logged in for 30 days.

This might not be as simple as it sounds as the last login timestamps do
not reflect all valid authenticated uses of an account. Attempting to use
event logs to fill this gap would imply logging of successful domain logins
(which is often not enabled due to the huge volume of events generated)
and would mean monitoring/reading the security logs on all DCs.

That said, if you can define a satisfactory determination logic, disabling
the accounts so determined is trivial/simple, such as run in a nightly task.

Perhaps your more direct option would be to adjust the days of nonuse
and password change intervals so they are the same, and then nightly
read accounts with expired passwords and verify they are disabled.

Roger
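The nightly job Roger describes, as an added example that is not part of the original thread: it reads the logon attributes from every DC (since lastLogon is not replicated and lastLogonTimestamp lags), keeps the most recent value per account, disables accounts unused for the chosen number of days, and finishes with his alternative cross-check of enabled accounts whose password has expired. It assumes the ActiveDirectory PowerShell module (RSAT) and an account with rights to read and disable users; the parameter names and the `-WhatIf` dry-run switch are this example's own choices.

```powershell
# Added example (not from the thread): nightly task that disables domain
# accounts not seen logging on for $InactiveDays days.
# Assumes the ActiveDirectory module and rights to read/disable user accounts.
param(
    [int]$InactiveDays = 30,   # assumed default; align with max password age
    [switch]$WhatIf            # dry run: report, but do not disable
)

Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# lastLogon is not replicated, so each DC only knows the logons it handled;
# lastLogonTimestamp is replicated but may lag by up to 14 days. Reading both
# from every DC and keeping the newest value is the closest approximation of
# "last authenticated use" the directory itself can give (it still misses
# uses that never touch these attributes, as the reply above warns).
$domainControllers = Get-ADDomainController -Filter * |
    Select-Object -ExpandProperty HostName

$lastSeen = @{}   # sAMAccountName -> newest logon DateTime observed

foreach ($dc in $domainControllers) {
    $users = Get-ADUser -Server $dc -Filter 'Enabled -eq $true' `
                -Properties lastLogon, lastLogonTimestamp, whenCreated
    foreach ($u in $users) {
        # An account that has never logged on ages from its creation date,
        # so a brand-new account is not disabled on its first night.
        $candidates = @($u.whenCreated)
        foreach ($ft in @($u.lastLogon, $u.lastLogonTimestamp)) {
            if ($ft -and $ft -gt 0) {
                $candidates += [DateTime]::FromFileTime($ft)
            }
        }
        $newest = $candidates | Sort-Object -Descending | Select-Object -First 1
        $name = $u.SamAccountName
        if (-not $lastSeen.ContainsKey($name) -or $newest -gt $lastSeen[$name]) {
            $lastSeen[$name] = $newest
        }
    }
}

# Disable (or, with -WhatIf, only report) every account whose newest
# observed logon is older than the cutoff.
foreach ($entry in $lastSeen.GetEnumerator()) {
    if ($entry.Value -lt $cutoff) {
        Write-Output ("Disabling {0}: last seen {1:u}" -f $entry.Key, $entry.Value)
        Disable-ADAccount -Identity $entry.Key -WhatIf:$WhatIf
    }
}

# Cross-check from the reply's last paragraph: with the maximum password age
# set equal to $InactiveDays, an enabled account whose password has expired
# is one nobody has used. Report any such account that is still enabled.
Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
           -Properties PasswordExpired |
    Where-Object { $_.PasswordExpired } |
    ForEach-Object {
        Write-Warning ("Enabled but password expired: {0}" -f $_.SamAccountName)
    }
```

Run it first with `-WhatIf` from a scheduled task and review the output before letting it disable anything; service accounts that authenticate in ways that never update the logon attributes are the usual false positives, and the expired-password check at the end only means something once the domain's maximum password age matches the non-use period.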




