Re: Account Lockout Policies
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Thu, 30 Aug 2007 22:48:44 -0700
"Bogwitch" <Bogwitch@xxxxxxxxxxxxxxxxxxx> wrote in message
news:J7DBi.47020$1G1.30781@xxxxxxxxxxxxxxxxxxxxxxx
Roger Abell [MVP] wrote:
[snip]
Perhaps your more direct option would be to adjust the days of nonuse
and password change intervals so they are the same, and then nightly
read accounts with expired passwords and verify they are disabled.
Roger,
Slight flaw there. Imagine a user who last used the system just before the
password change reminder. Let's assume 14 days. Now, that user will have
an expired password in 14 days, not 30 days. Now remember that most users
(IMO) won't change their password until they absolutely positively have
to....
Bogwitch.
Well observed Bogwitch, and stated.
The solution to poster's is either being overlooked
or it is even more deeply messy, as you show.
One's nightly process would need to track the age
of first expiry of the pwd, disabling only upon an
uninterrupted 16 days (per your example) in expired
pwd state, so it is soluble. The use of this delay
counter might even work with the need to adjust the
"lockout" threshold and the pwd aging settings
(age and prewarn) toward each other. But still,
needing to persist info, being no longer a stateless
simple script, raises the bar for the nightly's code.
Good catch; thanks.
Is there really no direct, reliable, way to determine
accounts qualifying for the poster's scenario ?
Roger
.
- References:
- Re: Account Lockout Policies
- From: Roger Abell [MVP]
- Re: Account Lockout Policies
- From: Bogwitch
- Re: Account Lockout Policies
- Prev by Date: Re: preventing Vista Firewall from beeing disabled by users
- Next by Date: Re: Access denied on Homeshare with FQDN, fine with Shortname
- Previous by thread: Re: Account Lockout Policies
- Next by thread: mixed authentication and LogonUser token in forms ticket - safe?
- Index(es):
Relevant Pages
|
