Re: Account lockouts
From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 04/30/03
- In reply to: Mark Palmer: "Re: Account lockouts"
Date: Wed, 30 Apr 2003 07:59:03 -0400
Is it disabled or did you undefine it? There is a difference.

--
Joe Richards
www.joeware.net

"Mark Palmer" <mp@no.spam.com> wrote in message news:008501c30ee2$81beaaa0$3301280a@phx.gbl...
> Yes you are most indeed correct in saying that to disable lockout policy is in fact a domain wide setting, I had worded my explanation incorrectly. However what I do not understand is that if it is disabled (which it is) I should not be having this problem ... or am I still missing something. I do have every hotfix/update installed on both the server and clients but I will try increasing the timeout value for the file server. Thanks very much for your recent reply.
>
> Joe Richards wrote:
>
> >First off you can't disable lockout policy for specific accounts, it is a domain wide setting.
> >
> >Second, enable auditing on your domain controllers and member servers, specifically the logon failures auditing categories and then look in your security logs. In the several years I have been managing the 250k+ userids in my domains, I was always able to track the bad passwords events to specific machines. It could be applications running in the background with cached credentials or it could be the people are logged on in places they didn't think they were. In fact just today I processed a trouble ticket for a person who would have sworn on their parents lives they were logged on in multiple locations so I dumped the event logs and found out they had a terminal service session open to a machine they hadn't touched in months.
> >
> >Note that Win9x machines do have bugs that cause them to cause multiple bad attempts for every one real attempt. Depending on hotfixes installed on the machines you could get 2 or 3 bad attempts. This means if you have the concept of a 5 bad password lockout policy and you have Win9x machines, you should probably actually set your policy to 15 bad password hits.
> >
> >Finally, apply every single hot fix available for your domain controllers that have anything to do with the authentication bins such as LSASS, kerberos, etc and also consider increasing the timeout value for connections on any file/print servers that the Win9x clients have to hit because there is a known issue with Win9x machines sending bad credentials to servers when RE-Establishing connections that have timed out due to inactivity.
> >
> >--
> >Joe Richards
> >www.joeware.net
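The log review described in the quoted reply (audit logon failures, then trace the bad-password events to specific machines) can be scripted; the following is an added example, not part of the original thread. It assumes the security log has been exported to CSV with the constructed columns shown, uses failure event IDs from current Windows versions, and treats failures from one machine within a hypothetical 5-second window as one real attempt so that clients which multiply failures stand out.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed failure event IDs on current Windows (4625 failed logon, 4771 Kerberos
# pre-authentication failed, 4776 NTLM credential validation); not from the post.
FAILURE_IDS = {4625, 4771, 4776}

# Constructed sample export: time, event id, account, source machine.
SAMPLE_CSV = """time,event_id,account,source
2024-01-15T07:10:00,4776,alice,WIN98-ACCT07
2024-01-15T07:10:01,4776,alice,WIN98-ACCT07
2024-01-15T07:10:01,4776,alice,WIN98-ACCT07
2024-01-15T07:25:30,4776,alice,WIN98-ACCT07
2024-01-15T07:25:31,4776,alice,WIN98-ACCT07
2024-01-15T07:40:12,4625,alice,TS-SERVER02
2024-01-15T07:41:00,4624,alice,WS-ALICE
2024-01-15T07:52:45,4771,bob,WS-BOB
"""

def load(text):
    """Parse the exported CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def failures_by_source(rows, burst=timedelta(seconds=5)):
    """Return {account: [(source, raw_failures, attempts), ...]}, worst first.

    Failures from one source arriving within `burst` of the previous one are
    counted as a single attempt (the 5-second window is an assumption).
    """
    events = defaultdict(list)
    for row in rows:
        if int(row["event_id"]) in FAILURE_IDS:
            events[(row["account"], row["source"])].append(
                datetime.fromisoformat(row["time"]))
    report = defaultdict(list)
    for (account, source), times in events.items():
        times.sort()
        attempts = 1 + sum(1 for prev, cur in zip(times, times[1:])
                           if cur - prev > burst)
        report[account].append((source, len(times), attempts))
    for sources in report.values():
        sources.sort(key=lambda s: s[1], reverse=True)
    return dict(report)

if __name__ == "__main__":
    for account, sources in failures_by_source(load(SAMPLE_CSV)).items():
        for source, raw, attempts in sources:
            print(f"{account:6} {source:13} failures={raw} attempts={attempts}")
```

A source whose raw failure count is a multiple of its attempt count is the pattern to compare against the lockout threshold; a source the user does not recognise points to a forgotten session or cached credentials.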