Re: SP4 and n-2 password protection?

From: Matt Scarborough (vexversa_at_verizon.net)
Date: 06/30/03


Date: Mon, 30 Jun 2003 05:46:45 +0000


On Sat, 28 Jun 2003 13:16:04 -0700, Scott wrote
<018201c33db2$19e46f60$a301280a@phx.gbl>
> There was some amount of advertising earlier this year
> regarding a new capability coming with SP4 and Windows
> 2003 called N-2 password protection. It was designed to
> protect accounts from being locked out from their last
> two valid passwords.

I believe Password History Check (N-2) and Single User Object Replication
are both rolled into
http://support.microsoft.com/?scid=812499

As such, both are enabled by default in Windows 2000 Server in an AD Domain
running at SP4.

> This is a critical feature that my company desperately
> needs. There is ZERO documentation regarding the
> inclusion of this and other related fixes in SP4.
>
> Could someone at MS please assist with tracking this
> down? It would also be highly advised to post this
> information in the SP4 Readme if it is included as this
> changes account lockout behavior and could be unexpected.

I agree this could be documented better. If MS has implemented this
correctly, Password History Check (N-2) really doesn't weaken the security
posture. The Win2k3 version is here.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/BPACTLCK.asp
but Win2k SP4 documentation needs clarified.

The bottom line for me is that applications with expired passwords fail
instead of locking out the account. Same with users. When Sally uses last
month's password on a Monday morning, she's simply denied access rather than
locking herself out. The unexpected change in SP4 may be fewer lockouts. :)

Or maybe I'm wrong and getting this documented for Win2k is the better
answer...

Matt Scarborough 2003-06-30
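
The lockout behaviour discussed in this message, as an added example that is not part of the original post and not Microsoft's implementation: a simplified Python model in which a bad password matching one of the last two history entries is refused without incrementing the bad-password counter. The `Account` class, the `logon` and `replay` helpers, the SHA-256 stand-in hash, the threshold of 3 and the sample passwords are all assumptions made for illustration.

```python
"""Simplified model of the N-2 password history check (illustrative only)."""
import hashlib
from dataclasses import dataclass, field

def _h(pw: str) -> str:
    # Stand-in hash for this model only; AD uses its own hash formats.
    return hashlib.sha256(pw.encode()).hexdigest()

@dataclass
class Account:
    current: str                                  # hash of the current password
    history: list = field(default_factory=list)   # previous hashes, newest first
    bad_pwd_count: int = 0
    locked: bool = False

    def change_password(self, new_pw: str) -> None:
        self.history.insert(0, self.current)
        self.current = _h(new_pw)

def logon(acct: Account, pw: str, threshold: int = 3, n2_check: bool = True) -> str:
    """Return 'ok', 'denied' or 'locked' for one logon attempt."""
    if acct.locked:
        return "locked"
    digest = _h(pw)
    if digest == acct.current:
        acct.bad_pwd_count = 0
        return "ok"
    # N-2: a bad password that matches one of the last two history entries
    # is refused, but does not count toward the lockout threshold.
    if n2_check and digest in acct.history[:2]:
        return "denied"
    acct.bad_pwd_count += 1
    if acct.bad_pwd_count >= threshold:
        acct.locked = True
        return "locked"
    return "denied"

def replay(old_pw: str, attempts: int, n2_check: bool):
    """Constructed scenario: a service keeps retrying last month's password."""
    acct = Account(current=_h(old_pw))
    acct.change_password("Summer-2003!")          # constructed sample value
    results = [logon(acct, old_pw, n2_check=n2_check) for _ in range(attempts)]
    return results, acct
```

Passwords that were never valid still increment the counter in this model, so guessing locks the account at the same threshold with or without the check.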


