Re: Password Change Utility

anonymous_at_discussions.microsoft.com
Date: 09/08/04


Date: Wed, 8 Sep 2004 06:18:53 -0700

We do already have a lockout policy created... The
accounts do not even unlock after a specific time, our
service desk is required to unlock accounts. I am more
concerned with the idea of having an application
available to our users that asks them a few questions
then resets their accounts for them. I don't think the
program they are looking at using stores the passwords in
a table? It just seems to me like we would be opening a
huge gaping hole, I am just having a hard time revealing
it. Any recommendations would be greatly appreciated.

>-----Original Message-----
>I don't like the idea either as you will have to have a "database" of their passwords
>stored somewhere as passwords are not stored in Active Directory - their hashes are
>which can possibly be recovered by a program like LC5 but that could take a long time
>if LM hash storage is disabled and the user has a password like " 77Yy!@--bb£)) ". I
>would reconsider your lockout policy. Microsoft recommends that you use a lockout
>threshold of no less than ten and to implement complex passwords. If you do such and
>have a lockout time period of ten minutes, you can eliminate most administrator
>intervention in reactivating an account and still effectively deter brute force
>password attacks. If you implement a password lookup program, you end up with lazy
>users. They just have to learn to be more careful in managing their passwords. The
>link below is official Microsoft stuff on account lockout policy
>recommendations. --- Steve
>
>http://www.microsoft.com/technet/Security/prodtech/win2003/w2003hg/sgch02.mspx#XSLTsection123121120120
>
>"sfling@cardone.com" <anonymous@discussions.microsoft.com> wrote in message
>news:77bb01c494fd$d1c74230$a501280a@phx.gbl...
>> Our company is looking into the possibility of
>> implementing a program on our Windows 2003 domain that
>> would enable the end user to reset their password and
>> re-enable their account if locked out. They will be asked a
>> few personal questions then the program will change their
>> password and display a 128 bit encrypted web page
>> displaying their password. I am not personally in
>> favor of this application running on the network and I am
>> looking for any suggestions that I may need to look out
>> for. Any suggestions???
>
>
>.
>


