Re: User Notification of Failed Logins and Controlling Concurrent Sess



Don, while there are some utilities that can help you with #2 (including a Resource Kit tool called CConnect), the architecture of SMB networking is such that it's generally not practical to do this. Remember, users can still use domain resources without logging on. They can power up a PC without a network connection, then connect to the network, and directly access resources. If the computer isn't domain-joined, then Windows will prompt them for a user ID and password--which is used to authenticate directly to the destination resource.

Please help me understand what potential security risks you are looking to address with your two requirements. And for #1, how would this information be useful to a user? What action could they take with this knowledge, other than perhaps to be afraid of things they really can't control?

--
Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


"Don Catanzaro" <Don Catanzaro@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:41DF6FA5-FF82-4D96-9A46-DBA29D26082C@xxxxxxxxxxxxxxxx
I have been searching for a solution that has been vexing my Security
program. I work for a large company (+10,000 employees) who utilize Windows
XP on Desktops and we are in the process of moving from Server 2000 to 2003.
I'm looking for a way to do two things within our environment:

1) Notify Users upon login how many failed attempts there have been since
their last successful attempt; and
2) Limit specific users to only one concurrent session.

I haven't really found a good solution for this. Because of the size of the
company, any user can log into any of a 100 DCs and this complicates finding
practical solutions for both of these items.

Thanks in advance for any ideas you folks might have.
