Password Lockout

By NightCrawler

W2k SP2 AD domain.
Account lockout policy is for 6 invalid attempts, then the account is locked for 9999 days. Counter 2 mins.

Log on to a W2k Pro machine, then lock the workstation and enter an invalid password more than 6 times; the message says "account disabled" (so far so good). However, if you then enter the correct password, it will unlock the workstation and get into the desktop. After about 30 secs, it would appear that the session has ended due to the account being locked out. However, my concern is that anyone could "guess" a password on a workstation and gain unauthorized access to the machine for about 30 secs (enough time to cause some damage).
I realise SP3 will fix the invalid message from "account disabled" to "account locked out", but nothing on TechNet refers to this specific problem.

Has anyone come across this or know how to cure the problem?

Any ideas would be appreciated.

Thanks

Password Lockout

by Kinetechs In reply to Password Lockout

Hello,
I'm not sure about this one, since I haven't tested it yet, but you may want to try setting "The number of previous logons to cache" entry in either Local Policy or Group Policy to 0 (zero). It's located in "Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options".

It's the first thing that came to mind when I read the problem.

Cheers!
~Sean

Password Lockout

by NightCrawler In reply to Password Lockout

Thanks for the comments, Sean. I did try this and it had disastrous effects in that people who took laptops away from the office were not able to log on to them (presumably because there were no passwords cached).

Any more ideas???

Password Lockout

by Kinetechs In reply to Password Lockout

Working off my previous suggestion.

1) Create a NEW GPO with the cache setting.
2) Create a security group that includes all the laptop COMPUTER accounts.
3) On the newly created GPO, go to the Security tab on the Properties page.
4) Add a new entry for the group created in step 2 above and Deny Read and Apply permissions.
5) Test

This will not allow any computer in the group to apply the GPO. Add other computers as needed. This setting will not apply to Administrators logging in.

Cheers!
~Sean
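
A check for step 5 ("Test") of the procedure above, as an added example that is not part of the original thread: run it locally on a desktop and on a laptop to confirm that the cache setting reached only the machines it was meant for. It assumes a Windows version with PowerShell 3.0 or later (not W2k itself), and the chassis-type test for "laptop" is a heuristic chosen for this example.

```powershell
# Added example (not from the thread): verify where the
# "number of previous logons to cache" setting actually landed.
# Assumption: PowerShell 3.0+; run locally on the machine being checked.

# The policy is stored as a string value under the Winlogon key.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$raw = (Get-ItemProperty -Path $key -Name CachedLogonsCount `
        -ErrorAction SilentlyContinue).CachedLogonsCount

# Caching is off only when the value exists and equals 0.
# A missing value means the Windows default applies, so caching is on.
$cachingOff = ($null -ne $raw) -and ([int]$raw -eq 0)

# Heuristic: SMBIOS chassis types 8 (Portable), 9 (Laptop),
# 10 (Notebook) and 14 (Sub Notebook) are treated as laptops.
$portableTypes = 8, 9, 10, 14
$chassis  = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
$isLaptop = [bool]($chassis | Where-Object { $portableTypes -contains $_ })

# Expected outcome of the thread's procedure:
#   desktops -> GPO applied, caching off
#   laptops  -> GPO denied, caching still on (offline logon keeps working)
if ($isLaptop -and $cachingOff) {
    $status = 'PROBLEM: laptop has no cached logons; offline logon will fail'
} elseif (-not $isLaptop -and -not $cachingOff) {
    $status = 'PROBLEM: desktop still caches logons; GPO not applied'
} else {
    $status = 'OK'
}

[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    IsLaptop          = $isLaptop
    CachedLogonsCount = if ($null -eq $raw) { 'not set' } else { $raw }
    Status            = $status
}
```

If a desktop still reports caching as on, run `gpupdate /force` (or `secedit /refreshpolicy machine_policy` on W2k) and reboot before re-checking, since the setting is a computer policy.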
