General discussion

  • #2326767

    Password Lockout

    Locked

    by nightcrawler ·

    W2k SP2 AD domain.
    Account lockout policy is for 6 invalid attempts, then the account is locked for 9999 days. Counter 2 mins.

    Log on to a W2k Pro machine, then lock the workstation and enter an invalid password more than 6 times; the message says “account disabled” (so far so good). However, if you then enter the correct password, it will unlock the workstation and get into the desktop. After about 30 secs, it would appear that the session has ended due to the account being locked out. However, my concern is that anyone could “guess” a password on a workstation and gain unauthorized access to the machine for about 30 secs (enough time to cause some damage).
    I realise SP3 will fix the invalid message from “account disabled” to “account locked out”, but nothing on TechNet refers to this specific problem.

    Has anyone come across this or know how to cure the problem?

    Any ideas would be appreciated.

    Thanks

All Comments

    • #3494929

      Password Lockout

      by kinetechs ·

      In reply to Password Lockout

      Hello,
      I’m not sure about this one, since I haven’t tested it yet, but you may want to try setting “The number of previous logons to cache” entry in either Local Policy or Group Policy to 0 (zero). It’s located in “Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options”.

      It’s the first thing that came to mind when I read the problem.

      Cheers!
      ~Sean

      • #3515944

        Password Lockout

        by nightcrawler ·

        In reply to Password Lockout

        Thanks for the comments Sean. I did try this and it had disastrous effects, in that people who took laptops away from the office were not able to log on to them (presumably because there were no passwords cached).

        Any more ideas???

    • #3515910

      Password Lockout

      by kinetechs ·

      In reply to Password Lockout

      Working off my previous suggestion.

      1) Create a NEW GPO with the cache setting.
      2) Create a security group that includes all the laptop COMPUTER accounts.
      3) On the newly created GPO, go to the Security tab on the Properties page.
      4) Add a new entry for the group created in step 2 above and Deny Read and Apply permissions.
      5) Test.

      This will not allow any computer in the group to apply the GPO. Add other computers as needed. This setting will not apply to Administrators logging in. Cheers!
      ~Sean
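The two replies above both turn on the “number of previous logons to cache” setting and on exempting laptops from it. The following PowerShell is an added example written for this thread, not code posted by Sean or nightcrawler: it audits one machine for the effective cached-logon count and whether the hardware reports itself as a portable, so an admin can confirm the GPO landed on desktops and not on laptops. It assumes the standard Winlogon registry location for that policy value, remote registry access, and the DMTF chassis-type codes reported by Win32_SystemEnclosure.

```powershell
# Added example (not from the thread). Audit whether a machine caches domain
# logons and whether it is a laptop that the thread's GPO exception should cover.
# Assumes: remote registry and WMI access with admin rights on the target.

function Get-CachedLogonAudit {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # "Number of previous logons to cache" is stored here as a REG_SZ string.
    # When the value is absent, Windows uses its default of 10.
    $winlogonKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $hive  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key   = $hive.OpenSubKey($winlogonKey)
    $raw   = $key.GetValue('CachedLogonsCount')
    $count = if ($null -eq $raw) { 10 } else { [int]$raw }

    # DMTF chassis types 8, 9, 10 and 14 are Portable, Laptop, Notebook and
    # Sub Notebook; any of these marks the machine as a laptop for this audit.
    $laptopTypes = 8, 9, 10, 14
    $chassis  = Get-WmiObject -Class Win32_SystemEnclosure -ComputerName $ComputerName
    $isLaptop = [bool]($chassis.ChassisTypes | Where-Object { $laptopTypes -contains $_ })

    # A desktop that still caches logons has not picked up the GPO; a laptop
    # with caching off will hit the offline-logon failure described in the thread.
    if ($count -gt 0 -and -not $isLaptop) {
        $finding = 'Desktop still caching logons (GPO not applied)'
    }
    elseif ($count -eq 0 -and $isLaptop) {
        $finding = 'Laptop has caching disabled (cannot log on away from the domain)'
    }
    else {
        $finding = 'OK'
    }

    [pscustomobject]@{
        ComputerName      = $ComputerName
        CachedLogonsCount = $count
        IsLaptop          = $isLaptop
        Finding           = $finding
    }
}

# Audit the local machine; pass -ComputerName to check a remote one.
Get-CachedLogonAudit
```

Run it across the computers in the laptop security group and across a sample of desktops to confirm that only the laptops still report a non-zero count.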
