Re: Replication of password resets/unlocks
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Tue, 20 Jun 2006 09:26:09 -0400
There are two aspects to your question.
The first is about password changes. Assuming that the reg key AvoidPDCOnWan isn't set (which is handled via the policy setting previously mentioned), passwords will be sent immediately out of band to the PDC when changed on a local machine. When a user tries to log on with the new password to a machine which doesn't have the new password, again assuming the AvoidPDCOnWan setting isn't set, it will do what is called a PDC chain to send a request to the PDC to ask if the password is correct. If the password is correct, the PDC will OK the authentication and, assuming you are on 2K SP4 or better, will send a special replication down to the local DC to update that object - this is called ReplSingleObj in repadmin.
The second is about lockouts. Unlock changes are not immediately sent to the PDC; they replicate normally. Also, if a user tries to log on to a locked account, it will not necessarily chain that request to the PDC. I haven't dug into the specifics, but I believe that occasionally it will check with the PDC to see if the account has been unlocked, but not for every auth attempt; this is so a PDC will not be overwhelmed by attempts to auth a locked account (I have seen machines sending upwards of 100+ auth attempts a second for locked accounts).
The thing is, lockouts really shouldn't be for a very long period of time. I feel that most companies incorrectly implement lockouts. It is very common to see a policy of 5 bads that locks the user out for an hour. This is silly because a single bad auth could cause 3 bad authentication attempts, possibly more if you use custom authentication providers. Also, what is the point of a 60 minute lockout? It is to really cause serious pain for your users. The idea behind auto lockout is to prevent brute force systems from sending thousands of passwords an hour to crack a password; if that is the case, then setting the lockout policy to 25 bad attempts and locking the account out for, say, 5 minutes is just as good from a security perspective; it will seriously impact the ability for a brute force attack. From the usability standpoint, it will only lock out users who have really screwed up with their password and give them just enough time to realize they really screwed up, but take less time than a call to the helpdesk for an unlock and replication of the unlock, meaning that if they call the helpdesk for a reset, the only mechanism that comes into play is the one in the first paragraph above, which works fine.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
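The following PowerShell is an added example illustrating the two mechanisms Joe describes (out-of-band password replication to the PDC with ReplSingleObj, and unlocks that only replicate on the normal schedule) together with his suggested lockout settings; it is not code from Joe's post. It assumes the RSAT ActiveDirectory module, an operator with rights to reset, unlock and trigger replication, and a known name for the DC the user will log on to (the DC and account names used in the usage line at the bottom are hypothetical).

```powershell
# Added example, not part of the original post.
# Assumes: RSAT ActiveDirectory module; rights to reset/unlock and to trigger
# replication; the user's logon DC is known. Names in the usage line are hypothetical.
Import-Module ActiveDirectory

function Reset-OrUnlockAtPdc {
    <#
      Performs the reset/unlock on the PDC emulator (the DC every other DC chains
      to), then pushes just that one object to the user's logon DC. This is the
      PowerShell equivalent of "repadmin /replsingleobj", so an unlock (which is
      NOT sent out of band like a password change) does not wait for the
      scheduled replication cycle.
    #>
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserLogonDc,
        [switch]$UnlockOnly
    )

    $pdc  = (Get-ADDomain).PDCEmulator
    $user = Get-ADUser -Identity $SamAccountName -Server $pdc

    if ($UnlockOnly) {
        Unlock-ADAccount -Identity $user -Server $pdc
    } else {
        $newPassword = Read-Host -AsSecureString "New password for $SamAccountName"
        Set-ADAccountPassword -Identity $user -Server $pdc -Reset -NewPassword $newPassword
        # Force a change at next logon so the helpdesk never knows the long-term password.
        Set-ADUser -Identity $user -Server $pdc -ChangePasswordAtLogon $true
        Unlock-ADAccount -Identity $user -Server $pdc   # a reset usually goes with an unlock
    }

    # Single-object replication from the PDC to the DC the user will hit.
    Sync-ADObject -Object $user.DistinguishedName -Source $pdc -Destination $UserLogonDc

    # Verify the change landed on that DC before telling the user to try again.
    $onDc = Get-ADUser -Identity $user.DistinguishedName -Server $UserLogonDc `
                       -Properties lockoutTime, pwdLastSet, badPwdCount
    [pscustomobject]@{
        DC          = $UserLogonDc
        Locked      = ($onDc.lockoutTime -ne $null -and $onDc.lockoutTime -ne 0)
        PwdLastSet  = [datetime]::FromFileTimeUtc($onDc.pwdLastSet)
        BadPwdCount = $onDc.badPwdCount
    }
}

function Test-AvoidPdcOnWan {
    # On a DC: if AvoidPDCOnWan is set to 1, neither the out-of-band password push
    # nor the PDC chain on a failed logon happens, and the reset really does wait
    # for scheduled replication. Run this on the DC in question.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $val = (Get-ItemProperty -Path $key -Name AvoidPDCOnWan -ErrorAction SilentlyContinue).AvoidPDCOnWan
    if ($val -eq 1) { Write-Warning "AvoidPDCOnWan=1 on $env:COMPUTERNAME: PDC chaining disabled" }
    return [bool]($val -eq 1)
}

function Show-LockoutPolicy {
    # Current policy, plus the 25-attempt / 5-minute setting suggested above.
    # Note: the observation window must not exceed the lockout duration.
    Get-ADDefaultDomainPasswordPolicy |
        Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow
    Write-Host 'To apply the suggested policy (requires Domain Admin):'
    Write-Host '  Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `'
    Write-Host '      -LockoutThreshold 25 -LockoutDuration 00:05:00 -LockoutObservationWindow 00:05:00'
}

# Usage (hypothetical names):
# Reset-OrUnlockAtPdc -SamAccountName jdoe -UserLogonDc dc02.corp.example -UnlockOnly
# Test-AvoidPdcOnWan
# Show-LockoutPolicy
```

Targeting the PDC emulator for the reset means the user's own DC will accept the new password via the PDC chain even before Sync-ADObject completes; the explicit single-object sync is what matters for unlocks, which have no out-of-band path.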
Rajneel wrote:
Hi all,
Please excuse me if the query is a little trivial, but I've been informed our Windows 2003 AD structure has been configured to replicate between DCs every 15 mins, and even this will be subject to network traffic factors.
Will this mean that those users on different DCs to the Helpdesk will potentially have to wait 15 mins or longer to be able to log in once a password has been reset or account unlocked?
Thanks in advance!