Re: lock out a ad account when it is not in use



Hi,

Today I had a meeting with my supervisor because of this security
policy. I was able to satisfy my supervisor that this policy is too
strict and that it is too much work to implement this... so I don't
have to implement this now.

Thank you for your help anyway...

Best regards

Marko Schustek


On 14 Feb., 22:00, "Jorge de Almeida Pinto [MVP - DS]"
<SubstituteThisWithMyFullNameSeparatedByD...@xxxxxxxxx> wrote:
You can still script it...

User objects have the logonCount attribute and the whenCreated attribute....

What you could do is check for user objects with logonCount=0 and then
determine if currentdate-whenCreated > 2 days.

If yes, disable the account.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)-->http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)-->http://blogs.dirteam.com/blogs/jorge/rss.aspx
---------------------------------------------------------------------------­---------------
* How to ask a question -->http://support.microsoft.com/?id=555375
---------------------------------------------------------------------------­---------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
---------------------------------------------------------------------------­---------------
#################################################
#################################################
------------------------------------------------------------------------------------------

"Marko Schustek" <m.schus...@xxxxxxx> wrote in message
news:b036a0a0-cfc2-4b5c-830f-cc8f01ea5138@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I see, my English is too bad... you understood wrong... not all the
time the accounts should be disabled... only when we created a new
user account and the user doesn't log on within the next two days...
Only if the user doesn't log in within these two days, the account
should be disabled.
After he successfully logged in within these two days the account can
only be locked automatically, if the user tries too many wrong
passwords...

You are right, that would not be very good practice...

Thanks a lot for so many answers... I hope I can implement these
things...

On 13 Feb., 20:40, "Jorge de Almeida Pinto [MVP - DS]"
<SubstituteThisWithMyFullNameSeparatedByD...@xxxxxxxxx> wrote:
You cannot lock an account. You can however disable it. You could write a
script that does this for you. However, those 2 days are going to be a lot
of fun for you and your support desk right after the weekend.
Imagine this:
(1) on Friday people can still log on
(2) Saturday --> 1 day
(3) Sunday --> 2 days
(4) Monday --> all accounts are disabled and nobody can log in

Not a good practice I guess.

Also think of when people go on vacation, have a few days off, etc., etc.

Why is that needed?

--

Cheers,
------------------------------------------------------------------------------------------

"Mupfel" <m...@xxxxxxxxxxxxxxxxxx> wrote in message
news:0613ce98-3abb-4ede-b129-8a2849984881@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Hi there,

my name is Marko and I need to know whether the following thing is
possible?

My company got a new security policy.

Every newly created Active Directory account has to be locked, if there
is no login within two days.

Is that possible?

Thanks for your answers
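
The check suggested in the thread (logonCount=0 and whenCreated older than two days, then disable), as an added example that is not code from any of the posters. It assumes the ActiveDirectory PowerShell module; the OU in `$SearchBase` and the parameter names are placeholders. Because logonCount and lastLogon are not replicated between domain controllers, the script asks every DC before deciding that an account was never used.

```powershell
# Added example: disable new accounts never used within the grace period.
# Requires the ActiveDirectory module (RSAT). Run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Placeholder OU (assumption): limit the scope to where new users are created.
    [string]$SearchBase = 'OU=NewUsers,DC=example,DC=com',
    [int]$GraceDays = 2
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$GraceDays)
$dcs    = (Get-ADDomainController -Filter *).HostName

# Candidates: still-enabled users created before the cutoff.
$candidates = Get-ADUser -SearchBase $SearchBase -Properties whenCreated -Filter { Enabled -eq $true -and whenCreated -lt $cutoff }

foreach ($user in $candidates) {
    $used = $false
    foreach ($dc in $dcs) {
        try {
            # Each DC keeps its own logonCount/lastLogon, so read this DC's copy.
            $copy = Get-ADUser -Identity $user.DistinguishedName -Server $dc `
                -Properties logonCount, lastLogon -ErrorAction Stop
        } catch {
            # DC unreachable: a logon there cannot be ruled out, so fail safe
            # and leave the account enabled for this run.
            Write-Warning "Skipping $($user.SamAccountName): $dc unreachable"
            $used = $true
            break
        }
        if ($copy.logonCount -gt 0 -or $copy.lastLogon -gt 0) {
            $used = $true
            break
        }
    }

    if (-not $used -and
        $PSCmdlet.ShouldProcess($user.SamAccountName, 'Disable never-used account')) {
        Disable-ADAccount -Identity $user.DistinguishedName
        # Emit a record of what was disabled for the help desk / audit trail.
        [pscustomobject]@{
            Account     = $user.SamAccountName
            WhenCreated = $user.whenCreated
            DisabledAt  = Get-Date
        }
    }
}
```

An account created on a Friday passes the two-day cutoff over the weekend, which is the help-desk problem raised in the thread; run the task on working days only or raise `$GraceDays` to cover it.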