Re: How to allow a user to unlock user accts from XP box?




I have lockout set to 10 and I've never had a user get locked out from
password errors that I remember. You can set lockout to automatically
unlock after X minutes, but unless it's a fairly long period, you risk
allowing someone to resume a dictionary attack if that's what caused it. I
don't have lockout automatically unlock because I want to know what locked
the account first.

AFAIK there's no way to unlock an account other than in AD, and the only
alternative to letting someone log in at the server is RDP. I gave my boss
printed instructions on how to remote into the server from his desktop to
unlock accounts, but he's never had to do it. That way, he doesn't have an
admin-level account himself, but would use the built-in administrator
account over RDP if he had to unlock somebody.


"Tammy" <Tammy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:91453DE7-D05C-4605-ADEB-076E0187114F@xxxxxxxxxxxxxxxx
> Hello all,
>
> We are using SBS2003 Premium (no SP1) in a small office with approx 14
> workstations running Windows XP Pro SP2.
>
> I believe my question is simple :-)
>
> When myself, or our developer are not available, and a user account is
> locked they have to wait until either one of us are available to unlock the
> account. We want to provide this capability to a designated user in the
> office but I was hoping they could do this task from their workstation, as
> opposed to the server. I could provide them instructions for how to do on
> the server (in Server Management) but really do not want them on there for
> obvious reasons.
>
> Any tips on how to accomplish this? User accounts are configured to lockout
> after 10 failed attempts so this will not happen very often but still would
> be handy.
>
> Thanks so much in advance!
> Tammy

