Re: TimeOut Script for OWA




No, I hadn't done the force update ... did a restart this morning though
after seeing the message. As Larry says there is not much that can
be done... I understand this part.

Also I misinterpreted the results as well. I saw the message this morning
in the admin report but didn't read the date. Looks like the entire change
worked as expected. This other one caught my eye because of the number of
attempts. Is there a way to set a timeout on the site when the wrong name is
used more than 3 or 4 times? That would be a nice feature - not good for
everyone because people mistype names and don't want the timeout. Still, I'd
like that for security reasons.

All is well though:
When I log into the site there is a message (just not a timeout as I thought
might be the case).

"The user name or password is incorrect. Verify that CAPS LOCK is not on,
and then retype the current user name and password. If you receive this
message again, contact your system administrator to ensure that you have the
correct permissions to use the Remote Web Workplace."


--
Regards,
Jamie


"Merv Porter [SBS-MVP]" wrote:

After you changed the group policy, from a command prompt did you run:
gpupdate /force to apply the changes?
Did you test the policy change with a test domain user account?

--
Merv Porter [SBS-MVP]
============================

"thejamie" <thejamie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F91E5990-7825-44F7-91EC-7C6C2123355E@xxxxxxxxxxxxxxxx
Apparently it did not work:
Source     Event ID   Last Occurrence      Total Occurrences
Security   529        1/10/2009 7:40 AM    2,040 *


Logon Failure:
Reason: Unknown user name or bad password
User Name: aloha
Domain:
Logon Type: 3
Logon Process: Advapi


--
Regards,
Jamie


"Cliff Galiher" wrote:

Since Merv said his knowledge of group policy is limited, I thought I'd
chime in and confirm his explanation. :) In most "normal" setups, you
don't need to mess with the enforced option. You should not 'enforce' a
policy unless you have a very compelling reason to do so (aka have a very
large organization with multiple sites and forests..) ;)

-Cliff


"Merv Porter [SBS-MVP]" <mwport@xxxxxxxxxxxxxxxxxxx> wrote in message
news:#5MeQW2cJHA.3520@xxxxxxxxxxxxxxxxxxxxxxx
GPO Exceptions: Enforce and Block Inheritence
http://grouppolicy.editme.com/EnforceBlock

My knowledge of Group Policy is limited, but I believe the "Enforced" flag
on a GPO overrides any 'conflicting' GPO settings that you might have
created previously or might create later. This may not be desirable, so
the default is to not flag the GPO as "Enforced". As long as the GPO is
'defined' (as it is by default with SBS as witnessed by the existence of
the Small Business Server Lockout Policy GPO link), it should be applied
to users and/or computers even though it is not flagged as "Enforced".

--
Merv Porter [SBS-MVP]
============================


"thejamie" <thejamie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6E2AD6CA-6753-4FA4-948C-EB0D0C6FC5B3@xxxxxxxxxxxxxxxx
Thanks Merv,

I changed it from the default of 50 to 10. Oddly there is a place lower in
the forest where Small Business Server Group Policy shows a four tab view of
the policy. In the "Scope" tab, there is a place where the word "Enforced"
shows up and it is listed as "No" for enforced. Does this mean that no matter
what the policy is, it will not be enforced? It would appear from the log
that 50 attempts were made for each user name and the attempts were run using
about 100 different login names (the last was "aloha" - someone has a sense
of humor). I am wondering if the hacker just tries only 50 attempts knowing
that the lockout sits at 50 or if the policy was enforced and they actually
reached 50 attempts, failed, and started with a new user login?

If not, I expect there is a way to enable that enforcement?
--
Regards,
Jamie


"Merv Porter [SBS-MVP]" wrote:

You can try modifying your default settings for account lockout...

+++ Back up your current group policies BEFORE you attempt to modify anything.
-------------------------------------------------
+ To create a backup of all Windows SBS 2003 Group Policy objects
+ Click Start, and then click Server Management.
+ In the console tree, click Advanced Management, double-click Group Policy
Management, double-click Forest: <domainname>, double-click domainname,
right-click Group Policy Objects, and then click Back Up All.
+ In the Back Up Group Policy Object dialog box:
+ Under Location, enter the name of the folder in which you want to store
the backup of the GPOs.
+ Under Description, enter a description (for example, SBS GPOs) to easily
identify the file that contains the backup.
+ Click Backup.
-----------------------------------------------


Modify Account Lockout Policies
-----------------------------------------------
NOTE: This will apply to all accounts, and to both internal (LAN) and
external logons. As such, it will not be limited to OWA logins.

+ Log on as a member of the Domain Admins security group.
+ Open Server Management.
+ In the console tree, click Advanced Management, right-click Group Policy
Management, and then click Add forest.
+ In the Add forest dialog box, enter the domain name. When prompted Do you
want to add this forest with this domain?, click Yes.
+ In the console tree, under Group Policy Management, click
Forest:forestname, click Domains, right-click Small Business Server Account
Lockout Policy, and then click Edit.
+ In Group Policy Object Editor, click Computer Configuration, click
Windows Settings, and then click Security Settings.
+ Under Security Settings, click Account Policies, and then click Account
Lockout Policy.
+ In the details pane, double-click each of the following policies, and
modify settings as needed: Account lockout duration, Account lockout
threshold, and Reset account lockout counter after.
+ Click Apply, click OK, and then close Group Policy Object Editor.
+ Close Group Policy Management.
-----------------------------------------------

--
Merv Porter [SBS-MVP]
============================

"thejamie" <thejamie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7DBDB3ED-452A-4397-B72A-1E928664375F@xxxxxxxxxxxxxxxx
Someone figured out a way to hit my Web server logon
(https://myserver.com/remote) server at a rate of about 2 times per second
this morning. I thought the login was supposed to timeout. Where can I set
it so that the login policy is stricter? I see no reason why there should be
a need to try to logon more than about 5 times under any one given login
name.
How can I fix it to work this way?
--
Regards,
Jamie
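
Added example, not part of the thread or written by any of its posters: a small Python tally of event 529 descriptions per user name, to check whether failed logons stop at the lockout threshold for each name. It assumes the events were exported as text in the layout quoted above; the sample log is constructed, and every name except "aloha" is made up.

```python
import re
from collections import Counter

def make_event(user, logon_type=3):
    """Build one constructed event 529 description in the layout quoted in the thread."""
    return ("Logon Failure:\nReason: Unknown user name or bad password\n"
            f"User Name: {user}\nDomain:\nLogon Type: {logon_type}\n"
            "Logon Process: Advapi\n")

# Constructed sample export; every name except "aloha" is made up for the example.
SAMPLE_LOG = "\n".join([make_event("aloha")] * 50 + [make_event("Admin")] * 50
                       + [make_event("jsmith")] * 3
                       + [make_event("backup", logon_type=2)] * 4)

FIELD = re.compile(r"^\s*([A-Za-z ]+):[ \t]*(.*)$")

def parse_events(text):
    """Return one dict of fields per 'Logon Failure:' record in the export text."""
    events, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Logon Failure":      # header line starts a new record
            current = {}
            events.append(current)
        elif current is not None:
            current[key] = value
    return events

def failures_by_user(events, logon_type="3"):
    """Count failures per user name (case-insensitive) for one logon type."""
    return Counter(e.get("User Name", "").lower()
                   for e in events if e.get("Logon Type") == logon_type)

def classify(counts, threshold):
    """Split names into those at or above the lockout threshold and those below."""
    reached = sorted(u for u, n in counts.items() if n >= threshold)
    below = sorted(u for u, n in counts.items() if n < threshold)
    return reached, below

if __name__ == "__main__":
    counts = failures_by_user(parse_events(SAMPLE_LOG))
    reached, below = classify(counts, threshold=50)
    print("reached threshold:", reached)
    print("below threshold:", below)
    print("distinct names tried:", len(counts))
```

Lockout can only act on accounts that exist, so a run that stops at the same count for names with no matching account reflects the client's own limit rather than the policy.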








