Thanks Joe,

That was what I was getting at... I was looking for the supporting
documentation I had to back my claim up.  We learned this lesson the hard
way here.  9x boxes getting compromised and then enumerating the AD and
banging against crap doesn't take long to hit the threshold if the number
is set too low.

Now if it is a pure 2K3 and XP environment, I don't know what I would do.
Everything would just work, and I would be the Maytag repairman.

Toddler  

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 03, 2003 8:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password Policy

Try a net use connection with a bad password. That should generate the
double bad. Also if you have any Win9x, they can do up to three bad auths
during interactive logons for every single attempt. 


 joe 


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Baudino
Sent: Friday, October 03, 2003 11:41 AM
To: [EMAIL PROTECTED]
Todd,

I was curious about your double-counting statement below and tried to test
this in our lab.  I wanted to make sure we set our account lockout policy
properly when we implement and had not heard about this double-counting
before.  We're running Server 2003 and the domain's in server 2003 mode.
There are two DCs in the domain and two sites defined with one DC per site.

1.  I set the default domain GPO to lockout on 6 invalid logins.
2.  I set the default domain controller policy to audit success and failure
for logon events and account logon events.
3.  I set up a domain admin account to use for testing.
4.  From my workstation, which is a member of the test domain I attempted to
log on 6 times using incorrect passwords and monitored the security log on
the DC in my site.
5.  I saw six 675 failure events generated followed by the 644 lockout
event.

I didn't see anything to indicate that the bad password resulted in
double-counting of the Kerberos and NTLM logon attempts.  Perhaps using an
incorrect password results in a return code from the DC that the client
recognizes as a password issue and hence doesn't try NTLM?

Is there something that I set up incorrectly or tested incorrectly?  I'm not
sure how to mimic a failed Kerberos authentication attempt that would then
result in an NTLM attempt so perhaps that's what I'm missing?


Thanks,
Mike


"Myrick, Todd (NIH/CIT)" <[EMAIL PROTECTED]>@mail.activedir.org on
10/02/2003 02:44:20 PM

Please respond to [EMAIL PROTECTED]

Sent by: [EMAIL PROTECTED]

To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
cc:

Subject: RE: [ActiveDir] Password Policy


You are correct, your company passwords would expire.

The solution I suggest is to crack all the passwords, then reset the
original password to each account to reset expiration.  Then implement the
Domain Account policy again.  Also remember that NTLM and Kerberos
authentications count double.  So if your client has problems with
authentication it will try Kerberos then NTLM, and a single bad logon counts
twice.  So 10 bad password attempts really means 5 within the limited time
frame you set.

Todd

-----Original Message-----
From: Travis Riddle [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 3:09 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password Policy


I made a slight error when creating a group policy, and now need some advice
on how to fix it.  Hopefully someone will be kind enough to help out.  I
have a single domain with 2 sites.  I created a Default Policy for the
entire domain with fairly minimal settings (such as password policy, proxy
settings and a few IE settings).  Our manufacturing facility is our largest
site, and our corporate office is significantly smaller, so instead of
applying one policy several times I set block policy inheritance for the
corporate OU (so they wouldn't get the Proxy and IE settings).  I then set
password settings on the separate corporate OU.  Well, I guess I didn't
realize at the time that you could only have one password policy for the
domain, so basically they haven't had to change their passwords for some
time now.

So here is the problem, I need to enable the password policy for corporate,
but if I do I think it will immediately expire their passwords (since they
are well over 90 days old).  Is my thinking wrong here, and is there a way
around this or am I going to have to call the corporate guys and have them
manually change their passwords?  Any ideas?

Your suggestions are much appreciated,

Thanks,

Travis
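Mike's lab test above (threshold of 6, six 675 events followed by a 644) and Todd's claim that a Kerberos-then-NTLM fallback burns two counts per attempt can both be checked against the DC security log. The Python script below is an added example, not code from anyone on this list. It parses a constructed sample log in a simplified one-event-per-line format (timestamp, event ID, target account, source host; a real Server 2003 security-log export carries more fields) and counts the 675 and 529 failure events recorded for each account before its 644 lockout, then compares that count with the configured lockout threshold. The "svc-legacy" account is a constructed case of the double-count pattern; "labadmin" reproduces what Mike saw.

```python
"""Count failed-logon events per account between lockouts and compare the
count with the lockout threshold, to tell one-event-per-attempt from the
Kerberos+NTLM double-count pattern discussed in the thread."""
from collections import defaultdict
import re

# Event IDs from the Windows Server 2003 security log (pre-Vista numbering),
# as cited in the thread: 675 = Kerberos pre-authentication failed,
# 644 = user account locked out. 529 (logon failure: unknown user name or
# bad password) is the event a fallback NTLM attempt would log.
KERB_FAIL, NTLM_FAIL, LOCKOUT = 675, 529, 644

# Constructed sample log for this example: timestamp, event id, account, host.
# "labadmin" mirrors Mike's result (six 675s, then a 644). "svc-legacy" is a
# constructed account where each attempt logs a 675 and then a 529, i.e. the
# Kerberos-then-NTLM pattern Todd describes.
SAMPLE_LOG = """\
2003-10-03 11:30:01 675 labadmin WKS01
2003-10-03 11:30:05 675 labadmin WKS01
2003-10-03 11:30:09 675 labadmin WKS01
2003-10-03 11:30:13 675 labadmin WKS01
2003-10-03 11:30:17 675 labadmin WKS01
2003-10-03 11:30:21 675 labadmin WKS01
2003-10-03 11:30:21 644 labadmin WKS01
2003-10-03 11:45:02 675 svc-legacy OLDBOX
2003-10-03 11:45:02 529 svc-legacy OLDBOX
2003-10-03 11:45:30 675 svc-legacy OLDBOX
2003-10-03 11:45:30 529 svc-legacy OLDBOX
2003-10-03 11:46:01 675 svc-legacy OLDBOX
2003-10-03 11:46:01 529 svc-legacy OLDBOX
2003-10-03 11:46:01 644 svc-legacy OLDBOX
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<id>\d+)\s+(?P<user>\S+)\s+(?P<src>\S+)$"
)


def parse(text):
    """Parse the simplified log format into (timestamp, event_id, user, source)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        events.append((m["ts"], int(m["id"]), m["user"], m["src"]))
    return events


def failures_before_lockout(events):
    """Return {user: [(kerberos_failures, ntlm_failures), ...]}, one tuple per
    644 event, counting failure events logged since that user's last lockout."""
    pending = defaultdict(lambda: {KERB_FAIL: 0, NTLM_FAIL: 0})
    per_lockout = defaultdict(list)
    for _ts, event_id, user, _src in events:
        if event_id in (KERB_FAIL, NTLM_FAIL):
            pending[user][event_id] += 1
        elif event_id == LOCKOUT:
            counts = pending.pop(user, {KERB_FAIL: 0, NTLM_FAIL: 0})
            per_lockout[user].append((counts[KERB_FAIL], counts[NTLM_FAIL]))
    return dict(per_lockout)


def assess(per_lockout, threshold):
    """Classify each lockout against the configured threshold.

    'single'  : events == threshold, all of one type (one event per attempt)
    'paired'  : both Kerberos and NTLM failures present, so each attempt
                produced two events and the threshold was reached in half
                the number of real attempts
    'partial' : fewer events than the threshold on this DC's log; the other
                bad attempts were recorded on a different DC (each DC keeps
                its own badPwdCount and forwards failures to the PDC emulator)
    'excess'  : more events than the threshold
    """
    verdicts = {}
    for user, lockouts in per_lockout.items():
        for kerb, ntlm in lockouts:
            total = kerb + ntlm
            if total < threshold:
                verdict = "partial"
            elif kerb and ntlm:
                verdict = "paired"
            elif total == threshold:
                verdict = "single"
            else:
                verdict = "excess"
            verdicts.setdefault(user, []).append(verdict)
    return verdicts


if __name__ == "__main__":
    counts = failures_before_lockout(parse(SAMPLE_LOG))
    for user, verdict in assess(counts, threshold=6).items():
        print(f"{user}: {counts[user]} -> {verdict}")
```

Run it against an export of the DC's security log in the same column order; a "paired" verdict for an account means the effective threshold for that client is half the configured value, which is the situation Todd's 10-really-means-5 remark describes. A "partial" verdict is the caveat to Mike's single-DC test: with two DCs in two sites, some of an account's failures may only show up in the other DC's log.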
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/