This part troubles me:
 
"(for example it will prevent a user from logging
into a system, but not prevent them from getting their voicemail)."
 
 
Can you expand on that? To my thinking, if the account is locked out, then the user should not be able to use it. Period. End of story. No exceptions. Locked out functionality is there as a precaution to prevent misuse of the identity (ok, account). Why would you want to subvert that? What benefit is there that cannot be achieved in another manner?
 
Again, to my way of thinking, there is no reason you would ever want to mess with it in your day to day. A better option would be to set it to automatically clear after a certain period which would prevent hackers, crackers, and script kiddies (side note: set it to something that would cause a cracker to take longer to realistically crack than the password change cycle) from obtaining the passwords of the accounts. For example, .5 hours lockout after x number of attempts means that for every x number of attempts, anyone trying to programmatically guess passwords would have to pause for .5 hours before resumption. If you have hundreds of thousands of possible passwords and combinations, that can make the time to crack longer than the password change interval if you design it that way.
 
My initial take on this is that you're trying to do something and that there's a better/more supported way to accomplish it.
 
Am I missing something?
 

 
On 8/2/06, David Aragon <[EMAIL PROTECTED]> wrote:
http://support.microsoft.com/kb/305144/ discusses the various property flags
for the UserAccountControl (UAC).  I have tried to set different flags using
LDP, ADSIEdit, and VBScript.  One flag in particular is giving me a lot of
grief, LOCKOUT.  I can clear the bit, but cannot set it.  This is useful to
set for a number of reasons (for example it will prevent a user from logging
into a system, but not prevent them from getting their voicemail).

Is this normal?  Can it be set and if so, how?  Is it dependent on other
settings (ex. lockoutTime) to be set to remain set?

David Aragon

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
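
The lockout sizing argument in the reply above (x attempts, then a .5 hour pause, compared against the password change interval), worked through as an added example that is not part of the original thread. The function names, the threshold of 5, the 90-day change interval and the candidate counts are assumptions chosen for illustration; the model counts only time spent locked out, for one account, and assumes every x-th failed attempt triggers a lockout.

```python
def hours_to_exhaust(candidates, threshold, lockout_hours):
    """Hours spent waiting in lockouts while every candidate is tried once.

    Each batch of `threshold` failed attempts triggers one lockout; the
    final batch needs no wait after it. Time per attempt is ignored.
    """
    if threshold <= 0:
        return 0.0  # threshold 0 means lockout is disabled: no throttling
    batches = -(-candidates // threshold)  # integer ceiling division
    return max(batches - 1, 0) * lockout_hours


def outlasts_change_interval(candidates, threshold, lockout_hours, change_days):
    """True if exhausting the candidate list takes longer than one
    password change interval, i.e. the password rotates first."""
    return hours_to_exhaust(candidates, threshold, lockout_hours) > change_days * 24


def min_lockout_hours(candidates, threshold, change_days):
    """Lockout duration at which exhausting the list takes exactly one
    change interval; the policy must be set above this value.
    Returns None when no lockout would ever be triggered."""
    if threshold <= 0:
        return None
    lockouts = -(-candidates // threshold) - 1
    if lockouts <= 0:
        return None
    return change_days * 24 / lockouts


if __name__ == "__main__":
    # Constructed sample policies: (candidates, threshold, lockout hours, change days)
    for policy in [(300_000, 5, 0.5, 90), (10_000, 5, 0.5, 90), (10_000, 0, 0.5, 90)]:
        n, x, d, days = policy
        print(policy,
              "exhaust_hours=%.1f" % hours_to_exhaust(n, x, d),
              "outlasts_change=%s" % outlasts_change_interval(n, x, d, days),
              "min_lockout_hours=%s" % min_lockout_hours(n, x, days))
```

With the constructed numbers, 300,000 candidates at 5 attempts per .5 hour lockout outlasts a 90-day change interval, while 10,000 candidates does not and would need a lockout of a little over an hour.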
