Al,
 
Thank you for your response. I will try to elaborate, but first, let me start by saying that I was not invited to participate in this application's selection, testing, or acceptance. One day it just showed up.
 
That said ...
 
The software we use for VOIP uses its own db for storing messages. It was supposed to be AD aware. It's not. It is (barely) LDAP aware. I've found that when a user checks their voice mail (after they enter their pass code) the program only checks to see if their AD account is enabled or disabled.
 
We do have a password policy that does exactly what you describe (locks users out for some period of time after x invalid attempts).  We have also given the senior Help Desk staff the ability to unlock an account under certain circumstances.
 
We have some (a couple hundred) accounts that exist to handle the section or group vm for those areas where individuals share a phone number. These I have identified, and I have developed methods that prevent them from being used as login accounts. I have also found that there are users that do not have a computer and never use a computer, but they have vm enabled on their phone. We also have users that take sabbaticals for 6 months to a year. It is these last two groups I was hoping to address with setting the UAC account lockout. Politically I cannot disable the accounts. I have tried to add the accounts to the permanent lockout list, which works, but when the last group returns it takes time for us to remove them from the list. Again politically unacceptable.
 
This makes having the ability to set the account lockout very appealing. What I was looking for was a way to set the lockout bit. It was previously explained that the bit cannot be set directly, but that by setting the lockoutTime to some non-zero value the account is locked (though I've found that the bit is not always set). My current research and testing is moving along that path.

David Aragon
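Added example (mine, not from this thread, the list, or Microsoft) showing why the LOCKOUT bit "is not always set": a DC does not store it in userAccountControl but derives it from lockoutTime and the domain's lockoutDuration, exposing the result in msDS-User-Account-Control-Computed. It assumes lockoutTime is a FILETIME and lockoutDuration a negative 100-ns interval with 0x8000000000000000 meaning "never expires"; the timestamps and flag values are constructed sample data.

```python
from datetime import datetime, timezone

# userAccountControl flag values from KB305144 (subset relevant here)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0200: "NORMAL_ACCOUNT",
}
UF_LOCKOUT = 0x0010

# lockoutTime is a FILETIME: 100-ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# The domain's lockoutDuration is a negative 100-ns interval; this sentinel means "until unlocked by an admin".
LOCKOUT_FOREVER = -0x8000000000000000

def decode_uac(value):
    """Names of the flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def datetime_to_filetime(dt):
    """UTC datetime -> FILETIME, in integer math so it stays exact."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def is_locked_out(lockout_time, lockout_duration, now):
    """True if the account is locked at 'now', given its lockoutTime
    and the domain's lockoutDuration (both 100-ns integers)."""
    if lockout_time == 0:  # never locked, or explicitly unlocked
        return False
    if lockout_duration == LOCKOUT_FOREVER:
        return True
    unlock_at = lockout_time + (-lockout_duration)
    return datetime_to_filetime(now) < unlock_at

def computed_uac(stored_uac, lockout_time, lockout_duration, now):
    """Mimic msDS-User-Account-Control-Computed for the LOCKOUT bit: the
    stored userAccountControl does not carry it; the DC derives it."""
    if is_locked_out(lockout_time, lockout_duration, now):
        return stored_uac | UF_LOCKOUT
    return stored_uac & ~UF_LOCKOUT

# Constructed sample: normal account locked 2006-08-21 06:00 UTC, 30-minute lockoutDuration.
LOCKED_AT = datetime_to_filetime(datetime(2006, 8, 21, 6, 0, tzinfo=timezone.utc))
THIRTY_MINUTES = -(30 * 60 * 10_000_000)
AT_0615 = datetime(2006, 8, 21, 6, 15, tzinfo=timezone.utc)  # still inside the window
AT_0645 = datetime(2006, 8, 21, 6, 45, tzinfo=timezone.utc)  # window has elapsed
if __name__ == "__main__":
    for now in (AT_0615, AT_0645):
        print(now.time(), decode_uac(computed_uac(0x200, LOCKED_AT, THIRTY_MINUTES, now)))
```

Auditing the stored attribute alone therefore under-reports locked accounts; compare lockoutTime against the domain policy, or read the computed attribute, when you want to know who is actually locked.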

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, August 21, 2006 6:33 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] UAC Question

This part troubles me:
 
"(for example it will prevent a user from logging
into a system, but not prevent them from getting their voicemail)."
 
 
Can you expand on that? To my thinking, if the account is locked out, then the user should not be able to use it. Period. End of story. No exceptions. Locked out functionality is there as a precaution to prevent misuse of the identity (ok, account.) Why would you want to subvert that? What benefit is there that cannot be achieved in another manner?
 
Again, to my way of thinking, there is no reason you would ever want to mess with it in your day to day. A better option would be to set it to automatically clear after a certain period, which would prevent hackers, crackers, and script kiddies (side note: set it to something that would cause a cracker to take longer to realistically crack than the password change cycle) from obtaining the passwords of the accounts. For example, .5 hours lockout after x number of attempts means that for every x number of attempts, anyone programmatically trying to guess passwords would have to pause for .5 hours before resumption. If you have hundreds of thousands of possible passwords and combinations, that can make the time to crack longer than the password change interval if you design it that way.
 
My initial take on this is that you're trying to do something and that there's a better/more supported way to accomplish it.
 
Am I missing something?
 

 
On 8/2/06, David Aragon <[EMAIL PROTECTED]> wrote:
http://support.microsoft.com/kb/305144/ discusses the various property flags
for the UserAccountControl (UAC). I have tried to set different flags using
LDP, ADSIEdit, and VBScript. One flag in particular is giving me a lot of
grief, LOCKOUT. I can clear the bit, but cannot set it. This is useful to
set for a number of reasons (for example it will prevent a user from logging
into a system, but not prevent them from getting their voicemail).

Is this normal?  Can it be set and if so, how?  Is it dependent on other
settings (ex. lockoutTime) to be set to remain set?

David Aragon

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx