Logon Workstations setting question

  • Question

  • We have a situation where an account is having a brute force attack and keeps locking out the account. For a multitude of reasons that I won't go into here, blocking where this is coming from is not possible. So, what I was wondering was, if we set the Log on To to only the workstation that this user should be logging into, would this keep the account from getting locked out?

    I'm wondering if the authentication occurs first and then the check to see if there is a limit on the workstation, or if the check for the workstation comes first. My bet is that it isn't going to keep the account from being locked out.

    Any thoughts?

    Thanks

    John

    Friday, May 20, 2011 3:03 PM

Answers

  • I just tried and the account was not locked out. My domain is configured to lock out after 5 bad attempts, but when I tried 10 times to log on with a bad password on a workstation not in userWorkstations, I got messages about not being allowed to use this workstation, try again elsewhere. After 10 attempts, I was not locked out and could log on to another workstation I was configured to use (with the correct password).



    Richard Mueller - MVP Directory Services
    Friday, May 20, 2011 3:24 PM
  • If you are logging in to the domain, prior to the user, system account authentication takes place, which compares the encrypted machine account password from the DC, & then user authentication takes place on entering his/her credentials and pressing the Enter button.

    The user logon-to-workstation setting you set in ADUC covers just interactive logon; what about other logons, such as network logons when a user browses a network share, accesses the email server, runs an LDAP query, or accesses OWA, etc.? In that case lockout still happens.


    Regards  


    Awinish Vishwakarma| CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Sunday, May 22, 2011 5:19 AM

All replies

  • We have a situation where an account is having a brute force attack and keeps locking out the account. For a multitude of reasons that I won't go into here, blocking where this is coming from is not possible. So, what I was wondering was, if we set the Log on To to only the workstation that this user should be logging into, would this keep the account from getting locked out?

    I don't think it will stop it being locked like that. You have to try it in a test environment.

    You have to identify the source and check what is going on.

    It is possible that you have an application / service running with this user account with a wrong password.



    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration

    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration

    Friday, May 20, 2011 3:12 PM
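    Two points in this thread lend themselves to a check an administrator can actually run: the advice above to identify the source of the bad passwords, and Awinish's point that network logons keep triggering lockouts even when Log on To is set. The PowerShell below is an added example, not code from the thread or from Microsoft. It assumes the ActiveDirectory RSAT module is installed, that the caller can read the Security log on the PDC emulator, and uses a constructed account name (jdoe). The mapping of the 4740 event's "Caller Computer Name" to the TargetDomainName data field is stated from the event schema as I know it, not from the thread.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory RSAT module and
# read access to the Security log on the PDC emulator.
Import-Module ActiveDirectory

$SamAccountName = 'jdoe'        # constructed sample account name
$pdc = (Get-ADDomain).PDCEmulator

# 1. Is the "Log on To" restriction (userWorkstations) set, and is the account locked now?
$user = Get-ADUser -Identity $SamAccountName -Properties LogonWorkstations, LockedOut
"LogonWorkstations : $($user.LogonWorkstations)"
"LockedOut         : $($user.LockedOut)"

# 2. badPwdCount is not replicated, so query each DC. The DC whose count keeps
#    climbing is the one receiving the bad attempts (network logons included),
#    which is exactly the traffic the Log on To restriction does not stop.
foreach ($dc in Get-ADDomainController -Filter *) {
    $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                    -Properties badPwdCount, badPasswordTime
    $lastBad = $null
    if ($u.badPasswordTime) { $lastBad = [DateTime]::FromFileTime($u.badPasswordTime) }
    [pscustomobject]@{
        DC              = $dc.HostName
        BadPwdCount     = $u.badPwdCount
        LastBadPassword = $lastBad
    }
}

# 3. Event 4740 (account locked out) is always written on the PDC emulator and
#    names the machine that forwarded the bad passwords ("Caller Computer Name").
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-1) }
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue
foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -eq $SamAccountName) {
        [pscustomobject]@{
            Time           = $e.TimeCreated
            Account        = $data['TargetUserName']
            CallerComputer = $data['TargetDomainName']  # assumption: 4740 stores the caller computer here
        }
    }
}
```

    Run it from an elevated PowerShell session on a domain-joined admin workstation. Step 2 is the useful part when the Log on To restriction is in place: an interactive attempt on a disallowed workstation is rejected before the password is checked, so badPwdCount stays flat, whereas a bad password sent over a network logon (SMB, LDAP, OWA) still increments it on whichever DC handled the request. Step 3 then tells you which machine relayed those attempts, which is the starting point for the "identify the source" advice above.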
  • I suspected that it wouldn't solve the problem but I wanted to confirm ... I'll test it out.


    - John

    Friday, May 20, 2011 3:23 PM
  • Interesting discussion... rather than trying to lock out the user from another workstation, have you tried to lock out the user using the net use command to connect to a share with a bad password?



    Visit: anITKB.com, an IT Knowledge Base.
    Friday, May 20, 2011 3:31 PM
  • Richard's findings are accurate - which answers your question. Note that this applies to interactive logons only...

    hth
    Marcin

    Sunday, May 22, 2011 11:17 AM