Posted by bm on August 30, 2007, 6:36 am
Thank you both so much! I really thought there was a built-in way of doing
this -- I guess not. I'll have to revert to doing a little scripting.
Thanks again!
"Roger Abell [MVP]" wrote:
> > My apologies if I'm not posting in the correct newsgroup. My question is
> > if there's a way to set up a security policy on Windows 2003 DC which is
> > lockout or disable a user that doesn't log into the domain for a specified
> > amount of time. For example a user that hasn't logged into the domain for
> > 30 days will be locked out???
> >
>
> Not built-in, however something close would not be impossible to implement.
>
> One point however, lockout is usually a temporary account state triggered
> by invalid login attempts, and lockout duration (or its being non-temporary)
> may only be set the same for all accounts of the domain.
>
> I think you were perhaps meaning disable the account after non-use for
> so long. You would need to determine, such as in a script or your in-use
> enterprise mgmt suite, which accounts have not logged in for 30 days.
>
> This might not be as simple as it sounds as the last login timestamps do
> not reflect all valid authenticated uses of an account. Attempting to use
> event logs to fill this gap would imply logging of successful domain logins
> (which is often not enabled due to the huge volume of events generated)
> and would mean monitoring/reading the security logs on all DCs.
>
> That said, if you can define a satisfactory determination logic, disabling
> the so determined account is trivial/simple such as run in a nightly task.
>
> Perhaps your more direct option would be to adjust the days of nonuse
> and password change intervals so they are the same, and then nightly
> read accounts with expired passwords and verify they are disabled.
>
> Roger
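The nightly "find accounts unused for N days and disable them" task Roger describes, written out as an added example rather than anything posted in the thread. It assumes the ActiveDirectory PowerShell module (RSAT) and an account permitted to disable users; the OU path is a placeholder, and the 30-day threshold is the one from the question.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module
# (RSAT) is installed and the runner may disable users under $SearchBase.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$InactiveDays = 30,
    [string]$SearchBase = 'OU=Users,DC=example,DC=com',   # placeholder OU
    [switch]$Commit                                       # report-only unless set
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# lastLogonTimestamp replicates between DCs, but only when the stored value is
# already roughly 9-14 days stale, so "unused for 30 days" can really mean
# "unused for 30 to ~44 days". As Roger notes, it also does not capture every
# authenticated use of the account, so treat hits as candidates to review.
$candidates = Get-ADUser -SearchBase $SearchBase -Filter { Enabled -eq $true } `
        -Properties lastLogonTimestamp, whenCreated |
    Where-Object {
        $lastLogon = if ($_.lastLogonTimestamp) {
            [DateTime]::FromFileTime($_.lastLogonTimestamp)
        } else { $null }
        # Accounts that have never logged on have no timestamp at all; use the
        # creation date instead so freshly created accounts are not disabled.
        $reference = if ($lastLogon) { $lastLogon } else { $_.whenCreated }
        $reference -lt $cutoff
    }

foreach ($u in $candidates) {
    $seen = if ($u.lastLogonTimestamp) {
        [DateTime]::FromFileTime($u.lastLogonTimestamp).ToString('yyyy-MM-dd')
    } else { 'never' }
    Write-Output ("{0}`tlast logon: {1}" -f $u.SamAccountName, $seen)

    if ($Commit -and $PSCmdlet.ShouldProcess($u.SamAccountName, 'Disable-ADAccount')) {
        Disable-ADAccount -Identity $u
        # Record why it was disabled so the helpdesk can tell inactivity from a
        # deliberate offboarding when the user calls.
        Set-ADUser -Identity $u -Description ("Disabled for inactivity on {0:yyyy-MM-dd}" -f (Get-Date))
    }
}
```

Run it without -Commit first (or with -Commit -WhatIf) to review the list, then schedule it with -Commit as a nightly task once any service or shared accounts have been excluded from the OU or the filter.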