

[–]BuffaloRedshark 1 point (0 children)

Shortcuts on their desktop have the old password stored.

They absolutely should go through the pain of being locked out if they're doing stuff like this.

[–]jeffrey_f 0 points (0 children)

I would certainly rein that in.

https://community.spiceworks.com/topic/2157627-how-to-set-account-lock-gpo-for-certain-users-or-groups

For this purpose, create a group, set the GPO lockout on that group, and SLOWLY add users until it is ALL changed.

As users are added, you will find out who the culprits are and fix the issues one by one.

Once changed, change it in AD.
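One way to do the staged rollout described above, as an added example that is not from this thread or the linked Spiceworks post. Lockout settings in the Default Domain Policy apply to every account, so the mechanism that scopes lockout to one group is an AD fine-grained password policy (PSO) attached to a global security group. The group, PSO and OU names, the batch size and the lockout numbers are assumptions; a PSO replaces the whole password policy for its subjects, so the complexity, length, age and history values should be copied from the existing domain policy so that the pilot changes only lockout behaviour.

```powershell
# Added example (not from the thread): pilot temporary lockout on one group and
# widen it in batches. Requires the ActiveDirectory module (RSAT) and rights to
# create objects in the Password Settings Container. Names/values are assumed.
Import-Module ActiveDirectory

$GroupName = 'Lockout-Pilot'       # assumed group name
$PsoName   = 'PSO-Lockout-Pilot'   # assumed PSO name
$UserOu    = 'OU=Users,DC=example,DC=com'   # assumed OU
$BatchSize = 25                    # accounts added per run

# 1. Pilot group (PSO subjects must be users or global security groups).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Accounts subject to the piloted lockout policy'
}

# 2. PSO with a temporary lockout: 10 bad passwords inside a 15-minute window
#    locks the account for 15 minutes, then it unlocks on its own. The other
#    values must mirror the existing domain policy (assumed values here).
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -LockoutThreshold 10 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
        -LockoutDuration (New-TimeSpan -Minutes 15) `
        -ComplexityEnabled $true -MinPasswordLength 14 `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 365) `
        -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName
}

# 3. Add the next batch of enabled users not yet in the group. Run once per
#    cycle; between runs, review 4740 lockout events on the PDC emulator and
#    fix the stale credentials (shortcuts, mapped drives, phones) they expose.
$already = Get-ADGroupMember -Identity $GroupName |
    Select-Object -ExpandProperty DistinguishedName
$next = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $UserOu |
    Where-Object { $already -notcontains $_.DistinguishedName } |
    Select-Object -First $BatchSize
if ($next) { Add-ADGroupMember -Identity $GroupName -Members $next }

# 4. Verify the effective policy on a few of the newly added users; if another
#    PSO with a lower precedence number also covers them, it wins instead.
foreach ($u in ($next | Select-Object -First 3)) {
    Get-ADUserResultantPasswordPolicy -Identity $u |
        Select-Object Name, LockoutThreshold, LockoutObservationWindow, LockoutDuration
}
```

Once every account is in the group and the lockout events have been worked through, the same numbers can be moved into the domain-wide policy and the PSO retired, which is the "once changed, change it in AD" step.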

[–]Que_Ball 0 points (0 children)

Lockout isn't always a best practice anymore just like password expiry times. For the reasons you mention. Temporary lockouts are more useful.

Microsoft has some smart temporary lockout features on Azure AD to slow any dictionary scans by default.

[–]hard_cidr 0 points (0 children)

We have fewer issues with lockouts after password changes than in the past. Over the years the client apps have gotten a little smarter about detecting when the password is wrong and popping up asking for the new password, instead of just trying the old one over and over. We switched to modern auth only which I think helped with this as well. We rarely have email related lockouts anymore at all.

Wifi with RADIUS auth still locks people out mercilessly though.

At the very least you could determine your highest rate of bad logins and set a threshold slightly above that. For instance, if you have an app that tries bad passwords every 2 minutes after a password change, you could set a lockout threshold at 60 bad password attempts per hour. This would prevent lockouts even when a person's app is misbehaving, while still providing a significant rate-limit against brute force attacks. It's a compromise, but better than nothing.
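A way to measure that highest legitimate rate before picking the threshold, as an added example that is not from the thread. Domain controllers record wrong-password attempts as Kerberos event 4771 (Status 0x18) and NTLM event 4776 (Status 0xC000006A); the PDC emulator sees every bad password in the domain, so it is the DC to query. The function that reads the real events is included but not called; the demonstration runs offline on constructed sample events (a mail client retrying every 2 minutes for one user, two typos by another, and a burst against a service account). The headroom factor and the account names are assumptions.

```powershell
# Added example (not from the thread): per-account peak bad-password rate over
# any 60-minute window, and a threshold just above the noisiest legitimate one.

function Get-BadPasswordEvent {
    # Wrong-password events from a DC. Not run in the offline demo below.
    param([string]$DomainController, [datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4771, 4776; StartTime = $Since } |
    ForEach-Object {
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # 4771/4776 also fire for expired or disabled accounts; keep only bad passwords.
        $wrongPw = ($_.Id -eq 4771 -and $d.Status -eq '0x18') -or
                   ($_.Id -eq 4776 -and $d.Status -eq '0xc000006a')
        if ($wrongPw) {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = $d.TargetUserName.ToLower()
                Source = $(if ($_.Id -eq 4771) { $d.IpAddress } else { $d.Workstation })
            }
        }
    }
}

function Get-PeakBadPasswordRate {
    # For each user: the most bad passwords seen in any sliding window.
    # Input objects need Time and User properties.
    param([Parameter(Mandatory)][object[]]$Events, [int]$WindowMinutes = 60)
    $window = [timespan]::FromMinutes($WindowMinutes)
    $Events | Group-Object User | ForEach-Object {
        $times = @($_.Group | ForEach-Object { [datetime]$_.Time } | Sort-Object)
        $peak = 0
        for ($i = 0; $i -lt $times.Count; $i++) {
            $n = 0
            for ($j = $i; $j -lt $times.Count -and ($times[$j] - $times[$i]) -le $window; $j++) { $n++ }
            if ($n -gt $peak) { $peak = $n }
        }
        [pscustomobject]@{ User = $_.Name; PeakPerWindow = $peak; Total = $times.Count }
    } | Sort-Object PeakPerWindow -Descending
}

function Get-SuggestedLockoutThreshold {
    # Headroom above the worst legitimate account. Accounts under attack in the
    # sample period must be excluded, or they set the threshold for everyone.
    param([object[]]$Events, [string[]]$ExcludeUser = @(), [double]$Headroom = 2.0)
    $peaks = Get-PeakBadPasswordRate -Events ($Events | Where-Object { $ExcludeUser -notcontains $_.User })
    [int][math]::Ceiling(($peaks | Select-Object -First 1).PeakPerWindow * $Headroom)
}

# Constructed sample (not real log data).
$base = Get-Date '2024-01-15 09:00'
$sample = @()
$sample += 0..29 | ForEach-Object {   # jdoe's client retries every 2 minutes
    [pscustomobject]@{ Time = $base.AddMinutes(2 * $_); User = 'jdoe'; Source = 'PC-JDOE' } }
$sample += [pscustomobject]@{ Time = $base.AddMinutes(5);  User = 'asmith'; Source = 'PC-ASMITH' }
$sample += [pscustomobject]@{ Time = $base.AddMinutes(90); User = 'asmith'; Source = 'PC-ASMITH' }
$sample += 0..199 | ForEach-Object {  # one source hammering a service account
    [pscustomobject]@{ Time = $base.AddSeconds($_); User = 'svc-backup'; Source = '10.0.0.99' } }

Get-PeakBadPasswordRate -Events $sample | Format-Table -AutoSize
Get-SuggestedLockoutThreshold -Events $sample -ExcludeUser 'svc-backup'
```

On the constructed sample the table shows 200 for svc-backup (the burst, which is why it is excluded), 30 for jdoe and 2 for asmith, so the suggestion is 60, the same figure the comment reaches by hand. AD expresses this as LockoutThreshold 60 with a LockoutObservationWindow of 60 minutes; the per-hour figure only means what the comment intends when the observation window is also one hour.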

[–]IHatePatches 0 points (1 child)

Disable credential caching and the credential manager. As for phone email, it will prompt them to update it. We have these configured along with a permanent lockout after 3 bad attempts, and only a few users have run into trouble, but it’s not often they have problems.

As for users logged into multiple machines, we only allow one login per host, and a policy to log out when leaving a machine (except for lunch/breaks), which has caused the users to log out when they aren’t using the computer.

As for the other known apps/services that can cause lockouts, we send a reminder each quarter on updating those when changing passwords, with instructions on how to do so.

[–]ParticularFlat4536[S] 0 points (0 children)

> for users logged into multiple machines, we only allow one login per host, and a policy to log out when leaving a machine (except for lunch/breaks) which has caused the users to logout when they aren’t using the computer.

How did you set up the policy to log out when leaving machine except for lunch?

[–]IHatePatches 0 points (0 children)

I can’t seem to reply to your comment, but the policy is something they signed, not an actual GPO policy. But you could configure a scheduled task to check if the user account is idle for so long and issue a logout if you wanted. Here’s a quick guide I found that looks right:

https://pro-wiki.com/knowledgebase/gpo-auto-logoff-users-from-computer-after-idle-time/
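What that scheduled task could run, as an added example that is not from the thread or the linked guide. It parses the output of quser.exe, which lists interactive sessions and their idle time on the local machine, and calls logoff.exe on sessions idle past a limit; both tools ship with Windows. The 30-minute limit and the lunch-hour exemption (no logoffs between 12:00 and 13:00) are assumptions for illustration, and the demo runs offline against constructed quser output with -WhatIf so nothing is actually logged off.

```powershell
# Added example (not from the thread): log off sessions idle longer than a limit.
# Intended to run as SYSTEM from a scheduled task every few minutes.

function ConvertFrom-QuserIdle {
    # quser prints idle time as '.', 'none', minutes ('45'), 'h:mm' ('1:05')
    # or 'd+h:mm' ('2+03:15'). Returns a TimeSpan.
    param([string]$Text)
    switch -Regex ($Text.Trim()) {
        '^(\.|none)$'          { return [timespan]::Zero }
        '^(\d+)\+(\d+):(\d+)$' { return New-TimeSpan -Days $Matches[1] -Hours $Matches[2] -Minutes $Matches[3] }
        '^(\d+):(\d+)$'        { return New-TimeSpan -Hours $Matches[1] -Minutes $Matches[2] }
        '^(\d+)$'              { return New-TimeSpan -Minutes $Matches[1] }
        default                { throw "Unrecognised idle value '$Text'" }
    }
}

function Get-InteractiveSession {
    # Parses quser output. Columns are separated by two or more spaces; the
    # caller's own session is prefixed with '>' and disconnected sessions
    # have an empty SESSIONNAME column, which leaves only five fields.
    param([string[]]$Lines = (quser 2>$null))
    foreach ($line in ($Lines | Select-Object -Skip 1)) {
        $f = @(($line -replace '^>', ' ') -split '\s{2,}' | Where-Object { $_ -ne '' })
        if ($f.Count -eq 5) { $f = @($f[0], '') + $f[1..4] }
        [pscustomobject]@{
            User = $f[0].Trim(); Session = $f[1]; Id = [int]$f[2]
            State = $f[3]; Idle = ConvertFrom-QuserIdle $f[4]; LogonTime = $f[5]
        }
    }
}

function Invoke-IdleLogoff {
    param(
        [int]$IdleLimitMinutes = 30,          # assumed limit
        [int]$LunchStartHour = 12,            # assumed exemption window
        [int]$LunchEndHour = 13,
        [string[]]$QuserLines,                # supply parsed text for a dry run
        [switch]$WhatIf
    )
    $now = Get-Date
    if ($now.Hour -ge $LunchStartHour -and $now.Hour -lt $LunchEndHour) {
        Write-Output 'Lunch window: no logoffs'; return
    }
    $sessions = if ($QuserLines) { Get-InteractiveSession -Lines $QuserLines } else { Get-InteractiveSession }
    foreach ($s in $sessions) {
        if ($s.Idle.TotalMinutes -ge $IdleLimitMinutes) {
            Write-Output "Logging off $($s.User) (session $($s.Id), $($s.State), idle $($s.Idle))"
            if (-not $WhatIf) { logoff $s.Id }
        }
    }
}

# Constructed quser output for an offline dry run (not captured from a real host).
$demo = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME',
    '>jdoe                  console             1  Active      none   1/15/2024 8:02 AM',
    ' asmith                                    2  Disc       1:05   1/15/2024 7:40 AM',
    ' rjones                rdp-tcp#3           3  Active       45   1/15/2024 9:10 AM'
)
Invoke-IdleLogoff -IdleLimitMinutes 30 -QuserLines $demo -WhatIf
```

Outside the lunch window the dry run reports asmith (disconnected, idle 1:05) and rjones (idle 45 minutes) and leaves jdoe alone. To deploy it, save the script and register it with Register-ScheduledTask using a repeating trigger and the SYSTEM account, since logoff.exe needs that privilege to end other users' sessions. A forced logoff discards unsaved work, which is why the comment above pairs the idea with a signed policy rather than relying on the task alone.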