Password And Policy

  • Password And Policy

    I have a domain setup on a Windows 2003 server with all the latest patches.

    The issue I am having is that for all user accounts that log into the domain, their passwords are configured through Group Policy to set the complexity, length, etc. When the password expires and the user has to create a new password, all is fine.

    Here is the issue. After the password has been changed to the new password, the user can try the old password 5 times, which fails, but the account will not lock. Although it does not allow the user on the domain, it does not lock the account.

    What I have tested was trying a password that has never been used, and after 5 tries it locks the account.

    I created a new OU for testing, created one account for that OU, created a Group Policy for that OU and set the password policy and so forth. When logging into the account that is in the test OU I still get the same issue. The old password that has expired or has been changed to a new password, no matter how many failed attempts, does not lock the user account, but if I put in a totally different password that has never been used before (let's just say I use 8888 or whatever) the account will lock.

    This would not normally be an issue, but my client has auditors that want this changed to lock the account, so I'm stuck and can't find any info on this problem.

    Thanks
    H

  • #2
    Re: Password And Policy

    Password policy before 2008 native domain (as in 2000/2003): Only one password policy can exist and it should be on the default domain policy.

    "Settings in the Account Lockout and Password Policy nodes of the Default Domain policy settings enable account lockout and control how account lockout operates"
    http://technet.microsoft.com/en-us/l...60(WS.10).aspx

    "In Microsoft® Windows® 2000 and Windows Server® 2003 Active Directory domains, only one password policy and account lockout policy could be applied to all users in the domain. These policies were specified in the Default Domain Policy for the domain."
    http://technet.microsoft.com/en-us/l...94(WS.10).aspx
    Regards,
    Leonid

    MCSE 2003, MCITP EA, VCP4.



    • #3
      Re: Password And Policy

      Originally posted by venom83
      Password policy before 2008 native domain (as in 2000/2003): Only one password policy can exist and it should be on the default domain policy.

      "Settings in the Account Lockout and Password Policy nodes of the Default Domain policy settings enable account lockout and control how account lockout operates"
      http://technet.microsoft.com/en-us/l...60(WS.10).aspx

      "In Microsoft® Windows® 2000 and Windows Server® 2003 Active Directory domains, only one password policy and account lockout policy could be applied to all users in the domain. These policies were specified in the Default Domain Policy for the domain."
      http://technet.microsoft.com/en-us/l...94(WS.10).aspx

      I got this part, but my issue is this. After 60 days all users have to change their password. My GPO is set up to remember 5 old passwords.

      1. After 60 days the user changes their password.
      2. GPO remembers 5 old passwords.
      3. If the user types one of the old passwords more than 5 times the account "does not" lock, but it should lock.
      4. If the user types the new password wrong 5 times the "account locks".

      This is where I'm stuck. Why are the old remembered passwords not locking the account after 5 failed tries, but any other password used will lock the account?



      • #4
        Re: Password And Policy

        Old password not locking the account during "password change" window or even after?
        Regards,
        Leonid

        MCSE 2003, MCITP EA, VCP4.



        • #5
          Re: Password And Policy

          Originally posted by venom83
          Old password not locking the account during "password change" window or even after?

          That's right. After the user changes their password they can use their old password as many times as they like and it will not lock the account. But if they misspell their new password 5 times it locks the account.

          It seems to be keeping the old passwords cached somehow, and when the old password is used it won't lock the account. Although the old passwords do not let the users on the domain, it still should lock the account.



          • #6
            Re: Password And Policy

            I'm not familiar with such behavior.
            I'll give it a try in the lab and update.
            Regards,
            Leonid

            MCSE 2003, MCITP EA, VCP4.



            • #7
              Re: Password And Policy

              Originally posted by venom83
              I'm not familiar with such behavior.
              I'll give it a try in the lab and update.

              Have you had any luck with this issue?



              • #8
                Re: Password And Policy

                Yep, just did it.
                You are absolutely right: apparently, old passwords that AD remembers cannot lock the user account. I was able to reproduce this behavior on AD versions 2003 and 2008 R2. Not just the last password: I tried a few last used and all that AD "remembers" did not lock out the account.

                But it's a good thing, no? If your user tries different passwords that he used recently, it shouldn't worry you or cause extra support desk calls.
                Regards,
                Leonid

                MCSE 2003, MCITP EA, VCP4.



                • #9
                  Re: Password And Policy

                  Originally posted by venom83
                  Yep, just did it.
                  You are absolutely right: apparently, old passwords that AD remembers cannot lock the user account. I was able to reproduce this behavior on AD versions 2003 and 2008 R2. Not just the last password: I tried a few last used and all that AD "remembers" did not lock out the account.

                  But it's a good thing, no? If your user tries different passwords that he used recently, it shouldn't worry you or cause extra support desk calls.

                  One of our large clients has a SOX audit, and the audit needs the accounts to lock no matter what. So I'm kind of stuck and need to find a way to get this to work.



                  • #10
                    Re: Password And Policy

                    Hurray! It's a documented feature. Found it.
                    http://technet.microsoft.com/en-us/l...71(WS.10).aspx
                    "Password history check (N-2): Before a Windows Server 2003 operating system increments badPwdCount, it checks the invalid password against the password history. If the password is the same as one of the last two entries that are in the password history, badPwdCount is not incremented for both NTLM and the Kerberos protocol. This change to domain controllers should reduce the number of lockouts that occur because of user error."

                    So if you need to prevent this feature from working, I see only one solution: disable password history. But if you ask me, it will do more harm than good.
                    Think about it: if I am a legitimate user, I will eventually remember my password after trying the old one. If I am a malicious user that knows the previous password for the account I'm trying to hack, entering the old password 70 times will not get me anywhere. So, I think it's better to present this argument to the SOX guys, now that you know exactly why this is happening. If they insist, either contact MSFT for a solution or turn off password history.
                    Regards,
                    Leonid

                    MCSE 2003, MCITP EA, VCP4.

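The N-2 history check quoted above, as an added toy model (not AD code and not from this thread) of a DC's lockout bookkeeping: a failed logon whose value matches one of the last two remembered passwords does not increment badPwdCount, so it never reaches the lockout threshold, while an unknown password does. The model also shows the only workaround Leonid names (password history disabled), and its history_check parameter is an assumption that lets you widen the window if, as in his lab, more than two remembered passwords are exempt. The SHA-256 stand-in for the stored hash and the sample passwords are constructed for the example.

```python
import hashlib
from collections import deque

def _h(pw: str) -> str:
    # Constructed stand-in for the stored credential hash (a real DC stores NT hashes).
    return hashlib.sha256(pw.encode()).hexdigest()

class AccountModel:
    """Toy model of one account's badPwdCount / lockout state on a DC (assumption, not AD code)."""
    def __init__(self, password, history_length=5, lockout_threshold=5, history_check=2):
        self.current = _h(password)
        # history_length=0 models "Enforce password history" turned off.
        self.history = deque(maxlen=history_length) if history_length else None
        self.lockout_threshold = lockout_threshold
        self.history_check = history_check      # the documented value is 2 (the "N-2" check)
        self.bad_pwd_count = 0
        self.locked = False

    def change_password(self, new_password):
        if self.history is not None:
            self.history.appendleft(self.current)  # newest entry first; oldest falls off the end
        self.current = _h(new_password)
        self.bad_pwd_count = 0

    def logon(self, password) -> bool:
        if self.locked:
            return False
        if _h(password) == self.current:
            self.bad_pwd_count = 0
            return True
        # A wrong password never authenticates, but only counts toward lockout
        # if it is NOT one of the last history_check remembered passwords.
        recent = list(self.history)[:self.history_check] if self.history else []
        if _h(password) not in recent:
            self.bad_pwd_count += 1
            if self.bad_pwd_count >= self.lockout_threshold:
                self.locked = True
        return False

def attempts(acct, password, n):
    """Make n logon attempts; return (successes, bad_pwd_count, locked)."""
    ok = sum(acct.logon(password) for _ in range(n))
    return ok, acct.bad_pwd_count, acct.locked

def demo():
    acct = AccountModel("Winter2011!")          # history on, as in the thread's GPO
    acct.change_password("Spring2012!")
    old = attempts(acct, "Winter2011!", 70)     # old password: 0 logons, count stays 0, no lock
    fresh = attempts(acct, "8888", 5)           # never-used password: locks after 5
    no_hist = AccountModel("Winter2011!", history_length=0)
    no_hist.change_password("Spring2012!")
    disabled = attempts(no_hist, "Winter2011!", 5)  # history off: old password now locks
    return old, fresh, disabled
```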


                    • #11
                      Re: Password And Policy

                      Nice man, very nice. I knew there was something out there but I could not find it, man I hate racking my brain over something like this. I'll try it out and see what issues I run into with this client. That is a good argument for me to have with SOX, but they can be pretty tough.


                      Originally posted by venom83
                      Hurray! It's a documented feature. Found it.
                      http://technet.microsoft.com/en-us/l...71(WS.10).aspx
                      "Password history check (N-2): Before a Windows Server 2003 operating system increments badPwdCount, it checks the invalid password against the password history. If the password is the same as one of the last two entries that are in the password history, badPwdCount is not incremented for both NTLM and the Kerberos protocol. This change to domain controllers should reduce the number of lockouts that occur because of user error."

                      So if you need to prevent this feature from working, I see only one solution: disable password history. But if you ask me, it will do more harm than good.
                      Think about it: if I am a legitimate user, I will eventually remember my password after trying the old one. If I am a malicious user that knows the previous password for the account I'm trying to hack, entering the old password 70 times will not get me anywhere. So, I think it's better to present this argument to the SOX guys, now that you know exactly why this is happening. If they insist, either contact MSFT for a solution or turn off password history.
