Security Basics mailing list archives

Re: Account Lockout


From: Kirk Schafer <infosec-capital () rainswept com>
Date: Tue, 19 Oct 2004 19:18:57 -0500

Ah. The short answer is: not without somehow involving an administrator.
The right isn't available in MMC | Group Policy. If this is Active Directory, check these:

"How to delegate the unlock account right"
 http://support.microsoft.com/?kbid=294952
"How to Grant Help Desk Personnel the Specific Right to Unlock Locked User Accounts"
 http://support.microsoft.com/?kbid=279723

Failing that, another way to involve the administrator but not the user could involve:
 Create a scheduled task that runs as administrator.
 Set the scheduled task to periodically run a script that looks for a "reset this user" flag.
 When that flag is found, the reset is executed and the flag is cleared.

Assigning the task to run as Admin means that you don't have to give the password out. Obviously, rights should be set to restrict access to all files involved, and the script hardened against invalid requests. The task will prompt for the admin password again if anyone tries to change it. If you always know what user has to be reset, you could use a simple batch job that calls CHOICE to ask "reset account (y/n)".

A nuisance factor is that the task would have to be scheduled fairly frequently to be effective. A couple of ways to start tasks on demand (say, from a shortcut) are:

Windows Server 2003:
 http://support.microsoft.com/?kbid=814596

Windows 2000:
 http://www.microsoft.com/downloads/details.aspx?familyid=601d75e2-f907-4e51-ad88-adb818df1d27&displaylang=en

Just an idea.

Kirk

Peter Rodger wrote:

Thanks for your reply.  The problem resides in my
envir. We can not use domain admin account as these
group work in other clients' office and they are not
in my domain.  They need to unlock one share local
user account (local computer, not domain user account)
in case the account is locked out.  But, they are only
power users.

Can they (power user) unlock this local user account
(on each local computer)?

Thanks,

Peter

<snip>

--
___________________________________________________
Kirk Schafer

Infosec Capital - Your Information Security Asset
308 East Broadway Ave, PO Box 1851
Fairfield, IA 52556
641-919-1783 (mobile)

http://www.infosec-capital.com

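The flag-file polling task sketched in Kirk's message, written out as an added example (not code from the thread or from Microsoft): a PowerShell script run by a scheduled task under a local administrator account, which unlocks one fixed local account when a flag file appears and rejects anything else. The directory, log path, account name and task name are assumptions.

```powershell
# Added example, not from the original thread. Assumes the scheduled task runs as a
# local administrator, that C:\UnlockRequests is ACL-restricted so the power users can
# only create files there, and that only the fixed account(s) below may ever be unlocked.
$FlagDir      = 'C:\UnlockRequests'              # assumed path
$LogFile      = 'C:\UnlockRequests\unlock.log'   # assumed path; admin-writable only
$AllowedUsers = @('sharedlocal')                 # assumed account name(s); fixed list

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append -Encoding utf8
}

# The request is the flag file's name (e.g. sharedlocal.unlock); its content is never
# read, so there is nothing for a requester to inject into the script's logic.
foreach ($flag in Get-ChildItem -Path $FlagDir -Filter '*.unlock' -File) {
    $name = $flag.BaseName
    # Hardening: the allow list decides, not the request.
    if ($AllowedUsers -notcontains $name) {
        Write-Log "REJECTED request for '$name' (not in allow list)"
        Remove-Item -LiteralPath $flag.FullName -Force
        continue
    }
    try {
        # Local (non-domain) account via the WinNT ADSI provider; works on a workstation.
        $user = [ADSI]"WinNT://./$name,user"
        if ($user.InvokeGet('IsAccountLocked')) {
            $user.InvokeSet('IsAccountLocked', $false)
            $user.SetInfo()
            Write-Log "UNLOCKED local account '$name'"
        } else {
            Write-Log "IGNORED request for '$name' (account was not locked)"
        }
    } catch {
        Write-Log "ERROR unlocking '$name': $($_.Exception.Message)"
    } finally {
        # One flag = one attempt; clear it whether or not the unlock succeeded.
        Remove-Item -LiteralPath $flag.FullName -Force
    }
}

# Registering the poll every 5 minutes under an admin account (password prompted, never
# stored in the script); task name and script path are assumptions:
#   schtasks /Create /SC MINUTE /MO 5 /TN "UnlockPoll" /RU Administrator /RP * ^
#            /TR "powershell.exe -NonInteractive -File C:\UnlockRequests\unlock.ps1"
```

The power users only need permission to create a file in the flag directory; the log records every accepted and rejected request so an unexpected stream of flags is visible to the administrator.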
