We use a draconian policy of 3 logon attempts before lockout, no reset, lockout forever, and force this on all devices connected to the W2K domain. When laptops are used remotely, users being users invariably lock out their account and then either have to bring it back to be unlocked, or support visits to unlock it.
How can we give them a local admin account to use for unlocking without allowing them to log on locally when connected to the domain, and abusing the admin rights while connected to the domain, i.e. viewing $ shares?
Thanks for your help.
ASKED: September 13, 2005 11:26 AM
UPDATED: September 14, 2005 9:39 AM
Thanks Bobk, the issue is not really about giving them access to an admin account to unlock the laptop when used remotely, it is more about them being able to use that account when they join the domain, and by using the local admin account having elevated privileges and abusing 'admin' access to other shares etc. Most of the laptops are used both on the domain and locally for homeworking etc., and I am concerned that users will let curiosity get the better of them to see what they can achieve while using the 'remote' admin account.
Rsg
The local Administrator account, like any other local account, has no privilege in the domain. If a user logs on to the local Administrator account while connected to the domain and attempts to access anything, they'll be prompted for (domain) logon credentials; therefore your concern is invalid.
I strongly suggest raising the lockout threshold. The purpose is to prevent password cracking, not to increase help-desk calls. Even with 8 character passwords, having a lockout count of 10 tries with a reset after 5 minutes will offer just as much security and probably eliminate the help-desk calls. Is there any good reason it's set that low to begin with?
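To put numbers behind the answer above, here is an added PowerShell illustration (not posted in the thread and not anyone's production script). It models the online guessing budget a lockout policy leaves an attacker who deliberately stays one guess below the threshold, compares the thread's current policy (3 tries, no reset, lockout forever) with the suggested one (10 tries, 5 minute reset), and builds the `net accounts` command that would apply the suggested policy to a domain. The 8 character length and 62 symbol alphabet are assumptions, and Windows caps the reset window at 99999 minutes, which is what "no reset" amounts to in practice.

```powershell
# Added illustration: online guess budget left by an account-lockout policy.
# Numeric inputs are taken from the thread or are labelled assumptions.

function Get-OnlineGuessBudget {
    param(
        [Parameter(Mandatory)][int]$Threshold,          # bad logons before lockout
        [Parameter(Mandatory)][int]$ResetWindowMinutes, # bad-logon counter resets after this
        [Parameter(Mandatory)][int]$DurationMinutes     # 0 = locked until an admin unlocks
    )
    # A careful attacker stops one guess short of the threshold and waits for
    # the counter to reset, so the account never locks and nobody is alerted.
    $safePerWindow = [math]::Max($Threshold - 1, 0)
    $perHour = $safePerWindow * (60.0 / $ResetWindowMinutes)
    [pscustomobject]@{
        Threshold          = $Threshold
        ResetWindowMinutes = $ResetWindowMinutes
        DurationMinutes    = $DurationMinutes
        GuessesPerHour     = $perHour
        GuessesPerYear     = $perHour * 24 * 365
    }
}

function Get-YearsToExhaust {
    param(
        [Parameter(Mandatory)][double]$GuessesPerYear,
        [int]$PasswordLength = 8,   # assumption: the 8 characters mentioned in the answer
        [int]$AlphabetSize   = 62   # assumption: mixed-case letters and digits
    )
    # Expected work for a uniformly random password is half the keyspace.
    $keyspace = [math]::Pow($AlphabetSize, $PasswordLength)
    ($keyspace / 2) / $GuessesPerYear
}

# Current policy from the question: 3 attempts, "no reset", lockout forever.
$current  = Get-OnlineGuessBudget -Threshold 3  -ResetWindowMinutes 99999 -DurationMinutes 0
# Suggested policy from the answer: 10 attempts, counter reset and unlock after 5 minutes.
$proposed = Get-OnlineGuessBudget -Threshold 10 -ResetWindowMinutes 5     -DurationMinutes 5

foreach ($p in $current, $proposed) {
    $years = Get-YearsToExhaust -GuessesPerYear $p.GuessesPerYear
    '{0,2} tries / {1,5} min window: {2,8:N1} guesses/hour, ~{3:E1} years to exhaust 8-char passwords' -f `
        $p.Threshold, $p.ResetWindowMinutes, $p.GuessesPerHour, $years
}

# Command that applies the suggested policy domain-wide (run with domain admin
# rights; confirm the lockout switches on your Windows version before use).
$apply = 'net accounts /lockoutthreshold:{0} /lockoutwindow:{1} /lockoutduration:{2} /domain' -f `
    $proposed.Threshold, $proposed.ResetWindowMinutes, $proposed.DurationMinutes
$apply
```

With the suggested policy the attacker gets 108 guesses an hour, so exhausting even half an 8 character alphanumeric keyspace takes on the order of a hundred million years; the current policy buys nothing beyond that except help-desk calls. Two caveats a practitioner should keep in mind: lockout only throttles online guessing and does nothing against offline cracking of captured hashes, and a very low threshold with no automatic unlock lets anyone who knows a username lock that user out at will. On domains running later Windows versions the same settings can be applied with `Set-ADDefaultDomainPasswordPolicy` instead of `net accounts`.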
I think people are missing your point: when the laptop is at the office and able to connect to the domain, the user would still be able to select to log on to the local administrator account. But I don't see that this will cause you any harm other than what they can do to the laptop itself, seeing as they will not be logged on to the domain, and have no privileges over it, and not have any access to resources on it.