Remote Laptop Account Lockouts

We use a draconian policy of 3 logon attempts before lockout, no reset, lockout forever, and force this to all devices connected to W2K domain. When laptops are used remotely, users being users invariably lock out their account and then either have to bring it back to be unlocked, or support visits to unlock. How can we give them a local admin account to use for unlocking without allowing them to log on locally when connected to the domain, and abusing the admin rights while connected to the domain, i.e. viewing $ shares? Thanks for your help.

Answer Wiki


Open the user/group admin applet and set the administrator password on the local machine to something different than whatever you use on your domain. Set the password to not-expire, and you can provide it to the user when they call in for help, or just make it available – depends on your local policies.


Discuss This Question: 3  Replies

  • Rsg259
    Thanks Bobk, the issue is not really about giving them access to an admin account to unlock the laptop when used remotely, it is more about them being able to use that account when they join the domain, and by using the local admin account having elevated privileges and abusing 'admin' access to other shares etc. Most of the laptops are used both on the domain and locally for homeworking etc, and I am concerned that users will let curiosity get the better of them to see what they can achieve while using the 'remote' admin account. Rsg
  • Amigus
    The local Administrator account, like any other local account, has no privilege in the domain. If a user logs on to the local Administrator account while connected to the domain and attempts to access anything, they'll be prompted for (domain) logon credentials; therefore your concern is invalid. I strongly suggest raising the lockout threshold. The purpose is to prevent password cracking, not to increase help-desk calls. Even with 8 character passwords, having a lock-out count of 10 tries with a reset after 5 minutes will offer just as much security and probably eliminate the help-desk calls. Is there any good reason it's set that low to begin with?
  • DarrenAdministartor
    I think people are missing your point: when the laptop is at the office and able to connect to the domain, the user would still be able to select to log on to the local administrator account. But I don't see that this will cause you any harm other than what they can do to the laptop itself, seeing as they will not be logged onto the domain, and have no privileges over it, and not have any access to resources on it.
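
The two lockout policies discussed in this thread can be compared with a small model. This is an added example, not code from any participant. It assumes a 5-minute lockout duration for the suggested policy, a 62-character alphabet for the 8-character password, and no successful logons between failures.

```python
import math
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockoutPolicy:
    threshold: int                # failed logons that trigger a lockout
    reset_after: Optional[float]  # seconds after the last failure before the counter clears (None = never)
    duration: Optional[float]     # seconds the account stays locked (None = until an admin unlocks it)

def simulate(policy, failure_times):
    """Replay failed-logon timestamps (seconds); return (evaluated_guesses, lockout_times).

    Simplified model (assumption): failures only, no successful logon in between.
    """
    count, evaluated, last_fail = 0, 0, None
    locked_until = None
    lockouts = []
    for t in sorted(failure_times):
        if locked_until is not None:
            if t < locked_until:
                continue              # rejected while locked: the password is never checked
            locked_until, count = None, 0
        if (policy.reset_after is not None and last_fail is not None
                and t - last_fail >= policy.reset_after):
            count = 0                 # observation window elapsed, counter clears
        count += 1
        evaluated += 1
        last_fail = t
        if count >= policy.threshold:
            lockouts.append(t)
            locked_until = math.inf if policy.duration is None else t + policy.duration
    return evaluated, lockouts

STRICT = LockoutPolicy(threshold=3, reset_after=None, duration=None)  # policy from the question
RELAXED = LockoutPolicy(threshold=10, reset_after=300, duration=300)  # suggested policy; duration assumed

ONE_DAY = range(86_400)       # constructed input: one failed logon every second for a day
TYPOS = [0, 3_600, 7_200]     # constructed input: three mistypes, one hour apart

def days_to_exhaust(keyspace, policy):
    """Days needed to try every password at the rate the policy allows."""
    guesses_per_day, _ = simulate(policy, ONE_DAY)
    return keyspace / guesses_per_day

if __name__ == "__main__":
    for name, p in (("strict", STRICT), ("relaxed", RELAXED)):
        print(name, "guesses/day:", simulate(p, ONE_DAY)[0], "typo lockouts:", simulate(p, TYPOS)[1])
    print("days to try all 8-char alphanumeric passwords (relaxed):", days_to_exhaust(62**8, RELAXED))
```
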
