Al
Mon Sep 17 19:06:46 PDT 2007
"ThatsIT.net.au" <me@thatsit> wrote in message
news:FBFE4D60-3AD7-457F-BD7F-814D9D9190B8@microsoft.com...
>
> "Al Dunbar" <AlanDrub@hotmail.com.nospaam> wrote in message
> news:%23rCqy937HHA.1212@TK2MSFTNGP05.phx.gbl...
>> Nice solution. However, the practice of routinely unlocking locked
>> accounts would seem to ignore the possibility that someone is trying to
>> guess a user's password. A simpler and more elegant way to do that would
>> be to turn off the "disable account after x unsuccessful attempts"
>> functionality. If you find that too hard a pill to swallow because it
>> seems to go against the grain of system security principles, well, that
>> is exactly what you are trying to do here.
>>
>
>
> Is this the same Al Dunbar that, like me, scored a perfect 100 in the winter
> scripting games?
Yes it is.
> The idea of trying to guess a password relies on millions of tries in a
> short amount of time; locking the account for even a few minutes after a
> few tries makes this task take a very long time. Sure, someone may have an
> idea what the password is and only need a few tries, but then the security
> breach is more likely because of some other policy being loosely applied.
> In the wide world there are many different circumstances and some at least
> may need such a script.
Granted. But they should at least consider what the implications might be of
automating it, and look for simpler solutions. I understand that the
password locking policy can be tweaked to allow locked accounts to unlock
themselves automatically after the passage of an amount of time chosen
randomly between some minimum and maximum number of minutes. If that worked,
I think it would be, overall, a better solution.
/Al
> Alan Mosley
>
>
>
>
>>
>> /Al
>>
>> "ThatsIT.net.au" <me@thatsit> wrote in message
>> news:841520C3-C49B-40AC-831E-6D2384A6DE9E@microsoft.com...
>>> Here you go
>>>
>>> http://dev.thatsit.net.au/Samples/WSH/thatsIT/ad/unlockUserAccount.asp
>>>
>>>
>>> <rossc@cattles.co.uk> wrote in message
>>> news:1188895171.855278.103460@19g2000hsx.googlegroups.com...
>>>> Hi there, hope someone can help me
>>>>
>>>> I know there are other issues, but short-term this is the problem!!
>>>>
>>>> I have a number of users locking accounts by incorrectly passing
>>>> credentials to a server. I need to be able to periodically sweep for
>>>> these locked accounts and unlock them - these are all local accounts.
>>>>
>>>> I have found a number of ways to identify them, but cannot find a way
>>>> to unlock them!
>>>>
>>>> For example
>>>>
>>>> ComputerName = "localhost"
>>>>
>>>> winmgmt1 = "winmgmts:{impersonationLevel=impersonate}!//" & ComputerName & ""
>>>> Set UserSet = GetObject( winmgmt1 ).InstancesOf ("Win32_UserAccount")
>>>> for each User in UserSet
>>>> if user.lockout = "True" then
>>>> ---what should go here???
>>>> end if
>>>> next
>>>>
>>>> Finds me the locked accounts, though seems to add some domain accounts
>>>> too....
>>>>
>>>> Code below finds only local accounts and gives me details, but how do
>>>> I check and fix locked this way?
>>>> strComputer = "bob"
>>>>
>>>> Set colAccounts = GetObject("WinNT://" & strComputer & "")
>>>> colAccounts.Filter = Array("user")
>>>>
>>>> For Each objUser In colAccounts
>>>> Set objUser = GetObject("WinNT://" & strComputer & "/" & objuser.name)
>>>> Wscript.Echo objUser.Name
>>>> Next
>>>>
>>>> If it is easier, I do have PowerShell on this machine as well
>>>>
>>>> Regards and thanks
>>>>
>>>> Ross Carr
>>>>
>>>
>>
>>
>
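
An added example, not part of the thread or of the linked script: one way to fill in the question's WinNT loop so that it reports every locked local account but only unlocks names on an explicit allow-list, leaving the lockout in force for everything else. The allow-list names and the DRY_RUN switch are assumptions made for illustration.

```vbscript
Option Explicit

' Added example (not from the thread). Account names below are constructed.
Const DRY_RUN = True   ' True = report only; set to False to actually unlock

Dim strComputer, allowList, colAccounts, objUser

' Local machine name, so that only this computer's SAM accounts are enumerated.
strComputer = CreateObject("WScript.Network").ComputerName

' Assumed allow-list: the only accounts this sweep is permitted to unlock.
Set allowList = CreateObject("Scripting.Dictionary")
allowList.CompareMode = vbTextCompare   ' account names are case-insensitive
allowList.Add "svc_upload", True
allowList.Add "svc_report", True

' ",computer" pins the ADsPath to a machine rather than a domain of that name.
Set colAccounts = GetObject("WinNT://" & strComputer & ",computer")
colAccounts.Filter = Array("user")

For Each objUser In colAccounts
    If objUser.IsAccountLocked Then
        If Not allowList.Exists(objUser.Name) Then
            ' Leave it locked and surface it: this may be password guessing.
            WScript.Echo Now & " LOCKED, not in allow-list, left locked: " & objUser.Name
        ElseIf DRY_RUN Then
            WScript.Echo Now & " LOCKED, would unlock: " & objUser.Name
        Else
            ' IsAccountLocked can only be written as False; SetInfo commits it.
            objUser.IsAccountLocked = False
            objUser.SetInfo
            WScript.Echo Now & " UNLOCKED: " & objUser.Name
        End If
    End If
Next
```

Run it with `cscript //nologo` from an elevated prompt and keep the output as a log, so that repeated lockouts of the same account remain visible.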