Enable/disable vs. lock/unlock account

Wodan Member Posts: 13
What are the differences and effects of disabling an account compared to locking an account? Trying to differentiate between the two. Thanks

Comments

  • RTmarc Member Posts: 1,082
    Enable/disable is like putting the light bulb in the socket or pulling it out. Locking and unlocking is like turning the light on and off.

    If you disable an account it won't work, period. Doesn't matter what they have access to, whether or not the account is locked out, or if they've taken a bath. It simply won't work until you enable it (screw in the light bulb -> you can flip the switch on or off, but without the light bulb being screwed in, it won't work).

    An account locked out is typically only when someone has tried the password too many times or there have been too many failed attempts at authentication. Just unlock the account and they are good to go. (light bulb is in the socket, now just turn the switch on).
  • Webmaster Admin Posts: 10,292
    You can manually disable an account, so it cannot be used for logon purposes, but locking occurs automatically when a user exceeds the maximum number of logon attempts (by submitting incorrect passwords).

    Edit:
    <-- types slowly ;)
  • Wodan Member Posts: 13
    OK, catching on. So lockout is caused by a trigger (such as invalid logon attempts), whereas disabling an account is an admin function. Can an admin lock an account?
  • sprkymrk Member Posts: 4,884
    Wodan wrote:
    OK, catching on. So lockout is caused by a trigger (such as invalid logon attempts), whereas disabling an account is an admin function. Can an admin lock an account?
    Nope. An admin can disable an account, but not lock. As mentioned, lockouts occur when the preconfigured number of failed login attempts is met.
    All things are possible, only believe.
  • Webmaster Admin Posts: 10,292
    Wodan wrote:
    Can an admin Lock an account?
    The locked option on the account properties is a check box that can only be 'unchecked' to unlock the account. If the account is not locked (by exceeding login attempts) the check box will be disabled, hence you cannot 'enable the lock'. So an admin would use the disable account option instead.
  • Sie Member Posts: 1,195
    sprkymrk wrote:
    Nope. An admin can disable an account, but not lock. As mentioned, lockouts occur when the preconfigured number of failed login attempts is met.

    Technically an Admin can lock an account but there is no reason/situation why they would do this.

    As mentioned above lock out is normally from a trigger.

    Disable is used when an account is not needed (rather than deleting) or not going to be used for a long period of time.

    [Edit - Types slower than webmaster]
    Foolproof systems don't take into account the ingenuity of fools
  • sprkymrk Member Posts: 4,884
    Sie wrote:
    Nope. An admin can disable an account, but not lock. As mentioned, lockouts occur when the preconfigured number of failed login attempts is met.

    Technically an Admin can lock an account but there is no reason/situation why they would do this.

    As mentioned above lock out is normally from a trigger.

    Disable is used when an account is not needed (rather than deleting) or not going to be used for a long period of time.
    No, technically he can't. There is no option for that, he can disable - not lock.

    On the other hand, technically, anyone can lock anyone's account. I'll just try to log in as user:Sie several times with incorrect passwords. That will lock you out. But that doesn't take an admin, just a low-tech DoS attack.
    All things are possible, only believe.
  • SWM Member Posts: 287
    I was asked to immediately prevent a user from accessing a W2003 domain network by my boss, as the user had been sacked. My boss wanted to prevent the user deleting files etc. etc.

    I disabled the account in "AD Users and Computers" and then in Computer Management, Sessions, right-clicked and selected "Close session". I assumed that this would prevent access. But be warned: the user was still able to open files on the server, access Outlook and emails in Exchange, send/receive email, etc. Once she logged off the account was disabled, but I was amazed that even though the domain controller had no record of an active session it still allowed access to the server.

    I remember back with Novell 3.12/4.11 that if the Admin hit "Del" on a user's session, they were dead in the water.

    Food for thought and beware

    Stephen
    Isn't Bill such a Great Guy!!!!
  • Sie Member Posts: 1,195
    sprkymrk wrote:
    No, technically he can't. There is no option for that, he can disable - not lock.

    On the other hand, technically, anyone can lock anyone's account. I'll just try to log in as user:Sie several times with incorrect passwords. That will lock you out. But that doesn't take an admin, just a low tech DOS attack.

    Depends what you're using to administer the accounts. Granted, you cannot "tick" the unlock account check box to "lock" someone's account within AD Users & Comps, but some of the admins where I work use BindView to administrate and you can lock from there.

    I wrote my answer before checking what context / application we were talking about doing this from, plus it wouldn't be asked about in an M$ exam as it is third-party software.

    So to clarify after my confusion, admins cannot lock an account without using the addition of a third party application.
    Foolproof systems don't take into account the ingenuity of fools
  • sprkymrk Member Posts: 4,884
    Yes, you've got it. From an MS (and test) point of view you cannot "lock" an account. There is third-party software that may use the term "lock", but I don't know without seeing it if it's actually "locking" their account or disabling it from an ADUC point of view.
    All things are possible, only believe.
  • sprkymrk Member Posts: 4,884
    SWM wrote:
    I was asked to immediately prevent a user from accessing a W2003 domain network by my boss, as the user had been sacked. My boss wanted to prevent the user deleting files etc. etc.

    I disabled the account in "AD Users and Computers" and then in Computer Management, Sessions, right-clicked and selected "Close session". I assumed that this would prevent access. But be warned: the user was still able to open files on the server, access Outlook and emails in Exchange, send/receive email, etc. Once she logged off the account was disabled, but I was amazed that even though the domain controller had no record of an active session it still allowed access to the server.

    Stephen
    There are a couple of things you can do here, which I have done on the few occasions where a user has been let go and the account needs to be disabled immediately.

    The main things I do after disabling their account are as follows:
    1. Force a log off - not just close their sessions, but actually force a logoff from their computer remotely. You can do this with the "shutdown.exe" command or within Computer Management. That gets them off the network "right now".
    2. Remove the user account from all group memberships.
    3. Remove the user account from explicit permissions on their home share.
    4. Using Exchange 5.5 (this is probably not necessary in E2K or higher) remove the user account from the mailbox permissions.
    5. This step needs to be done in advance, but you can set the "Number of previous logons to cache" to 0, instead of the default 10. This way they cannot unplug the LAN cable from their workstation and log in with a cached profile to access stuff on the local computer.

    Hope that helps. Take care!
    All things are possible, only believe.
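As an added example (not code from this thread or any of its posters), here is how the enable/disable vs. lock/unlock distinction discussed above and sprkymrk's offboarding checklist look in PowerShell against a current domain with the RSAT ActiveDirectory module. The account, workstation, file server and home share names are hypothetical, the Exchange 5.5 step is left out, and Close-SmbSession assumes a Windows Server 2012 or later file server. The script also deals with what SWM ran into: disabling an account in AD does not end sessions that were already authenticated (open SMB sessions and unexpired Kerberos tickets keep working until they time out), so it closes the live SMB sessions and forces the workstation off rather than only disabling the object.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module,
# a domain-joined session with domain-admin rights, and these hypothetical names:
$Sam         = 'jdoe'               # hypothetical account being offboarded
$Workstation = 'WS-JDOE01'          # hypothetical workstation the user is logged on to
$FileServer  = 'FS01'               # hypothetical file server hosting the home share
$HomeShare   = '\\FS01\home$\jdoe'  # hypothetical home directory (NTFS permissions)

Import-Module ActiveDirectory

# --- 1. "Locked out" and "disabled" are two independent attributes -------------
# Enabled  = the admin-controlled switch (the light bulb in the socket).
# LockedOut = set only by the domain lockout policy after too many bad passwords.
$u = Get-ADUser -Identity $Sam -Properties Enabled, LockedOut, lockoutTime, badPwdCount
'{0}: Enabled={1} LockedOut={2} badPwdCount={3}' -f `
    $u.SamAccountName, $u.Enabled, $u.LockedOut, $u.badPwdCount

# The module ships Unlock-ADAccount but no Lock-ADAccount, matching the greyed-out
# checkbox in ADUC: an admin can clear a lockout, not create one.
if ($u.LockedOut) { Unlock-ADAccount -Identity $Sam }

# How many bad passwords it takes for *anyone* to lock this user out, and for how
# long (the "low-tech DoS" mentioned above). LockoutThreshold 0 = lockout disabled.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# --- 2. Immediate offboarding: disable first, then cut the live access --------
Disable-ADAccount -Identity $Sam

# Disabling does not drop sessions that already authenticated, so close the
# user's open SMB sessions on the file server explicitly.
Get-SmbSession -CimSession $FileServer |
    Where-Object ClientUserName -like "*\$Sam" |
    Close-SmbSession -Force -Confirm:$false

# Force the interactive session off the workstation. shutdown.exe cannot combine
# /l (log off) with /m (remote machine), so a forced restart is the documented route.
shutdown.exe /r /f /t 0 /m "\\$Workstation" /c "Account disabled by IT"

# Remove all group memberships. The primary group (normally Domain Users) cannot
# be removed this way and is skipped.
Get-ADPrincipalGroupMembership -Identity $Sam |
    Where-Object { $_.SamAccountName -ne 'Domain Users' } |
    ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $Sam -Confirm:$false }

# Remove explicit (non-inherited) ACEs for the user on the home share.
$acl = Get-Acl -Path $HomeShare
$acl.Access |
    Where-Object { $_.IdentityReference.Value -like "*\$Sam" -and -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }
Set-Acl -Path $HomeShare -AclObject $acl

# --- 3. Must be done in advance: no cached domain logons on workstations -------
# With cached credentials the user can unplug the LAN cable and still log on
# locally. Normally pushed by GPO ("Interactive logon: Number of previous logons
# to cache"); this writes the registry value that policy sets, on one machine.
Invoke-Command -ComputerName $Workstation -ScriptBlock {
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
                     -Name CachedLogonsCount -Value '0'
}
```

Run it from an elevated, domain-joined session. The order matters: disable the object first so the user cannot re-authenticate, then tear down what is already authenticated (SMB sessions, the interactive logon), then strip permissions; the cached-logon setting only helps if it was in place before the user last logged on.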
  • RTmarc Member Posts: 1,082
    Back in the old NT 4 days an Admin could lock someone out; and sometimes it serves as good punishment for someone being an ass to the IT dept.
  • Sie Member Posts: 1,195
    Try an OU of Doom within 2003.

    OU with Extreme Group policies in effect.

    They be an ass? Chuck their comp and user ID in the OU of Doom for a few weeks, see how they quiet down after!
    Foolproof systems don't take into account the ingenuity of fools
  • SWM Member Posts: 287
    Thanks for the replies. I think the OU of Doom is the winner. :D
    Isn't Bill such a Great Guy!!!!