Enable/disable vs. lock/unlock account
Wodan (Member, 13 posts):
What are the differences and effects of disabling an account compared to locking an account? Trying to differentiate between the two. Thanks
Comments
RTmarc (Member, 1,082 posts):
Enable/disable is like putting the light bulb in the socket or pulling it out. Locking and unlocking is like turning the light on and off.

If you disable an account it won't work, period. Doesn't matter what they have access to, whether or not the account is locked out, or if they've taken a bath. It simply won't work until you enable it (screw in the light bulb -> you can flip the switch on or off, but without the light bulb being screwed in, it won't work).

An account is typically locked out only when someone has tried the password too many times or there have been too many failed attempts at authentication. Just unlock the account and they are good to go (light bulb is in the socket, now just turn the switch on).
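Added example, not part of RTmarc's post: the same light-bulb distinction as it appears on an Active Directory user object. It assumes the RSAT ActiveDirectory PowerShell module and rights to read and modify the user; the account name 'jsmith' is hypothetical.

```powershell
# Added example: how "disabled" and "locked out" are recorded on an AD user,
# and which cmdlet clears each. Assumes the ActiveDirectory module is installed;
# 'jsmith' is a hypothetical account name.
Import-Module ActiveDirectory

function Get-AccountState {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $u = Get-ADUser -Identity $SamAccountName `
        -Properties Enabled, LockedOut, lockoutTime, userAccountControl, badPwdCount

    # Disabled = bit 0x2 (ACCOUNTDISABLE) set in userAccountControl.
    # Only an admin sets or clears this bit; nothing the user does changes it.
    $disabled = [bool]($u.userAccountControl -band 0x2)

    # Locked out = lockoutTime holds a non-zero FILETIME that is still inside the
    # domain's "Account lockout duration". The DC sets it on the Nth bad password;
    # an admin can only clear it (Unlock-ADAccount) or let it expire.
    $lockedOut = $u.LockedOut

    [pscustomobject]@{
        User        = $u.SamAccountName
        Disabled    = $disabled
        LockedOut   = $lockedOut
        LockoutTime = if ($u.lockoutTime -gt 0) { [DateTime]::FromFileTime($u.lockoutTime) } else { $null }
        # badPwdCount is not replicated: query the PDC emulator (or every DC) for
        # an accurate count, otherwise you only see the DC you happened to bind to.
        BadPwdCount = $u.badPwdCount
    }
}

$state = Get-AccountState -SamAccountName 'jsmith'
$state | Format-List

# The two states are cleared by different cmdlets and are independent of each other.
if ($state.LockedOut) { Unlock-ADAccount -Identity 'jsmith' }   # bulb is in: flip the switch on
if ($state.Disabled)  { Enable-ADAccount  -Identity 'jsmith' }  # screw the bulb back in

# Note there is no Lock-ADAccount cmdlet: the lockout is evidence of failed
# logons set by the DC, while disabling is the deliberate administrative control.
```

A lockout clears itself once the policy's lockout duration has passed (unless that duration is 0, which means "until an administrator unlocks"), so it is never a reliable way to keep someone out; disabling is.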
Webmaster (Admin, 10,292 posts):
You can manually disable an account, so it cannot be used for logon purposes, but locking occurs automatically when a user exceeds the maximum number of logon attempts (by submitting incorrect passwords).

Edit: <-- types slowly
Wodan (Member, 13 posts):
OK, catching on. So lockout is caused by a trigger (such as invalid logon attempts), whereas disabling an account is an admin function. Can an admin lock an account?
sprkymrk (Member, 4,884 posts):
Wodan wrote:
OK, catching on. So lockout is caused by a trigger (such as invalid logon attempts), whereas disabling an account is an admin function. Can an admin lock an account?

-- All things are possible, only believe.
Webmaster (Admin, 10,292 posts):
Wodan wrote:
Can an admin lock an account?
Sie (Member, 1,195 posts):
Nope. An admin can disable an account, but not lock it. As mentioned, lockouts occur when the preconfigured number of failed login attempts is met.

Technically an admin can lock an account, but there is no reason/situation why they would do this.

As mentioned above, lockout is normally from a trigger.

Disable is used when an account is not needed (rather than deleting it) or is not going to be used for a long period of time.

[Edit - Types slower than Webmaster]

-- Foolproof systems don't take into account the ingenuity of fools
sprkymrk (Member, 4,884 posts):
Sie wrote:
Nope. An admin can disable an account, but not lock it. As mentioned, lockouts occur when the preconfigured number of failed login attempts is met.
Technically an admin can lock an account, but there is no reason/situation why they would do this.
As mentioned above, lockout is normally from a trigger.
Disable is used when an account is not needed (rather than deleting it) or is not going to be used for a long period of time.

On the other hand, technically, anyone can lock anyone's account. I'll just try to log in as user:Sie several times with incorrect passwords. That will lock you out. But that doesn't take an admin, just a low-tech DoS attack.

-- All things are possible, only believe.
SWM (Member, 287 posts):
I was asked to immediately prevent a user from accessing a W2003 domain network by my boss, as the user had been sacked. My boss wanted to prevent the user deleting files etc.

I disabled the account in "AD Users and Computers" and then in Computer Management, Sessions, right-clicked and selected "Close Session". I assumed that this would prevent access. But be warned: the user was still able to open files on the server, access Outlook and emails in Exchange, send and receive email, etc. Once she logged off the account was disabled, but I was amazed that even though the domain controller had no record of an active session it still allowed access to the server.

I remember back with Novell 3.12/4.11 that if the admin hit "Del" on a user's session, they were dead in the water.

Food for thought, and beware.

Stephen

-- Isn't Bill such a Great Guy!!!!
Sie (Member, 1,195 posts):
sprkymrk wrote:
No, technically he can't. There is no option for that; he can disable - not lock.
On the other hand, technically, anyone can lock anyone's account. I'll just try to log in as user:Sie several times with incorrect passwords. That will lock you out. But that doesn't take an admin, just a low-tech DoS attack.

Depends what you're using to administer the accounts. Granted, you cannot "tick" the unlock account check box to "lock" someone's account within AD Users & Comps, but some of the admins where I work use Bindview to administrate and you can lock from there.

I wrote my answer before checking what context / application we were talking about doing this from, plus it wouldn't be asked about in an M$ exam as it is third-party software.

So to clarify after my confusion: admins cannot lock an account without using the addition of a third-party application.

-- Foolproof systems don't take into account the ingenuity of fools
sprkymrk (Member, 4,884 posts):
Yes, you've got it. From an MS (and test) point of view you cannot "lock" an account. There is third-party software that may use the term "lock", but I don't know without seeing it whether it's actually "locking" their account or disabling it from an ADUC point of view.

-- All things are possible, only believe.
sprkymrk (Member, 4,884 posts):
SWM wrote:
I was asked to immediately prevent a user from accessing a W2003 domain network by my boss, as the user had been sacked. My boss wanted to prevent the user deleting files etc.
I disabled the account in "AD Users and Computers" and then in Computer Management, Sessions, right-clicked and selected "Close Session". I assumed that this would prevent access. But be warned: the user was still able to open files on the server, access Outlook and emails in Exchange, send and receive email, etc. Once she logged off the account was disabled, but I was amazed that even though the domain controller had no record of an active session it still allowed access to the server.
Stephen

The main things I do after disabling their account are as follows:

1. Force a log off - not just close their sessions, but actually force a logoff from their computer remotely. You can do this with the "shutdown.exe" command or within Computer Management. That gets them off the network "right now".
2. Remove the user account from all group memberships.
3. Remove the user account from explicit permissions on their home share.
4. Using Exchange 5.5 (this is probably not necessary in E2K or higher), remove the user account from the mailbox permissions.
5. This step needs to be done in advance, but you can set the "Number of previous logons to cache" to 0 instead of the default 10. This way they cannot unplug the LAN cable from their workstation and log in with a cached profile to access stuff on the local computer.

Hope that helps. Take care!

-- All things are possible, only believe.
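Added example, not sprkymrk's own script: the offboarding steps above as one PowerShell sequence, covering the gap SWM ran into (disabling blocks new logons but does nothing to sessions and tickets that already exist). It assumes the RSAT ActiveDirectory module, domain admin rights, and that the user's workstation name and home share are known; 'jsmith', 'WKS-JSMITH' and '\\FS01\home$\jsmith' are hypothetical.

```powershell
# Added example: the termination checklist from the post above as a script.
# Assumes the ActiveDirectory module, admin rights on the workstation and file
# server, and PowerShell remoting. All names below are hypothetical.
Import-Module ActiveDirectory

function Invoke-Offboard {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Workstation,
        [Parameter(Mandatory)][string]$HomeShare
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf

    # 0. Disable first. This only stops *new* logons: Kerberos tickets already
    #    issued (10h lifetime by default) and open SMB sessions keep working
    #    until they expire or are torn down, which is what SWM observed.
    Disable-ADAccount -Identity $user

    # 1. Force a logoff on the workstation itself, not just the server sessions.
    #    Win32Shutdown flags: 0 = logoff, 4 = force; 4 alone is a forced logoff.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $Workstation
    Invoke-CimMethod -InputObject $os -MethodName Win32Shutdown -Arguments @{ Flags = 4 } | Out-Null

    #    Also drop any SMB sessions the user still holds on the file server.
    $fileServer = ($HomeShare -split '\\')[2]          # '\\FS01\home$\jsmith' -> 'FS01'
    Get-SmbSession -CimSession $fileServer |
        Where-Object ClientUserName -like "*\$SamAccountName" |
        Close-SmbSession -Force

    # 2. Remove every group membership. The primary group (Domain Users) is not
    #    listed in MemberOf, so it is untouched and the object stays valid.
    foreach ($g in $user.MemberOf) {
        Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
    }

    # 3. Strip the explicit (non-inherited) ACEs for the user on the home share.
    $acl = Get-Acl -Path $HomeShare
    $acl.Access |
        Where-Object { $_.IdentityReference -like "*\$SamAccountName" -and -not $_.IsInherited } |
        ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }
    Set-Acl -Path $HomeShare -AclObject $acl

    # 4. Exchange 5.5 mailbox permissions: omitted, not applicable to current versions.
}

# 5. Done in advance, on every workstation: turn off cached domain logons so a
#    disabled user cannot pull the LAN cable and log on with a cached credential.
#    Normally set by GPO ("Interactive logon: Number of previous logons to cache");
#    this is the registry value that policy writes. It is a REG_SZ, not a DWORD.
function Disable-CachedLogons {
    param([Parameter(Mandatory)][string]$Workstation)
    Invoke-Command -ComputerName $Workstation -ScriptBlock {
        Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
                         -Name CachedLogonsCount -Value '0' -Type String
    }
}

Invoke-Offboard -SamAccountName 'jsmith' -Workstation 'WKS-JSMITH' -HomeShare '\\FS01\home$\jsmith'
```

The order matters: disable before the forced logoff, so the machine cannot simply re-authenticate the user when the session is torn down. Closing server sessions in Computer Management, as SWM did, only drops the SMB connection; the client reconnects transparently with its still-valid ticket, which is why the user appeared to keep access.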
RTmarc (Member, 1,082 posts):
Back in the old NT 4 days an admin could lock someone out, and sometimes it serves as good punishment for someone being an ass to the IT dept.
Sie (Member, 1,195 posts):
Try an OU of Doom within 2003.

An OU with extreme Group Policies in effect.

If they're being an ass, chuck their computer and user ID in the OU of Doom for a few weeks and see how they quiet down after!

-- Foolproof systems don't take into account the ingenuity of fools
SWM (Member, 287 posts):
Thanks for the replies. I think the OU of Doom is the winner.

-- Isn't Bill such a Great Guy!!!!