Password Aging & Account Lockout in ACS 4.2

I have a requirement that in ACS the user accounts should get disabled after 1 day, so in the group setting under the Password Aging field I configured the same as 1 day; the Grace & Warning Period is 0 days.
I want all these user accounts to be active for 30 days, and the moment an account is used (i.e. the Start message appears in the RADIUS accounting), then 1 day after that usage, as per the Password Aging rule, the account should get expired.
Now my query is this: will the password aging rule start from the day I create the account in the ACS or from the day the user logs in?
I don't want to use the Account Lockout tab as I don't know when the guest account would be used.
Could someone please help clarify my doubt.
Regards

Hi Yusuf,
Password Aging on ACS will just prompt to change the password. It will not disable the account.
The Account is present on the AD. So the Disabling and lockout features for an account will come from the AD.
I don't think a change in password for a guest account is what you would want to do.
Also according to me disabling the account should be a feature only for the AD admin and not open. A lockout can definitely happen but that also has to be defined on the AD.
The link to password Aging on ACS is as follows:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp525115
Hope this helps.
Regards,
Anisha
P.S.: please mark this string as answered if you feel the query is answered.

Similar Messages

  • ACS V 4.1.1 build 23 Password Aging over SSH does not work.

    Hi, my name is Elias and I have problems with ACS Password Aging over SSH: it does not work, and there are no password aging messages sent by ACS to the console when I use SSH. I know that there are problems with this but I can't find any workaround or documentation that says that there is no workaround. Can you help me with this??
    Kind Regards.

    Hey Elias,
    SSHv1 does not support password changes as you can do in telnet. You will need to be
    running a version of IOS that supports SSHv2.
    The following site explains what versions support this:
    http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps5207/products_feature_guide09186a00802045dc.html
    Rgds,
    somishra

  • Password aging on individual accounts

    Hi,
    I have password aging enabled on this server. The MAXWEEKS is set to 13. After an audit, the MAXWEEKS has to be set to 12. If I do that, will all users currently at 91 days go to 84, or do I have to alter each one individually as well? Like if I change the /etc/default/passwd, will that only take effect for new users (which I suspect is the case)? How can I set each current userid from 91 days to 84? Also there are some IDs with no password aging enabled. How can I enable it for a single userid?
    Thank you,
    S.

    Changes to /etc/default/passwd file do not update existing fields in the /etc/shadow file.
    The passwd command has some options that allow you to set these values. The following will change a user's max to 91:
    # passwd -x 91 <login>
    Now all you need is a script to loop through each user account and make the change. For ksh it would look like this:
    # print the login name (first field) of every /etc/shadow entry; run as root, since only root can read /etc/shadow
    for username in `awk -F: '{print $1}' /etc/shadow`
    do
       passwd -x 91 $username
    done
    You probably ought to test this first, though, and make sure you'll get the results you need.

  • Password aging with ACS + UCP in a wireless network.

    Hello
    We want to use ACS in our wireless network, but we would like to allow users to change their own passwords, so we want to use UCP.
    Additionally, we want to force them to change their passwords after a period of time or number of logins.
    Is it possible to use password aging based on time or number of connections when users connect through UCP web interface?
    Also, does using UCP require some kind of additional license/payment?
    Thanks.

    Juilo,
    No, the UCP sample scripts have to run on a separate ACS server and you have to enable the UCP interfaces through the CLI to accept the UCP requests from the other server.
    Here is a link that will help you.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/admin_config.html#wp1105672
    Tarik Admani
    *Please rate helpful posts*

  • Hyperion encryption and password / account lockout mechanisms

    Hi All,
    Please help, as I want to know how the Excel Add-In does the following:
    1. Is the connection to Hyperion encrypted and what are the details?
    2. What are the password / account lockout mechanisms?
    Regards,
    Mink

    If you need an encrypted connection to Essbase then you should use Smartview over https.
    1) The Excel Add-In connection is not encrypted -- you can definitely see member information with a packet trace and with some time could probably figure out how to decipher the numeric data. The password to connect with did seem to have some level of encryption -- Hyperion would need to answer anything further as this is not documented.
    2) The lockout mechanism depends on the user directory provider you chose. To my knowledge the native directory has no capabilities for user lockout. If you chose to use, say, Active Directory or another system, then those items are configured in that user directory and you would need to speak with the specific directory administration team regarding the lockout mechanisms.
    Regards,
    -John

  • Password Policy and user account lockout in OAM

    Hi folks,
    I'm new to OAM and have rather silly question: I created Password Policy where I've defined the Number of login tries allowed, Custom Account Lockout Redirect URL, etc. Now, how do I tie it to the authentication / authorization rules inside my Policy Domain which I'm using to protect a certain resource?
    Thank you
    Roman

    Hi Colin,
    I do have the validate_password plugins defined in the Authent scheme, here they are:
    credential_mapping      obMappingBase="xxxxxx"
    validate_password      obCredentialPassword="password"
    validate_password      obReadPasswdMode="LDAP"
    validate_password      obWritePasswdMode="LDAP"
    Yet, after the third unsuccessful login, nothing happens. I still don't get it how the password policy I've created kicks into the action? Should it be evaluated each time a user attempts an access? Is it getting engaged due to the validate password plugin names?
    I've also noticed that the only default step I have in the Authent scheme doesn't list the last two validate password plugins in it. Does it have to?
    Thanks Roman
    Edited by: roman_zilist on Dec 17, 2009 9:12 AM

  • Need to find out which application is making an frequent account lockout in AD

    Hi ,
    In my environment two of the user accounts are having a frequent account lockout.
    We have found, with the help of the event logs in the domain controllers, that the account lockout was happening on their own machines.
    Please tell us how we can find which application on their machines is causing the frequent account lock with the help of event logs, or whether we have some other options.
    All of your suggestions are much appreciated.
    Thanks & Regards S.Nithyanandham

    Usage of Microsoft ALtools ( https://www.microsoft.com/en-us/download/details.aspx?id=18465 ):
    LockoutStatus application
    - Run LockoutStatus.exe and choose File > Set target > Define "Target User Name" and "Target Domain Name".
    - The tool will show you the user with its "User State" (Locked/Not Locked), the time when the account was locked (Lockout Time) and will allow you to Unlock Account if you right-click the output string.
    EventCombMT application
    - This tool gathers specific events from the Windows event logs of a single server or several different servers into one central location.
    - Run EventCombMT.exe > right-click on the "Select to search" field > choose "Get DCs in Domain" > mark your Domain Controllers for search > select the "Security" log file > type "4740" in the "Event IDs" field > choose the "Success Audit" event type > click "Search" > wait for the "Matching Events Found" counter to show some values and click "Quit".
    - In the opened window investigate the file or files named after your domain controllers. You should be able to determine the originating system where the lockout happened by searching for "Caller Computer Name".
    Aloinfo application
    - This tool has 2 purposes:
    - To display all user account names and the age of their passwords: run cmd > change directory to the one where ALtools were extracted > type @powershell > Enter > type "./aloinfo.exe /expires /server:DC | out-file C:\temp\expires.txt" > Enter
    - To display credentials used for running services or for mapping network drives: run cmd > change directory to the one where ALtools were extracted > type @powershell > Enter > type "./aloinfo.exe /stored | out-file C:\temp\stored.txt" > Enter
    You may also enable Netlogon logging on the DC through the command shell:
    nltest /dbflag:2080ffff
    The Netlogon.txt file is created in the %systemroot%/debug directory.
    Just don't forget to turn it off after the investigation :) nltest /dbflag:0
    Or you can use Netwrix Account Lockout Examiner to troubleshoot account lockouts, it's free.
    --- Jeff (Netwrix)
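The EventCombMT procedure above (collect Event ID 4740 from every domain controller, then read the "Caller Computer Name" field) can be scripted so the same question is answered from the console. The following PowerShell is an added example, not part of the thread or of the ALtools package. It assumes the ActiveDirectory module (RSAT) is installed, that the caller may read the Security log on the DCs remotely, and that "jdoe" is a hypothetical locked-out account to be replaced with the real one. The one non-obvious detail is that, in a 4740 record, the Caller Computer Name shown in Event Viewer is carried in the TargetDomainName data field.

```powershell
# Added example: summarise 4740 (account locked out) events per caller computer.
# Assumptions: ActiveDirectory module available, remote Security log read permitted,
# 'jdoe' is a hypothetical user name.
param(
    [string]$TargetUser = 'jdoe',
    [int]$Days = 2
)

Import-Module ActiveDirectory -ErrorAction Stop

# Lockouts are always recorded on the PDC emulator; the DC that processed the bad
# logons records them as well, so every DC is queried and the PDC emulator first.
$pdc      = (Get-ADDomain).PDCEmulator
$otherDcs = Get-ADDomainController -Filter * |
            Where-Object { $_.HostName -ne $pdc } |
            Select-Object -ExpandProperty HostName
$dcs = @($pdc) + @($otherDcs)

$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days) }

$events = foreach ($dc in $dcs) {
    try {
        # -ErrorAction Stop makes "no events found" a catchable error per DC
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated      = $_.TimeCreated
                DomainController = $dc
                TargetUser       = $data['TargetUserName']
                # "Caller Computer Name" in Event Viewer == TargetDomainName in the XML
                CallerComputer   = $data['TargetDomainName']
            }
        }
    } catch {
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}

# One row per originating computer, most frequent first: the top row is the
# machine to inspect for stale credentials, services or scheduled tasks.
$events |
    Where-Object { $_.TargetUser -eq $TargetUser } |
    Group-Object CallerComputer |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'CallerComputer'; e = { $_.Name } },
                  Count,
                  @{ n = 'LastLockout'; e = { ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated } } |
    Format-Table -AutoSize
```

Run it from an account that can read the DCs' Security logs, for example `.\Find-LockoutSource.ps1 -TargetUser jdoe -Days 7`. A CallerComputer of the Exchange or web server rather than a workstation points at a device or client syncing through that server, as in the ActiveSync thread further down this page.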

  • Is it best practice to use account lockout policy

    Windows Server 2008 r2 (will be moving to 2012 r2)
    since implementing account lockout policy two days ago, we've been bombarded by calls to unlock accounts. and after a few minutes, same users get their accounts locked again.
    my question, since we are already using strong password policy (8 chars min, 90 days max to expire), at this day and age is it still best practice to rely on account lockout policy? keeping in mind the above flood of calls.

    since implementing account lockout policy two days ago, we've been bombarded by calls to unlock accounts. and after a few minutes, same users get their accounts locked again.
    my question, since we are already using strong password policy (8 chars min, 90 days max to expire), at this day and age is it still best practice to rely on account lockout policy? keeping in mind the above flood of calls.
    Account lockout is generally considered unnecessary if you have implemented a very strong password complexity/history policy.
    There are many discussions on the topic of password/passphrase "strength", and it's important to consider the various factors involved, and, how they affect your organisation's view of "security".
    I would say that 8 chars is not very strong. You should also consider if password aging/expiry is a useful control at all.
    Since this forum is related to Group Policy, and password/security is really quite a separate topic, you should consider the DS forum or the security forum, or separate research or consulting services, to get a broad understanding of the things to consider for your particular requirements/scenario.
    Other considerations include any security standards which can be useful reading to understand the nature of the topic (e.g. PCI DSS, HIPAA, FIPS, etc)
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

  • Is account lockout policy still best practice

    Windows Server 2008 r2 (will be moving to 2012 r2)
    since implementing account lockout policy two days ago, we've been bombarded by calls to unlock accounts. and after a few minutes, same users get their accounts locked again.
    my question, since we are already using strong password policy (8 chars min, 90 days max to expire), at this day and age is it still best practice to rely on account lockout policy? keeping in mind the above flood of calls.

    Just to add, I think it would have been a better idea to broadcast the planned changes organization wide before implementing something like this.
    Places that we usually check, and that are possibly good to let people know about:
    Desktops
    Extra Laptops that may not be on site
    Mobile phone Exchange accounts or Office 365 hybrid ADFS accounts
    WIFI profiles on laptops, iPads, other tablets, mobile phones, etc
    Locked workstations that have not been logged off
    Services using a user account or with old credentials - usually I see devs doing this
    Mapped Drives with explicit permissions
    Current running RDP/RDS sessions
    Scheduled Tasks with old credentials
    VPN connections
    etc
    Troubleshooting account lockout the Microsoft PSS way
    http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx
    Account Lockout and Management Tools
    http://www.microsoft.com/en-us/download/details.aspx?id=18465
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • Account Lockout issue between Apple devices and Exchange 2003

    I have been having an ongoing issue for a couple of months with a few different users' Apple devices locking out their accounts in AD when they try to authenticate to ActiveSync. This doesn't happen every time they authenticate, it seems to be random, while the rest of the time they have access to their email. It might occasionally happen with an Android, but not on a repetitive basis like this.
    Primarily this has been four different iPads, running different versions of iOS, and an iPhone running the latest release of iOS 7. Other iPhones and iPads function without having the problem, including iPhones on iOS 7.
    The user accounts in question are set to never have their passwords expire, but again, they aren't the only users that are set like this, and those other users, even with Apple devices, are not having the same problem.
    I used NetWrix to trace out the source machine, which is my Exchange 2003 server, and the times, and I've checked the W3SVC1 log file, and come up with the following as an example with identification details masked:
    <internal IP>, <Domain\Username>, 4/30/2014, 8:10:04, W3SVC1, <ServerName>, <internal IP>, 15, 329, 3367926, 200, 0, GET, /exchange-oma/<[email protected]>/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/iPad/ApplV50462*****/eb53cd5d5b9fcf40****************-20ef44,
    As I was typing this, the owner of the iPad from the log file above came by my desk, so I asked a couple more questions. He's never had another iPad, it's a gen 1, and he's never updated the iOS on it. I know one of the other iPads in question has the most up to date iOS, and the other one is brand new, replacing one that was broken, but the owner of that one had the same issue on a 3 year old iOS.
    There is nothing special about the user accounts, no special privileges or restrictions.
    Has anyone encountered this before?  Exchange 2003, Server 2003 in a 2008 domain.  Promotion to the 2008 domain was 2 years ago.

    Hi Brian,
    I am so sorry for the delay.
    Do you have any progress by now?
    Since there are lots of devices which use user accounts to log on, failed logon attempts on these devices could be the cause for account lockout.
    If this issue persists, I suggest you refer to these troubleshooting articles below:
    Troubleshooting account lockout the PSS way
    http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx
    Troubleshooting Account Lockout
    http://technet.microsoft.com/en-us/library/cc773155(v=WS.10).aspx
    In addition, you can also get efficient support at Active Sync forum below:
    http://social.technet.microsoft.com/Forums/exchange/en-US/home?forum=exchangesvrmobilitylegacy
    Best Regards,
    Amy

  • Oracle Access Manager 11gR2 Account Lockout URL

    I have question on OAM and OIM Integration LOCKOUT URL.
    Oracle 11gR2 documentation used is   Introduction - 11g Release 2 (11.1.2.1.0)
    Section 1.5.3.5 Account Lock and Unlock refers to account lockout url
    4. The user's unsuccessful login attempts exceed the limit specified by the policy. Access Manager locks the user account and redirects the user to the Access Manager Account Lockout URL, which displays help desk contact information.
    Where can we setup  Access Manager Account Lockout URL in 11gR2?

    Try specifying Account Lockout URL in oam-config.xml "AccountLockedURL" attribute. I am not sure what exact values should be set for other attributes mentioned in oam-config.xml (password policy related section) as some of them are related to OIM-OAM integration. Do you plan to integrate OIM-OAM in your environment

  • Random Account Lockout (How to trace source?)

    In a Windows 2003 server native domain environment: XP Pro machines have no issues, but all ~10 PCs that have Win7 Pro (in different offices) have their domain accounts locked out randomly throughout the day. Workstations have no passwords listed in credentials management.
    I suspect it is something on the workstations that is sending an incorrect logon and triggering the invalid password lockout limit on the domain policy. I found MSFT tools to trace this in XP, but nothing for Win7. Does anyone know how to use Procmon or a similar tool to trace such a source on the workstations? Thank you.
    (Procmon.exe from Sysinternals)

    Hi,
    The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
    We can run LockoutStatus.exe on a domain controller to identify and investigate the account lockout issue.
    Troubleshooting tools:
    By using this tool, we can gather and display information about the specified user account, including the domain admin's account, from all the domain controllers in the domain. In addition, the tool displays the user's badPwdCount value on each domain controller. The domain controllers that have a badPwdCount value that reflects the bad password threshold setting for the domain are the domain controllers that are involved in the lockout. These domain controllers always include the PDC emulator operations master.
    You may download the tool from the link
    Download Account Lockout Status (LockoutStatus.exe)
    http://www.microsoft.com/downloads/details.aspx?familyid=D1A5ED1D-CD55-4829-A189-99515B0E90F7&displaylang=en
    Once we confirm the problematic computer, we can perform further research to locate the root cause. Actually, there are many possible causes for bad passwords, such as a cached password, a scheduled task, mapped drives, services, etc. Please remove the previous password cache which may be used by some applications and therefore cause the account lockout problem.
    Troubleshooting steps:
    1. Click Start, click Run, type "control userpasswords2" (without the quotation marks), and then click OK.
    2. Click the Advanced tab.
    3. Click the "Manage Password" button.
    4. Check to see if these domain accounts' passwords are cached. If so, remove them.
    5. Check if the problem has been resolved now.
    If any application or service is running as the problematic user account, please disable it and then check whether the problem occurs.
    For your convenience, I'd like to list the common troubleshooting steps and resolutions for account lockouts as follows:
    Common Causes for Account Lockouts
    To avoid false lockouts, please check each computer on which a lockout occurred for the following behaviors:
    Programs:
    Many programs cache credentials or keep active threads that retain the credentials after a user changes their password.
    Service accounts:
    Service account passwords are cached by the service control manager on member computers that use the account as well as on domain controllers. If you reset the password for a service account and you do not reset the password in the service control manager, account lockouts for the service account occur. This is because the computers that use this account typically retry logon authentication by using the previous password. To determine whether this is occurring, look for a pattern in the Netlogon log files and in the event log files on member computers. You can then configure the service control manager to use the new password and avoid future account lockouts.
    Bad Password Threshold is set too low:
    This is one of the most common misconfiguration issues. Many companies set the Bad Password Threshold registry value to a value lower than the default value of 10. If you set this value too low, false lockouts occur when programs automatically retry passwords that are not valid. Microsoft recommends that you leave this value at its default value of 10. For more information, see "Choosing Account Lockout Settings for Your Deployment" in this document.
    User logging on to multiple computers:
    A user may log on to multiple computers at one time. Programs that are running on those computers may access network resources with the user credentials of the user who is currently logged on. If the user changes their password on one of the computers, programs that are running on the other computers may continue to use the original password. Because those programs authenticate when they request access to network resources, the old password continues to be used and the user's account becomes locked out. To ensure that this behavior does not occur, users should log off of all computers, change the password from a single location, and then log off and back on.
    Stored user names and passwords retain redundant credentials:
    If any of the saved credentials are the same as the logon credential, you should delete those credentials. The credentials are redundant because Windows tries the logon credentials when explicit credentials are not found. To delete logon credentials, use the Stored User Names and Passwords tool. For more information about Stored User Names and Passwords, see online help in Windows XP and the Windows Server 2003 family.
    Scheduled tasks:
    Scheduled processes may be configured to use credentials that have expired.
    Persistent drive mappings:
    Persistent drives may have been established with credentials that subsequently expired. If the user types explicit credentials when they try to connect to a share, the credential is not persistent unless it is explicitly saved by Stored User Names and Passwords. Every time that the user logs off the network, logs on to the network, or restarts the computer, the authentication attempt fails when Windows attempts to restore the connection because there are no stored credentials. To avoid this behavior, configure net use so that it does not make persistent connections. To do this, at a command prompt, please type net use /persistent:no. Alternately, to ensure current credentials are used for persistent drives, disconnect and reconnect the persistent drive.
    Active Directory replication:
    User properties must replicate between domain controllers to ensure that account lockout information is processed properly. You should verify that proper Active Directory replication is occurring.
    Disconnected Terminal Server sessions:
    Disconnected Terminal Server sessions may be running a process that accesses network resources with outdated authentication information. A disconnected session can have the same effect as a user with multiple interactive logons and cause account lockout by using the outdated credentials. The only difference between a disconnected session and a user who is logged onto multiple computers is that the source of the lockout comes from a single computer that is running Terminal Services.
    Service accounts:
    By default, most computer services are configured to start in the security context of the Local System account. However, you can manually configure a service to use a specific user account and password. If you configure a service to start with a specific user account and that account's password is changed, the service logon property must be updated with the new password or that service may lock out the account.
    Internet Information Services:
    By default, IIS uses a token-caching mechanism that locally caches user account authentication information. If lockouts are limited to users who try to gain access to Exchange mailboxes through Outlook Web Access and IIS, you can resolve the lockout by resetting the IIS token cache. For more information, see "Mailbox Access via OWA Depends on IIS Token Cache" in the Microsoft Knowledge Base.
    MSN Messenger and Microsoft Outlook:
    If a user changes their domain password through Microsoft Outlook and the computer is running MSN Messenger, the client may become locked out. To resolve this behavior, see "MSN Messenger May Cause Domain Account Lockout After a Password Change" in the Microsoft Knowledge Base.
    For more information, please refer to the following link:
    Troubleshooting Account Lockout
    http://technet.microsoft.com/en-us/library/cc773155.aspx
    Account Passwords and Policies in Windows Server 2003
    http://technet.microsoft.com/en-us/library/cc783860.aspx
    Hope this helps!
    Novak
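Both Ace Fekay's checklist earlier on this page (services, scheduled tasks, mapped drives, RDP sessions, stored credentials) and Novak's list of common causes above describe things to look for on the computer that the 4740 events name as the source. The PowerShell below is an added example, not code from either poster, that runs those checks on a workstation in one pass. It assumes it is run locally on the suspected machine with administrative rights, that "jdoe" is a hypothetical account name, and that `cmdkey` and `quser` are present (both ship with Windows); the mapped-drive check reads HKCU, so it only sees the drives of the user running the script.

```powershell
# Added example: enumerate the usual stale-credential holders for one account on this host.
# Assumptions: run locally as an administrator; 'jdoe' is a hypothetical sAMAccountName.
param(
    [string]$Account = 'jdoe'
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# 1. Services whose logon account is the user: the service control manager keeps the
#    password it was given and retries it after a password change.
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -like "*$Account*" } |
    ForEach-Object { Add-Finding 'Service' "$($_.Name) runs as $($_.StartName) (state $($_.State))" }

# 2. Scheduled tasks registered to run as the user.
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -like "*$Account*" } |
    ForEach-Object { Add-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName) runs as $($_.Principal.UserId)" }

# 3. Saved credentials in Credential Manager. cmdkey prints text only, so pair each
#    "User:" line with the "Target:" line that precedes it.
$lastTarget = ''
foreach ($line in (cmdkey /list 2>$null)) {
    if ($line -match '^\s*Target:\s*(.+)$') { $lastTarget = $Matches[1].Trim() }
    elseif ($line -match "^\s*User:\s*(.*$Account.*)$") {
        Add-Finding 'StoredCredential' "$lastTarget stored for $($Matches[1].Trim())"
    }
}

# 4. Persistent drive mappings of the current user (HKCU\Network, one key per drive letter).
Get-ChildItem HKCU:\Network -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    Add-Finding 'MappedDrive' "$($_.PSChildName): -> $($p.RemotePath) (explicit user: '$($p.UserName)')"
}

# 5. Disconnected interactive sessions for the user. quser lists STATE as "Disc"; the
#    session-name column is blank for disconnected sessions, so match on words, not columns.
foreach ($line in (quser 2>$null | Select-Object -Skip 1)) {
    if ($line -match "^\s*>?\s*$Account\b" -and $line -match '\bDisc\b') {
        Add-Finding 'DisconnectedSession' $line.Trim()
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No services, tasks, stored credentials, mapped drives or disconnected sessions reference '$Account' on $env:COMPUTERNAME."
} else {
    $findings | Sort-Object Kind | Format-Table -AutoSize -Wrap
}
```

Each finding is a place where the old password can still be retried; fixing the service logon, re-registering the task, deleting the stored credential (`cmdkey /delete:<target>`), reconnecting the drive or logging the disconnected session off removes one retry source, after which the 4740 events for that caller computer should stop.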

  • Smart card and Account Lockout Policies Issue

    I have enabled "Interactive logon: Require smart card" and "Account Lockout threshold: 3 invalid logon attempts". The lockout policy works fine with normal passwords. However, when I try to use the smart card and enter the wrong PIN 4 times, the lockout policy does not work.
    Can anyone please help with this issue?

    Hi,
    The validity of the PIN is managed by the smartcard itself, not by Windows. Windows just logs you in if the smartcard gives the right certificates/keys; the smartcard will only do so when it is provided a valid PIN.
    Also note an account should not be locked out to avoid brute forcing the PIN; instead, the smartcard should lock.
    http://technet.microsoft.com/en-us/library/cc962052.aspx
    http://technet.microsoft.com/en-us/library/ff404290(v=ws.10).aspx
    MCP/MCSA/MCTS/MCITP

  • How to set Account Lockout Duration at 5 minutes.

    Please suggest how to set the Account Lockout Duration to 5 minutes.

    Your question is not very clear but I assume you are referring to setting of the Account Lockout Duration for a user in weblogic realm.
    Please refer to the below link for the same:-
    http://docs.oracle.com/cd/E13222_01/wls/docs81/secmanage/passwords.html
    -Sandeep

  • Configure account lockout policies

    Hi guys,
    I have a few questions regarding Windows PowerShell. I need to automate a Windows Server 2012 with PowerShell.
    And there are a few steps where I can't find anything that works.
    1. I need to configure the account lockout policy, so after 3 wrong passwords, a user account will be disabled for like 1 hour. How do I do this with PowerShell? I've looked everywhere but there are only things for a whole domain, and not a single user.
    2. When I share a map, only a few people, the users of that department, can actually access and read it. But the others need to be blocked from it.
    Any links with answers, or links with a lot of information about PowerShell are welcome!
    Thanks a lot!
    RandomGuest

    First of all, sorry for my English.
    Second: So I need to make a script with PowerShell that will automate Windows Server 2012.
    For the first question: So every user in my domain should be prohibited (from the account) for 1 hour if they type the password wrong more than 3 times. So I need to set the security permissions for the users.
    For the second question: When I share this map, only the people in my OU may access it. All the others are prohibited.
    Thanks a lot!
    Your English is not that bad...
    1. first question:
    So it now seems that you want to modify group policy to apply this one hour lockout to all users. Why do you want to do this with PowerShell? No matter how many servers or computers you have, you have only one domain, so the policy change needs to be done only once. Perhaps there is a way to do it with PowerShell, but I don't see why you want to.
    Also this has nothing to do with setting the security permissions for the users - unless perhaps you think that is how a script could keep the affected users from being able to log in. Since Windows has facilities to do this, you will probably only create problems by trying to simulate it with a script.
    2. second question:
    You say that "When i share this map, only the people in my OU may acces it. Al the others are prohibited". Are you saying that this is what currently happens, but you want something different, or are you saying that that is what you want to have happen?
    So, please describe how you are applying permissions, and how the result differs from what you want.
    Al Dunbar -- remember to 'mark or propose as answer' or 'vote as helpful' as appropriate.
