Password Policy and user account lockout in OAM

Hi folks,
I'm new to OAM and have a rather silly question: I created a Password Policy where I've defined the Number of login tries allowed, Custom Account Lockout Redirect URL, etc. Now, how do I tie it to the authentication / authorization rules inside my Policy Domain which I'm using to protect a certain resource?
Thank you
Roman

Hi Colin,
I do have the validate_password plugins defined in the Authent scheme, here they are:
credential_mapping      obMappingBase="xxxxxx"
validate_password      obCredentialPassword="password"
validate_password      obReadPasswdMode="LDAP"
validate_password      obWritePasswdMode="LDAP"
Yet, after the third unsuccessful login, nothing happens. I still don't get how the password policy I've created kicks into action. Should it be evaluated each time a user attempts an access? Is it getting engaged due to the validate password plugin names?
I've also noticed that the only default step I have in the Authent scheme doesn't list the last two validate password plugins in it. Does it have to?
Thanks Roman
Edited by: roman_zilist on Dec 17, 2009 9:12 AM

Similar Messages

  • How to force password policy requirements on password resets for user accounts reset by the Administrator?

    OS: Windows Server 2008 R2 Enterprise
    Domain Level: 2008
    Forest Level: 2000
    We have Domain Administrators in our domain that reset passwords for user accounts, and the passwords the Administrators set them to are not being enforced to follow our default domain password policy. For example, I log on to the domain controller as an administrator and can reset a password for a user account to be blank.
    Is there a reason Domain Administrator password resets for user accounts are not enforced by our default domain password policy? Is there a way to enforce this on password resets by Domain Admins?

    Do you have a fine-grained password policy? If not, by default all the users are affected by the domain-level password policy, even domain admins.
    Regards~Biswajit

  • Password Problems with User Account

    I have attempted several times to use my admin account to set up a user account on my G4 desktop. I can always manage to set up the user and password, but whenever I log in as the new user, the password doesn't work. I've tried this several times using different user names and different passwords, but no luck. Can someone tell me what I'm doing wrong?
    G4 Tower   Mac OS X (10.4.6)  

    I was having a similar problem to yours. Running 10.4.6 on an old PowerBook G4 Titanium 400MHz, and when I tried to create a new regular user account last week, the login window wouldn't accept my new password for the user account, even though I'd just created it. It just shook/shuddered to indicate typing the wrong password, even though I knew I was typing it right!
    I tried lots of troubleshooting steps to no avail. Downloaded and installed the newest 10.4.8 full updater. Ran disk utility to repair permissions, and checked the disk for problems. Still no go on logging into the new regular user account. Deleted and recreated the account a few times with no luck.
    Then I went into the security control panel and set a new "Master Password" for my computer. When I created a new account, and then tried to log in, it rejected the password, but after typing the "right" password four times, the computer gave me an opportunity to type the Master Password, and then "reset" the new user's password, after which it logged in just fine!
    I definitely recommend trying this procedure before going through a whole reinstall process for the operating system!
    -Nate

  • Can't Change Lock Screen Background Image and User Account Picture in Windows 8.1.

    I am running Windows 8.1 Single Language with Windows activated. Upgraded from Windows 8 to Windows 8.1.
    Lenovo Y410p.
    4th generation Intel® Core™ i7-4700MQ (2.40GHz 1600MHz 6MB) with 16GB RAM.
    NVIDIA® GeForce® GT750M 2GB .
    I tried all methods that I found on the web, including:
    1. http://www.askvg.com/fix-cant-change-lock-screen-background-and-user-account-picture-in-windows-8/
    2. http://answers.microsoft.com/en-us/windows/forum/windows8_1-desktop/lockscreen-issues-on-windows-81/c51f570a-7a69-4e92-8348-3ebbed778592
    3. I deleted the C:\ProgramData\Microsoft\Windows\SystemData file and folder
    4. I restored the Libraries Features.
    5. I ran SFC /scannow 3 times but got no error.
    6. I created a new local account but the same problem shows up. (I'm using Live for my main account.)
    Now, please tell me what I should do. Thanks.

    Hi,
    First of all, please run the command slmgr.vbs /dlv
    After that, check the License status if it is licensed.
    Is there any error message when you couldn't change lock background or this option just grey out?
    Roger Lu
    TechNet Community Support

  • Remove password from main user account on os x 10.8

    How do i remove password from main user account on os x 10.8
    Thank you
    John

    http://support.apple.com/kb/HT1274

  • Checking Computer AND User Account against AD without TLS

    Hi Folks,
    I am working on a customer site with 5500/ACS5.2/AD/WZC. The customer looks for a good authentication scenario but decides against TLS. So we tested PEAP with checking the AD for a valid Computer Account and User Auth. But, if I use a laptop with no Domain Computer Account but a valid User Account, I can gain access. Is it possible that the ACS can check for a valid Computer AND User Account and accept the client only if both accounts are available and valid?
    Regards, Michael

    Hi Nicolas, thanks for this hint. I did the Host Lookup and "was machine auth" thing today, but anyway, my own laptop that is not in the domain can connect with a Domain User ID to the network. Any hint or trick? I saw on other discussions you referred to that some users did an AD rejoin, what do you think?
    Regards, Michael

  • Check for Updates and User Account Control

    With Adobe Reader the 'Check for Updates' function under Help does not appear to function when 'User Account Control (UAC)' in Windows Vista is turned on.
    When UAC is turned off, the 'Check for Updates' works, and if there an update is available for Adobe Reader, it will download and install.
    Other programs that update software function with UAC turned on, albeit with the additional dialog boxes that UAC brings, namely the CTL/ALT/DEL and user account logon (when applicable.)
    Without updating the Adobe Reader software, users are leaving themselves open to vulnerabilities. Without UAC turned on, users are also leaving themselves open to certain risks. So there appears to be a dilemma presented.
    Does anyone know if/when Adobe will be changing the 'Check for Updates' functionality so it will behave more in-line with the UAC functionality?
    Thank you in advance for your time and attention.

    With UAC enabled, I start Adobe Reader, click on Help, and there is no selection for updating.  There is nothing for me to click.  Additionally, in Edit, Preferences, Updater, "Do not download or install updates automatically" is selected, and everything on the right pane is greyed-out.
    With UAC disabled, I start Adobe Reader, click on Help, and there is a selection for 'Check for Updates.'  In Edit, Preferences, Updater, I can select the various methods of downloading/updating Adobe Reader.  The option to download the update but not install was selected, as I wanted it to be.
    Finally, I noticed that the notice from Adobe, 'Update is ready to install,' appears in the Windows tray. And it is this point that somewhat changes the severity of the problem, that is, while 'Check for Updates' is not available when UAC is enabled, it appears that Adobe can still be updated through the automatic download feature. The only problem with this is that I cannot tell if the update was downloaded while UAC was enabled (probably not, since the download setting says not to) or while UAC was disabled.
    In any case, it still does not appear that our clients can get their Adobe Reader software updated while UAC is enabled.  And this represents a security dilemma for us.

  • Disk password and user accounts

    I have a Macbook Pro (with Mavericks), and my disk is encrypted.
    When I power on my computer, I get these options:
    1. Log in with my profile/user account OR
    2. Enter the Disk Password
              followed by: log in with my profile/user account
    What I am confused about is this: How can I log into my account both with and without entering the Disk Password, and there doesn't seem to be any difference between the two? Sorry if this is a dumb question, but if my whole drive is encrypted (I only have one partition), shouldn't I be required to enter the Disk Password before I can log in with a user account?
    I created another account (non-admin) and made sure it doesn't have automatic access to the disk (in the FileVault settings). This account can also log in just fine before I enter the Disk Password, or after I enter it.
    Another weird thing that might be connected to this is that when I run the Disk Utility when my computer boots up (Cmd+R), it says my partition is encrypted + journaled, but when I run Disk Utility from within Mavericks, it says it's only journaled, NOT encrypted as well. The partition is named after my dog (I know...), so there's no confusion of the "disk1" "disk2" sort...
    Thanks in advance!!!

    Hey Melophage,
    thanks for your reply!
    I encrypted the disk under Mountain Lion, then decrypted, erased, and encrypted again under Mavericks.
    The reason for this is that I had some issues with super slow startup as well as the log in screen after sleep (the cursor in the password field would be blinking for 25-30 secs without responding to the keyboard, then the screen would go black, then come on again, and I would be able to log in…). I couldn’t identify any apps or processes that were responsible for these issues.
    When I upgraded to Mavericks, the issue went away for a week or so, then came back. So, I decrypted, erased the drive, encrypted, and now have the “double” login options.

  • Best way to force password policy on users within 1-2 weeks?

    We have a Server 2008 R2 domain.
    I'd read that the password policy in GPO is only available for Computer Configuration, not User Configuration? Is that correct? 
    If so, that's not very flexible and will make things trickier for us.  
    And regarding enforcing a password policy with a GPO on our local domain, do you know of a way to force users to change their passwords within, say, 1 week? (The only options I know of are, on the AD user account properties, to check the box "User must change password at next logon" (then you'd have to force them to log out), OR relying on AD's internal formula: webactivedirectory.com/.../how-active-directory-calculates-account-password-expiration-dates. The problem I see with the latter is that if your user hasn't changed their pw for a year, you'd have to wait a year + however many days you set for max password age?)
    spnewbie

    To add, the password policy is applied at the domain level and only works at the domain level. It's not the fact that it's at the "Computer Level" or "User Level" or not, it's the fact that it's only set at the domain level.
    Account policies (Password, Lockout and Kerb), are all under the Computer Config because it forces it to apply to all user accounts that access all machines.
    If you tried to create a password policy at any other level (any OU), it won't work. The only option is to use PSOs, as Mahdi pointed out.
    As for that Spiceworks thread, I would suggest to post a question about a specific product to the product vendor's support forum for accurate responses.
    Here's an excerpt from MOC 6425C Configuring and Troubleshooting Windows Server 2008 Active Directory, page 10-8 (and this applies to all versions of AD):
    Active Directory supports one set of password and lockout policies for a domain. These policies are configured in a GPO that is scoped to the domain. A new domain contains a GPO called the Default Domain Policy that is linked to the domain and that includes the default policy settings for password, account lockout, and Kerberos policies. You can change the settings by editing the Default Domain Policy GPO.
    The best practice is to edit the Default Domain Policy GPO to specify the password policy settings for your organization. You should also use the Default Domain Policy GPO to specify account lockout policies and Kerberos policies. Do not use the Default Domain Policy GPO to deploy any other custom policy settings. In other words, the Default Domain Policy GPO only defines the password, account lockout, and Kerberos policies for the domain. Additionally, do not define password, account lockout, or Kerberos policies for the domain in any other GPO.
    The password settings configured in the Default Domain Policy affect all user accounts in the domain. The settings can be overridden, however, by the password-related properties of the individual user accounts. On the Account tab of a user's Properties dialog box, you can specify settings such as Password Never Expires or Store Passwords Using Reversible Encryption. For example, if five users have an application that requires direct access to their passwords, you can configure the accounts for those users to store their passwords by using reversible encryption.
    Ace Fekay
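The domain-level policy, its per-user override and the PSO route mentioned above, worked through in PowerShell. This is an added example, not code from any poster; it assumes the ActiveDirectory RSAT module, a domain functional level of 2008 or higher for PSOs, and placeholder user, group and PSO names.

```powershell
# Added example, not code from the thread: inspect the domain-level password
# policy, show which policy actually governs one user, and create a
# fine-grained password policy (PSO) for a group that needs a shorter
# maximum password age. Needs the ActiveDirectory RSAT module; PSOs need
# domain functional level 2008 or higher. User, group and PSO names are
# placeholders.
Import-Module ActiveDirectory

# 1. The one domain-wide policy, i.e. what the Default Domain Policy GPO sets.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
$domainPolicy | Format-List MaxPasswordAge, MinPasswordLength, ComplexityEnabled,
    PasswordHistoryCount, LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. The policy that wins for a given user: a PSO applied directly or through
#    group membership, otherwise the domain policy (the cmdlet returns $null).
function Get-EffectivePasswordPolicy([string]$SamAccountName) {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($null -eq $pso) { Get-ADDefaultDomainPasswordPolicy } else { $pso }
}
$user = 'jdoe'    # placeholder
$effective = Get-EffectivePasswordPolicy $user
"{0}: max password age {1} days, lockout after {2} bad attempts" -f $user,
    $effective.MaxPasswordAge.Days, $effective.LockoutThreshold

# 3. A PSO for one group. Lower Precedence wins if several PSOs apply to a
#    user; the observation window must not exceed the lockout duration.
$psoName = 'PSO-14DayPasswordAge'        # placeholder
$group   = 'Short-Password-Age-Users'    # placeholder group, must already exist
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MaxPasswordAge (New-TimeSpan -Days 14) -MinPasswordAge (New-TimeSpan -Days 1) `
        -MinPasswordLength 12 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group
}

# 4. Expiry is PasswordLastSet + MaxPasswordAge, so members whose password is
#    already older than 14 days are expired as soon as the PSO applies and get
#    prompted at their next logon. Report them so they can be warned; a
#    PasswordNeverExpires flag on the account overrides the policy, so flag
#    that as well.
$cutoff = (Get-Date).AddDays(-14)
Get-ADGroupMember -Identity $group -Recursive |
    Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object { $_.PasswordLastSet -lt $cutoff -or $_.PasswordNeverExpires } |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires
```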

  • How do I repair my library and user account?

    My problem:
    - Created new user named "admin" and wanted to transfer my entire account there and gave it full rights. Decided not to. <- long story
    - Now, original account does not have full rights and every setting I change (like desktop wallpaper) changes back to the day I gave full rights to my other account.
    - Asks password to move and delete files.
    - Apps connected to Apple account (iPhoto, Notes, Mail, Calendar, Preview, Reminders, FaceTime, etc. - except iTunes and Messages) asks for password as well and when I put it in, it crashes and says the app quit unexpectedly
    - Also, Apple apps like Messages cannot log in to my Apple account, and I cannot receive any messages anymore.
    Attempts to fix:
    - I tried giving myself access to a lot of folders (my hard disk, home, desktop, system, library, user accounts, applications)
    - Disk Utility - Verify Disk Permissions and Repair Disk Permissions
    HELP!

    Hi,
    I am presuming there was only one account on the Mac in the first place.
    In System Preferences > Users and Groups this would have been an Admin account.
    You now seem to be saying that this Mac User Account is no longer an Admin account ("Does not have full rights") but have not explained how you got to that state.
    You can have several Mac User Accounts that have Admin Permissions.
    Other posters who may be able to help may need the exact steps that you took in this process.
    9:14 PM      Friday; April 5, 2013

  • Need to collect the Windows logon and logoff events across the domain in a DC environment, for different machines and user accounts.

    Hello All,
    I am trying to build a tool to collect the info about all the users who log in and log off on a daily basis in a domain network. I am using a Windows 2008 server as a DC and have XP, Win 7, Win 8 and Win 2012 Server as clients in the network.
    There are a few questions in my mind which I am not able to answer.
    1> When a user tries to log in to the DC network, he/she gets authenticated using the Kerberos protocol. Do these authentications get logged on the AD server by default? I have seen a way to enable it from the registry, but even that's not giving me the expected output in the Event Viewer.
    2> Do I have to use audit policies to monitor all the users' logoff and logon activities?
    3> Is there a way to collect this information from any place on the AD server other than the Event Viewer?
    Please help me in finding the solutions to these queries of mine.
    Thanks.

    1. Open the Group Policy Management console on any domain controller in the target domain: navigate to Start → Administrative Tools → Group Policy Management.
    2. In the left pane, navigate to Forest: <domain_name> → Domains → <domain_name> → Domain Controllers. Right-click the effective domain controllers policy (by default, it is the Default Domain Controllers Policy), and select Edit from the pop-up menu.
    3. In the Group Policy Management Editor dialog, expand the Computer Configuration node on the left and navigate to Policies → Windows Settings → Security Settings → Local Policies → Audit Policy.
    4. Set the Audit account management and the Audit directory service access policy to "Success". Set the Audit logon events policy to "Success" and "Failure".
    5. Navigate to Start → Run and type "cmd". Input the gpupdate /force command and press Enter. The group policy will be updated.
    The number of events could be excessive, so you need to adjust the size of the Security log (1 GB, for example).
    Usage of the EventCombMT tool (part of MS ALTools):
    This tool gathers specific events from several different servers to one central location.
    Run EventCombMT.exe > right-click on the Select to search field > choose Get DCs in Domain > mark your domain controllers for search.
    Click the Searches menu > replace the Event ID field values with 4624 (LOGON) / 4634 (LOGOFF).
    Click Search and wait for the process to complete the operation.
    After the search is done, the output directory contains the log files for the domain controllers where events with the specified Event IDs were found.
    Alternatively you can try Netwrix Auditor for Active Directory solution with 20 days of free trial to generate such reports.
    --- Jeff (Netwrix)
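The same collection of 4624/4634 events across every domain controller, done with Get-WinEvent instead of EventCombMT. This is an added example, not code from the thread or from any vendor; it assumes the audit policy from the steps above is already applied, the ActiveDirectory RSAT module is available, and the caller can read the remote Security logs.

```powershell
# Added example, not code from the thread: pull logon (4624) and logoff (4634)
# events from the Security log of every domain controller for the last 24 hours
# and write one CSV. Assumes the audit policy above is in place and the caller
# has rights to read remote Security logs.
Import-Module ActiveDirectory

$since  = (Get-Date).AddHours(-24)
$filter = @{ LogName = 'Security'; Id = 4624, 4634; StartTime = $since }

# Read one named field out of the event's EventData block by name rather than
# by position, so the code does not depend on field order.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$dcs  = Get-ADDomainController -Filter *
$rows = foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matched or access was denied; keep going.
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Skip machine accounts (names ending in $) and anonymous logons, which
        # otherwise dominate the Security log on a DC.
        $user = Get-EventField $e 'TargetUserName'
        if ($user -like '*$' -or $user -eq 'ANONYMOUS LOGON') { continue }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            DC        = $dc.HostName
            Action    = if ($e.Id -eq 4624) { 'Logon' } else { 'Logoff' }
            User      = $user
            Domain    = Get-EventField $e 'TargetDomainName'
            # 2 = interactive, 3 = network, 10 = RDP; present on both 4624 and 4634.
            LogonType = Get-EventField $e 'LogonType'
            # Source address is only recorded on 4624.
            Source    = if ($e.Id -eq 4624) { Get-EventField $e 'IpAddress' } else { '' }
        }
    }
}

$rows | Sort-Object Time | Export-Csv -Path .\dc-logon-logoff.csv -NoTypeInformation
"{0} events collected from {1} domain controllers" -f @($rows).Count, @($dcs).Count
```

Logoff events for network logons are frequently missing or paired with a different logon ID, so treat 4634 as approximate when building session durations from the CSV.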

  • Getting user account lockout continuously

    I am getting lockouts continuously for one account. I tried reconfiguring the user profile and a system restart. But still the user account lockout keeps coming..
    I enabled audit logs and found failed logs. In that I am getting the caller process id as 0x1a8.
    I installed procmon; in that the PID is shown in decimal numbers..
    How do I convert the caller process id into a PID, or is there any other way to find which application that process is related to..

    You could download the Account Lockout Status tool to get more information where the source is.
    http://www.microsoft.com/en-us/download/details.aspx?id=15201
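The two things the question asks for, the hex-to-decimal PID conversion and a way to find where the bad credentials come from, worked through in PowerShell. This is an added example, not code from the thread or from the Account Lockout Status tool; 0x1a8 is the value quoted in the question, the account name is a placeholder, and it assumes the ActiveDirectory RSAT module.

```powershell
# Added example, not code from the thread: convert the hex "Caller Process ID"
# from a failed-logon audit event to the decimal PID that Process Monitor and
# Task Manager show, then query the PDC emulator for account-lockout events
# (4740), which name the computer the bad credentials came from. 0x1a8 is the
# value quoted in the post; the account name is a placeholder.
Import-Module ActiveDirectory

function ConvertFrom-CallerProcessId([string]$HexId) {
    [Convert]::ToInt32($HexId, 16)      # '0x1a8' -> 424
}
$decimalPid = ConvertFrom-CallerProcessId '0x1a8'
"Caller Process ID 0x1a8 is PID $decimalPid"
# Only meaningful on the machine that logged the failed logon, and only while
# that process is still running: PIDs are reused once a process exits.
Get-Process -Id $decimalPid -ErrorAction SilentlyContinue |
    Select-Object Id, ProcessName, Path, StartTime

# Lockouts are replicated to the PDC emulator, which logs 4740 for each one,
# so a single query there covers the whole domain. The Caller Computer Name
# field is the machine to inspect next for services, scheduled tasks, mapped
# drives or saved credentials still using the old password.
$account = 'jdoe'                      # placeholder
$pdc     = (Get-ADDomain).PDCEmulator
$filter  = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "Account Name:\s+$account\b" } |
    ForEach-Object {
        $caller = if ($_.Message -match 'Caller Computer Name:\s+(\S+)') { $Matches[1] } else { '' }
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $account; CallerComputer = $caller }
    }

# Current lockout state, useful to confirm before and after unlocking.
Search-ADAccount -LockedOut -UsersOnly | Select-Object SamAccountName, LockedOut, LastLogonDate
```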

  • Login password not accepted/user accounts not listed

    I woke my laptop from sleep today and it didn't accept my password. I tried several times and it just wouldn't work anymore.
    I restarted the computer and my account wasn't even in the list as an option to log in to. So I logged into root and I was able to see all my folders and files intact under my user folder.
    I thought I should just reinstall the system software, so after doing that, NO USERS were available to log in to. I had to reset my root password by starting up via the Tiger installation disc.
    Now I am able to see all my folders again, but I just can't log in! I opened the Accounts preference pane and the only account listed is root. I am afraid to add my old account, as it may re-write over the existing one.
    Can someone PLEASE explain what the **** happened? And how can I fix such a mess? This is seriously screwed up here.

    I'm seeing a lot of posts like this one - it seems "Tiger" is much more prone to corruption of the "NetInfo" database (where entries for user accounts among other things are stored) than "Panther" ever was, although I can't imagine why that would be...
    You didn't mention what type of reinstallation you performed but if the option to preserve user and network settings was selected, then it is likely that the "NetInfo" database is still corrupt (if that was the original problem). If that is the case, then recreating the account might not be the best idea at this time. Under normal circumstances however, when recreating an account with the same shortname as a previously deleted account for which a user folder still exists, the user will be presented with the option to use the existing folder so there should be no data loss. However, it is generally considered prudent to back up data if its loss is a concern.
    The output of this command, entered using "/Applications" > "Utilities" > "Terminal.app", might be informative if there is something grossly wrong with the user records in the "NetInfo" database:
    nidump passwd /
    Note that the output consists of user records (one per line), each consisting of several colon (:) delimited fields. If the second field for any user consists of anything other than "*" or "******", don't post those seemingly random characters because they could potentially be used to determine the password for that account - just substitute "x"s or something instead. I mention this because a 1.25 GHz PowerBook (as listed in your profile) may have shipped with Jaguar, which used the older, less secure method for storing passwords which might still be in use by some accounts if the computer was upgraded.
    Otherwise, you may want to skip all that and just go ahead and reset the "NetInfo" database to defaults (wiping out user records, etc. but not user data), though it will be 10.4 defaults, not 10.2 defaults...

  • MARS 5.3 - Locate who/what is applying password reset on users account

    A users account within the AD is repeatedly being set to change password at next logon. How can I search for the cause in MARS or is this type of event not logged?

    For this example, the username is BOB. Open up Notepad and type:
    642<Tab>Security
    where <Tab> is the tab key. If you use a space, this won't work. Now ctrl-a to select all and ctrl-c to copy.
    Now create a query.
    query type = events ranked by time
    time range = whenever you think this happened
    keyword = 642<Tab>Security AND BOB
    submit.

  • Password policy and OEM

    So we have a password policy that automatically locks accounts on 3 attempts.
    When OEM sends a saved preferred credential to a database, it looks like it has several attempts before it prompts you via the login panel for the credentials.
    By the time you reach the login panel the account is already locked because it looks like OEM has had several attempts against the database already.
    So what we have is a situation where our password policy is out of sync with what OEM v 10 expects.
    The only way it works is if the DBA unlocks the account prior to my hitting login from the login screen.
    This is all because I've had to change my password every 60 days and OEM has remembered my old password, which is now no longer valid against the target database.
    Thoughts?

    If preferred credentials are specified, OEM uses those credentials and checks if the login can be performed with those credentials. But, if the saved preferred credentials are different from what the database is configured with, we will run into the max_failed_attempts use case.
    The same preferred credentials will be used by background jobs and so if the password is changed on the database without updating the preferred credentials, the account could be locked out quickly if there are any background jobs.
    Also, OEM provides command line scripts (emcli update_db_password) that can be used to update the password in the database as well as update the preferred credentials with the same password, which is the recommended way to change a password when it is used in preferred credentials.
