[Pauldotcom] Interesting finding on locked accounts in ADS
lyematt at gmail.com
Mon Oct 5 01:19:58 UTC 2009
In regard to local access it would be the normal access rights the user had
on the local machine, unless there was a change in group policy that
restricted that based on the access to ADS to authenticate actions.
Interesting find, but I'm not sure how you would avoid that without a lot of
You can do anything you set your mind to when you have vision,
determination, and an endless supply of expendable labor.
<No trees were harmed during this transmission. However, a great number of
electrons were terribly inconvenienced>
On Mon, Oct 5, 2009 at 11:00 AM, Jody & Jennifer McCluggage <
j2mccluggage at adelphia.net> wrote:
> If using cached credentials (e.g. offline) the account lockout does not
> go into effect. You still need the correct username and password. I don’t
> know if there is a way to change this behavior. I believe some of the newer
> versions of Windows also implement varying length of delays after so many
> failed attempts.
> I believe that is by design (rightly or wrongly). The thinking is that if
> the boss takes his notebook home with him, you may not want him to be able
> to accidentally lock himself out of his machine. Depending upon the policy in
> place that lockout could last until the administrator unlocks it and of
> course the administrator is not available offline (I always thought that
> permanent lockout was a bit extreme. A 5-15 minute lockout is usually
> sufficient under most circumstances to defeat a brute-force attack and does
> not require an administrator to unlock.)
> *From:* pauldotcom-bounces at mail.pauldotcom.com [mailto:
> pauldotcom-bounces at mail.pauldotcom.com] *On Behalf Of *Adrian Crenshaw
> *Sent:* Sunday, October 04, 2009 1:28 PM
> *To:* PaulDotCom Security Weekly Mailing List
> *Subject:* [Pauldotcom] Interesting finding on locked accounts in ADS
> I just found out something interesting by accident. It seems that if an
> account is logged in to a box, but the box is locked, you cannot unlock it
> with a locked account (too many bad password attempts I think). However, if
> you pull the network connection so it has to use cached credentials it will
> let you right in, then you can reconnect the network cable. I'm not sure if
> it would work if the user was logged out, but if someone could test and let
> us know that would be cool. Seems like an interesting oversight.
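One way for an administrator to check how exposed a workstation is to the behaviour Adrian describes (cached credentials bypassing the domain lockout) is to read the cached-logon setting and list the logons that were verified against the local cache. This is an added example, not code from the thread; it assumes it is run elevated on the domain-joined workstation being audited.

```powershell
# Added example: audit cached-logon exposure on one workstation.
# CachedLogonsCount is the number of domain logons Windows keeps locally;
# 0 disables caching (and offline logon), the default is 10.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
           -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '10' }   # value absent means the default
"CachedLogonsCount = $cached"

# In event 4624, LogonType 11 (CachedInteractive) means the password was
# checked against the local cache, so the domain lockout policy did not apply.
# Look back seven days (assumed window) for such logons.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
          -ErrorAction SilentlyContinue

$cachedLogons = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['LogonType'] -eq '11') {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Host    = $e.MachineName
        }
    }
}

# Cached logons on a desk-bound machine that is always on the LAN are worth a
# closer look; on a laptop they are expected, and the real control is
# CachedLogonsCount plus full-disk encryption.
$cachedLogons | Sort-Object Time | Format-Table -AutoSize
```

Failed attempts made against the cache still show up as 4625 on the workstation itself, so forwarding that log is the only way to see them centrally.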