Enable/disable vs. lock/unlock account

  #1 Junior Member (Wodan)

    What are the differences and effects of disabling an account compared to locking an account? Trying to differentiate between the two. Thanks

  #2 Senior Member
    Enable/disable is like putting the light bulb in the socket or pulling it out. Locking and unlocking is like turning the light on and off.

    If you disable an account it won't work, period. Doesn't matter what they have access to, whether or not the account is locked out, or if they've taken a bath. It simply won't work until you enable it (screw in the light bulb -> you can flip the switch on or off, but without the light bulb being screwed in, it won't work).

    An account locked out is typically only when someone has tried the password too many times or there have been too many failed attempts at authentication. Just unlock the account and they are good to go. (light bulb is in the socket, now just turn the switch on).

  #3 Johan Hiemstra (Forum Admin, Webmaster)
    You can manually disable an account, so it cannot be used for logon purposes, but locking occurs automatically when a user exceeds the maximum number of logon attempts (by submitting incorrect passwords).

    Edit:
    <-- types slowly

  #4 Junior Member (Wodan)
    OK, catching on. So lockout is caused by a trigger (such as invalid logon attempts), whereas disabling an account is an admin function. Can an admin lock an account?

  #5 sprkymrk
    Quote Originally Posted by Wodan
    OK, catching on. So lockout is caused by a trigger (such as invalid logon attempts), whereas disabling an account is an admin function. Can an admin lock an account?
    Nope. An admin can disable an account, but not lock. As mentioned, lockouts occur when the preconfigured number of failed login attempts is met.

  #6 Johan Hiemstra (Forum Admin, Webmaster)
    Quote Originally Posted by Wodan
    Can an admin Lock an account?
    The locked option on the account properties is a check box that can only be 'unchecked' to unlock the account. If the account is not locked (by exceeding login attempts) the check box will be disabled, hence you cannot 'enable the lock'. So an admin would use the disable account option instead.
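The two states discussed in the posts above are stored in different attributes of the user object, which is why one has an admin cmdlet to set it and the other only has an admin cmdlet to clear it. The following is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module on a current Windows domain and a hypothetical account named `jdoe`.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module;
# 'jdoe' is a hypothetical account name.
Import-Module ActiveDirectory

$sam = 'jdoe'

# The two states live in separate attributes:
#   Enabled   <- userAccountControl bit 0x2 (ACCOUNTDISABLE); written by an admin
#   LockedOut <- lockoutTime != 0; written by the DC when bad-password attempts
#                reach the domain lockout threshold
# badPwdCount is tracked per DC (not replicated); the PDC emulator holds the
# authoritative count, so query it when the numbers look inconsistent.
Get-ADUser $sam -Properties Enabled, LockedOut, lockoutTime, badPwdCount, userAccountControl |
    Select-Object SamAccountName, Enabled, LockedOut, lockoutTime, badPwdCount,
        @{ n = 'ACCOUNTDISABLE'; e = { ($_.userAccountControl -band 0x2) -ne 0 } }

# The trigger itself: LockoutThreshold 0 means lockout never happens.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Admin-controlled state: both directions exist.
Disable-ADAccount -Identity $sam
Enable-ADAccount  -Identity $sam

# Trigger-controlled state: only one direction exists. There is no Lock-ADAccount;
# Unlock-ADAccount simply writes lockoutTime = 0.
Unlock-ADAccount -Identity $sam

# Everything currently locked out (useful as a sweep after a password-spray)
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate

# Accounts that are both disabled and locked out: unlocking them changes nothing,
# the disable flag still blocks logon.
Search-ADAccount -AccountDisabled | Where-Object LockedOut | Select-Object SamAccountName
```

The practical consequence for the "can an admin lock an account?" question: the UI checkbox and the cmdlet both only clear `lockoutTime`, so the supported way to block an account deliberately is `Disable-ADAccount`.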

  #7 Sie
    Quote Originally Posted by sprkymrk
    Nope. An admin can disable an account, but not lock. As mentioned, lockouts occur when the preconfigured number of failed login attempts is met.
    Technically an Admin can lock an account but there is no reason/situation why they would do this.

    As mentioned above lock out is normally from a trigger.

    Disable is used when an account is not needed (rather than deleting) or not going to be used for a long period of time.

    [Edit - Types slower than webmaster]

  #8 sprkymrk
    Quote Originally Posted by Sie
    Nope. An admin can disable an account, but not lock. As mentioned, lockouts occur when the preconfigured number of failed login attempts is met.
    Technically an Admin can lock an account but there is no reason/situation why they would do this.

    As mentioned above lock out is normally from a trigger.

    Disable is used when an account is not needed (rather than deleting) or not going to be used for a long period of time.
    No, technically he can't. There is no option for that, he can disable - not lock.

    On the other hand, technically, anyone can lock anyone's account. I'll just try to log in as user:Sie several times with incorrect passwords. That will lock you out. But that doesn't take an admin, just a low-tech DoS attack.
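The lockout-as-DoS point above has a detection side: every lockout is recorded as Security event 4740 on the PDC emulator, and that event names the machine the bad passwords came from. The following is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module, read access to the PDC emulator's Security log, and a hypothetical target account `jdoe`.

```powershell
# Added example (not from the thread): find out where an account's lockouts
# are coming from. Assumes the ActiveDirectory module and remote event-log
# access to the PDC emulator; 'jdoe' is a hypothetical account.
Import-Module ActiveDirectory

$sam = 'jdoe'
$pdc = (Get-ADDomain).PDCEmulator   # 4740 is always written here

$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4740                      # "A user account was locked out"
        StartTime = (Get-Date).AddHours(-24)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the EventData fields out of the XML rendering of the event.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $d.TargetUserName
            # In 4740 the "Caller Computer Name" is carried in TargetDomainName.
            Source  = $d.TargetDomainName
            DC      = $_.MachineName
        }
    }

# Lockouts for the one account, newest first
$lockouts | Where-Object Account -eq $sam | Sort-Object Time -Descending

# All lockouts in the window grouped by originating machine: one source locking
# out many different accounts is the signature of the "try a bad password a few
# times" DoS described above, or of a password spray.
$lockouts | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name
```

The DC does not record the source for each individual bad password in 4740, only for the lockout itself; for the per-attempt trail look at events 4771 (Kerberos pre-authentication failed) and 4776 (NTLM credential validation) on the same DC.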

  #9 SWM
    I was asked to immediately prevent a user from accessing a W2003 domain network by my boss as the user had been sacked. My boss wanted to prevent the user deleting files etc. etc.

    I disabled the account in "AD Users and Computers" and then in Computer Management, Sessions, right-clicked and selected "Close Session". I assumed that this would prevent access. But be warned: the user was still able to open files on the server, access Outlook and emails in Exchange, send/receive email etc. Once she logged off the account was disabled, but I was amazed that even though the Domain Controller had no record of an active session it still allowed access to the server.

    I remember back with Novell 3.12/4.11 that if the Admin hit "Del" on a user's session, they were dead in the water.

    Food for thought and beware

    Stephen

  #10 Sie
    Quote Originally Posted by sprkymrk
    No, technically he can't. There is no option for that, he can disable - not lock.

    On the other hand, technically, anyone can lock anyone's account. I'll just try to log in as user:Sie several times with incorrect passwords. That will lock you out. But that doesn't take an admin, just a low tech DOS attack.
    Depends what you're using to administer the accounts. Granted, you cannot "tick" the unlock account check box to "lock" someone's account within AD Users & Comps, but some of the admins where I work use Bindview to administrate and you can lock from there.

    I wrote my answer before checking what context / application we were talking about doing this from, plus it wouldn't be asked about in an M$ exam as it is third-party software.

    So to clarify after my confusion, admins cannot lock an account without using the addition of a third-party application.

  #11 sprkymrk
    Yes, you've got it. From an MS (and test) point of view you cannot "lock" an account. There is third-party software that may use the term "lock", but I don't know without seeing it if it's actually "locking" their account or disabling it from an ADUC point of view.

  #12 sprkymrk
    Quote Originally Posted by SWM
    I was asked to immediately prevent a user from accessing a W2003 domain network by my boss as the user had been sacked. My boss wanted to prevent the user deleting files etc. etc.

    I disabled the account in "AD Users and Computers" and then in Computer Management, Sessions, right-clicked and selected "Close Session". I assumed that this would prevent access. But be warned: the user was still able to open files on the server, access Outlook and emails in Exchange, send/receive email etc. Once she logged off the account was disabled, but I was amazed that even though the Domain Controller had no record of an active session it still allowed access to the server.

    Stephen
    There are a couple of things you can do here, which I have done on the few occasions where a user has been let go and the account needs to be disabled immediately.

    The main things I do after disabling their account are as follows:
    1. Force a log off - not just close their sessions, but actually force a logoff from their computer remotely. You can do this with the "shutdown.exe" command or within Computer Management. That gets them off the network "right now".
    2. Remove the user account from all group memberships.
    3. Remove the user account from explicit permissions on their home share.
    4. Using Exchange 5.5 (this is probably not necessary in E2K or higher) remove the user account from the mailbox permissions.
    5. This step needs to be done in advance, but you can set the "Number of previous logons to cache" to 0, instead of the default 10. This way they cannot unplug the LAN cable from their workstation and log in with a cached profile to access stuff on the local computer.

    Hope that helps. Take care!
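The five steps above, scripted for a current Windows domain, as an added example that is not part of the thread. It also addresses the behaviour SWM saw: disabling an account only stops new authentications. Kerberos has no revocation, so tickets already issued stay valid until they expire (default lifetime 10 hours), and established SMB and Exchange sessions live on the member server, not the DC, so they have to be closed there. The example assumes the RSAT ActiveDirectory module and the SmbShare module; `jdoe`, `WS-JDOE`, `FS01` and the home-share path are hypothetical placeholders. The Exchange 5.5 mailbox step is omitted.

```powershell
# Added example (not from the thread): immediate offboarding on a current
# Windows domain. Assumes ActiveDirectory + SmbShare modules; all names below
# are hypothetical placeholders.
Import-Module ActiveDirectory
Import-Module SmbShare

$sam         = 'jdoe'
$workstation = 'WS-JDOE'
$fileServer  = 'FS01'
$homeShare   = "\\$fileServer\Users\$sam"

# 1a. Disable. Takes effect at the NEXT authentication; existing Kerberos
#     tickets keep working for their remaining lifetime.
Disable-ADAccount -Identity $sam

# 1b. Reset the password to a throwaway value so a known or cached credential
#     cannot obtain fresh tickets if the account is ever re-enabled by mistake.
$chars = (48..57) + (65..90) + (97..122)
$newPw = -join ($chars | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Set-ADAccountPassword -Identity $sam -Reset `
    -NewPassword (ConvertTo-SecureString $newPw -AsPlainText -Force)

# 1c. Kill live sessions where they actually exist: on the file server, not the
#     DC. Closing a session does not invalidate the ticket, but the client must
#     re-authenticate to reconnect, and that now fails.
Get-SmbSession -CimSession $fileServer |
    Where-Object ClientUserName -like "*\$sam" |
    Close-SmbSession -Force

# 1d. Force the user off the workstation. shutdown cannot do a remote /l, so a
#     forced reboot is the blunt equivalent.
shutdown /r /f /t 0 /m "\\$workstation" /c "Account offboarded"

# 2. Strip group memberships. memberOf excludes the primary group (Domain Users),
#    which cannot be removed this way anyway.
$user = Get-ADUser -Identity $sam -Properties memberOf
foreach ($g in $user.memberOf) {
    Remove-ADGroupMember -Identity $g -Members $sam -Confirm:$false
}

# 3. Remove the explicit (non-inherited) ACEs for the user on the home share.
$acl = Get-Acl -Path $homeShare
$acl.Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference -like "*\$sam" } |
    ForEach-Object { $null = $acl.RemoveAccessRule($_) }
Set-Acl -Path $homeShare -AclObject $acl

# 5. Cached logons must already be 0 for this to matter; confirm the setting the
#    GPO "Interactive logon: Number of previous logons to cache" wrote.
Invoke-Command -ComputerName $workstation -ScriptBlock {
    Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' |
        Select-Object -ExpandProperty CachedLogonsCount
}
```

Order matters: disable and reset before closing sessions, otherwise the client simply reconnects with the still-valid credentials. Whatever the script does, assume access can persist for up to the ticket lifetime on any server whose sessions were not closed, and pull the file-server and Exchange logs for that window.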

  #13 Senior Member
    Back in the old NT 4 days an Admin could lock someone out; and sometimes it serves as good punishment for someone being an ass to the IT dept.

  #14 Sie
    Try an OU of Doom within 2003.

    An OU with extreme Group Policies in effect.

    If they're being an ass, chuck their comp and user ID in the OU of Doom for a few weeks and see how they quiet down after!

  #15 SWM
    Thanks for the replies. I think the OU of Doom is the winner.