WinXP workstations on Server 2008 domain:
- User locks screen and leaves computer for a break.
- User forgets his/her password while away.
- User makes a series of invalid login attempts and his/her account is locked out. XP displays a dialog box warning the user that the lockout has occurred.
- User ignores dialog box and makes additional login attempts, suddenly remembering his/her correct password.
- Windows XP allows the user to unlock the screen with the correct password, despite the user's account now being locked out on the domain controller(s).
- User eventually calls the help desk to complain about an inability to print or access network drives.
We were a bit shocked to discover that Windows is allowing users with locked-out accounts to unlock their screens, despite hitting the domain controller with each authentication attempt and thus generating the lockout event.
Under the current scenario, it would seem that one could guess an unlimited number of passwords on any Windows XP station whose screen is locked. This is not desirable.
Is there a way to make Windows XP respect the account lockout and deny access until the account is unlocked?
It's by design and looks rather logical. If a user's account is locked on the domain controller, the user cannot log in with the domain account anymore.
But on the locked workstation, all authorization is performed by the local security system (since there are no attempts to access resources such as a file share, which would require a fresh domain credential check), because the local system trusts such users (already checked and authorized by AD).
So for the security system of this unlocked workstation, such users are still legitimate, but they cannot use any resource that requires domain authentication (printer/network drive) because the account is already locked.
Restricting cached credentials in Windows:
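To put a concrete check behind this answer, here is an added PowerShell example (not from the original post, and not Microsoft's own tooling). It reads the two Winlogon registry values that sit behind the relevant Security Options policies: ForceUnlockLogon, which corresponds to "Interactive logon: Require Domain Controller authentication to unlock workstation" and governs the unlock path described above, and CachedLogonsCount, which corresponds to "Interactive logon: Number of previous logons to cache (in case domain controller is not available)". It reports whether the weak default (cached unlock allowed) is in effect and can switch to DC-validated unlocks. The defaults assumed when a value is absent, and the requirement to run elevated, are assumptions stated in the comments.

```powershell
# Added example: audit and optionally harden the Winlogon settings that decide whether
# a locked screen can be unlocked without the domain controller re-checking the account.
# Assumptions: run as a local administrator on the workstation; when a value is absent
# the OS default applies (ForceUnlockLogon 0, CachedLogonsCount 10). On a domain member
# the setting should be delivered by Group Policy; the registry shows the effective value.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-UnlockPolicy {
    $props = Get-ItemProperty -Path $WinlogonKey

    # Absent values fall back to the assumed OS defaults noted above
    $force  = if ($null -ne $props.ForceUnlockLogon)  { [int]$props.ForceUnlockLogon }  else { 0 }
    $cached = if ($null -ne $props.CachedLogonsCount) { [int]$props.CachedLogonsCount } else { 10 }

    [pscustomobject]@{
        ForceUnlockLogon    = $force
        CachedLogonsCount   = $cached
        # Weak state: the lock screen accepts the session's password locally, so a
        # domain lockout does not stop the unlock and guesses are not bounded by it
        CachedUnlockAllowed = ($force -eq 0)
    }
}

function Set-UnlockPolicy {
    param([switch]$RequireDomainController)

    if ($RequireDomainController) {
        # Corrected setting: every unlock is validated by a DC, so an account that is
        # locked out on the domain cannot unlock the workstation
        Set-ItemProperty -Path $WinlogonKey -Name ForceUnlockLogon -Value 1 -Type DWord
    } else {
        # Weak default restored (cached unlock allowed)
        Set-ItemProperty -Path $WinlogonKey -Name ForceUnlockLogon -Value 0 -Type DWord
    }
}

# Report the current state; uncomment the second line to apply the hardened setting
Get-UnlockPolicy
# Set-UnlockPolicy -RequireDomainController
```

One caveat before rolling ForceUnlockLogon = 1 out through Group Policy: with it enabled, an unlock needs a reachable domain controller, so a laptop user who locks the screen and then moves off the network cannot unlock until connectivity returns. CachedLogonsCount is reported alongside because the linked article is about restricting cached credentials, but it controls whether a fresh logon is possible with no DC available; the unlock behaviour this thread is about is the ForceUnlockLogon setting.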
Doesn't that just mean the local account lockout policy needs to be changed?
(I can't post comments now. OK, thanks, I'll read them. Shall I delete this one, o ye noob stompers?)
Seriously, upon reflection, I think this post was voted down as being too simple, and Sergey's was voted down for not being clear.