Educause Security Discussion mailing list archives

Re: Active Directory Password Strength


From: "Cary, Kim" <Kim.Cary () PEPPERDINE EDU>
Date: Wed, 16 Nov 2005 08:31:26 -0800

Outstanding comment Russell -- locking out unused accounts is very helpful.
The problem we've had in the past (NT4 Domain) is that some 'domain
accounts' do not show up as having logged in (from the domain admins POV)
because they never log in to the domain directly. They are quite active with
LDAP binds, Exchange POP logins, etc., which are back-ended to the domain.
While the Domain 'bad attempt lockout' policy applies to these various
logins, admins could not find a central place to see 'account activity'. Is
there a central place under AD where you can find that a successful
authentication has taken place from ANY client against the domain
credentials?


On 11/15/05 9:00 PM, "SECURITY automatic digest system"
<LISTSERV () LISTSERV EDUCAUSE EDU> wrote:

Date:    Wed, 16 Nov 2005 10:58:14 +1300
From:    Russell Fulton <r.fulton () AUCKLAND AC NZ>
Subject: Re: Active Directory Password Strength

One thing I think is more important than frequent changes of password is
to automatically disable accounts that have not been used for some
extended period of time. There will need to be exceptions but for the
most part disabling accounts that have not been used for 3 months is a
good idea. Don't delete anything at this stage, just disable the access.
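As an added illustration of Russell's suggestion (this is not code from the thread), the script below finds enabled accounts whose replicated lastLogonTimestamp is older than 90 days and disables, rather than deletes, them. It assumes the ActiveDirectory PowerShell module, a domain at Windows Server 2003 functional level or later (where lastLogonTimestamp exists), and an exemption group whose name is a placeholder; because the attribute is updated by any NTLM or Kerberos authentication the domain controllers perform, including LDAP binds and Exchange POP logons, it gives the central "has this account been used anywhere" view Kim asks about.

```powershell
# Added example, not from the thread: disable (never delete) accounts idle
# for more than 90 days. Assumes RSAT ActiveDirectory module and rights to
# disable accounts; the cutoff and the exemption group DN are assumptions.
Import-Module ActiveDirectory

$IdleDays    = 90
$Cutoff      = (Get-Date).AddDays(-$IdleDays)
$ExemptGroup = 'CN=Inactivity-Exempt,OU=Groups,DC=example,DC=edu'  # placeholder
$DryRun      = $true   # review the candidate list before flipping this to $false

# lastLogonTimestamp is replicated to every DC, so a single query is domain-wide.
# It is only rewritten when the stored value is roughly 14 days stale, so it is
# coarse, but that is fine for a 90-day rule. lastLogon is exact but not
# replicated and would have to be read from every DC.
$Candidates = Get-ADUser -Filter { Enabled -eq $true } `
    -Properties lastLogonTimestamp, whenCreated, memberOf |
  Where-Object {
    $lastSeen = if ($_.lastLogonTimestamp) {
                  [DateTime]::FromFileTime($_.lastLogonTimestamp)
                } else { $_.whenCreated }   # never logged on: age from creation
    ($lastSeen -lt $Cutoff) -and ($_.memberOf -notcontains $ExemptGroup)
  }

foreach ($u in $Candidates) {
    # Leave an audit trail on the object so the change is explainable and reversible.
    $note = "Disabled for inactivity; no logon since before $($Cutoff.ToShortDateString())"
    Disable-ADAccount -Identity $u -WhatIf:$DryRun
    Set-ADUser -Identity $u -Description $note -WhatIf:$DryRun
    Write-Output ("{0}: last seen {1}" -f $u.SamAccountName, $Cutoff.ToShortDateString())
}
```

Run it with the dry-run flag set first and hand the output to the owners of service and mailbox-only accounts, since those are exactly the ones Kim describes as invisible to a plain "who logged on to the domain" check.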
