Hello,
I am trying to authenticate my users against Active Directory in a
web service. The web service is on a Win2K3 domain controller for testing
purposes. Therefore I have checked two methods:
1. I use the System.DirectoryServices method, with an "LDAP" search path,
username and user password.
2. I use the LogonUser function in the library advapi32.dll.
My domain policy says that the user account will be locked after three
wrong passwords. Also I set that the user's password may not be repeated
within 24 password cycles.
With both methods I can check username and password. Both methods are
working well for me.
Supplying a wrong password will increase the badPwdCount property in Active
Directory, and after the third wrong password the account is locked.
But I tested this behavior also with old, previously used user
passwords. If I send an old user password, the badPwdCount counter will
not be increased, and so the user will never be locked.
Is this by design or a bug? I'm asking because I expected that if a user
takes a wrong password, he will take one of his old passwords and not
a totally different, wrong password.
BTW: It seems that badPwdCount is read-only. I can't set it
manually.
Thanks ahead,
Carsten
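The two validation paths the post describes, plus a read of the badPwdCount attribute so the lockout counter can be observed from the service side, as an added example that is not part of the original post. Domain name, DC host, the service account and the user names are placeholder assumptions; the service account only needs read access to user objects, and the user's own credentials are used solely for the bind or LogonUser call.

```csharp
// Added example (not from the original post): validate a user's credentials two ways
// and read badPwdCount afterwards to watch the lockout counter.
// Assumptions (placeholder values): domain "example.local", DC "dc1.example.local",
// a read-only service account "svc-auth", and a test user "alice".
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Text;

public static class AdAuthCheck
{
    // LogonUser constants from WinBase.h
    const int LOGON32_LOGON_NETWORK = 3;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
                                 int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // Method 1: LDAP bind with the user's own credentials (Secure = Negotiate/Kerberos or NTLM).
    public static bool AuthenticateViaLdapBind(string ldapPath, string user, string password)
    {
        try
        {
            using (var entry = new DirectoryEntry(ldapPath, user, password, AuthenticationTypes.Secure))
            {
                // Touching NativeObject forces the bind; a bad password throws.
                object forceBind = entry.NativeObject;
                return forceBind != null;
            }
        }
        catch (DirectoryServicesCOMException)
        {
            return false;
        }
    }

    // Method 2: LogonUser with a network logon type (needs no interactive logon right).
    public static bool AuthenticateViaLogonUser(string domain, string user, string password)
    {
        IntPtr token;
        bool ok = LogonUser(user, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token);
        if (ok) CloseHandle(token);   // the token itself is not needed, only the verdict
        return ok;
    }

    // Escape user-supplied text before placing it in an LDAP filter (RFC 4515 escaping),
    // so a crafted sAMAccountName cannot change the query.
    static string EscapeLdapFilter(string s)
    {
        var sb = new StringBuilder();
        foreach (char c in s)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Read badPwdCount with a separate service identity. The attribute is kept per
    // domain controller and is not replicated, so query the DC that handled the bind.
    public static int ReadBadPwdCount(string dcLdapPath, string svcUser, string svcPassword, string samAccountName)
    {
        using (var root = new DirectoryEntry(dcLdapPath, svcUser, svcPassword, AuthenticationTypes.Secure))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(sAMAccountName=" + EscapeLdapFilter(samAccountName) + "))";
            searcher.PropertiesToLoad.Add("badPwdCount");
            SearchResult result = searcher.FindOne();
            if (result == null) throw new ArgumentException("user not found: " + samAccountName);
            if (result.Properties["badPwdCount"].Count == 0) return 0;   // attribute absent => never failed
            return (int)result.Properties["badPwdCount"][0];
        }
    }

    public static void Main()
    {
        const string dc = "LDAP://dc1.example.local";           // placeholder DC
        const string domain = "example.local";                  // placeholder domain
        string user = "alice", password = "<test-password>";    // placeholder user credentials
        string svcUser = "svc-auth", svcPassword = "<svc-password>";

        Console.WriteLine("LDAP bind: " + AuthenticateViaLdapBind(dc, domain + "\\" + user, password));
        Console.WriteLine("LogonUser: " + AuthenticateViaLogonUser(domain, user, password));
        Console.WriteLine("badPwdCount on " + dc + ": " + ReadBadPwdCount(dc, svcUser, svcPassword, user));
    }
}
```

Reading the counter from the same DC that answered the bind matters: badPwdCount is a per-DC, non-replicated attribute, so a value read from a different DC will not reflect the attempt just made.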