Account lockout policy + Logon screen = Many locked accounts

George Valkov

When the logon screen is shown, it will try to log on as every single user
(with a blank password, I guess). When You click on a user, it will first try to
log on without a password and if the user is password protected, it will ask
for Your password.

1. Try to count how many times You need to click on a user to lock it out if
the Account lockout policy is set to 3 invalid attempts...

2. Try to imagine what happens when You have all of the users locked out for 2
hours (except for the built-in administrator who can't log on, because if
there is another user logged on and disconnected, pressing Ctrl+Alt+Delete
twice has no function).

Life could be better, don't You think?



George Valkov
Roger Abell

Lockout is recommended to have a threshold of no less than 5 bad
attempts with a counter reset interval of less than 90 minutes in order
to avoid the Welcome screen lockout issue.
Various MS docs have recently recommended 10 as the minimum
for the bad attempt count. However, I had thought that the Welcome
screen issue was addressed with SP1.

The default, or any admin, does not need to log in in order to unlock
a locked machine. It or the account that has the machine locked can
unlock the machine (when done by an admin that is not the locking
account, that account is logged off).

alt-cntrl-del-del brings up the old login screen.
This login screen is only available when there is no account already
logged into the machine (i.e. not when the Welcome screen is being
displayed due to a switched out account login).
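
An added example, not part of either post: a small Python check that reads the text printed by `net accounts` and compares the lockout settings with the numbers given in the reply above (at least 5 bad attempts, 10 per the MS docs it mentions, and a counter reset interval under 90 minutes). The sample output is constructed to match the policy in the first post; the function names and the English-locale field labels are assumptions of this example.

```python
import re

# Limits from the reply above: threshold of at least 5 (10 per the MS docs it
# mentions) and a counter reset interval under 90 minutes.
MIN_THRESHOLD, PREFERRED_THRESHOLD, MAX_RESET_MINUTES = 5, 10, 90

# Constructed sample of English-locale `net accounts` output for the policy in
# the first post (3 attempts, 2-hour lockout); the 120-minute window is assumed.
SAMPLE = """\
Minimum password length:                              0
Lockout threshold:                                    3
Lockout duration (minutes):                           120
Lockout observation window (minutes):                 120
Computer role:                                        WORKSTATION
The command completed successfully.
"""

def parse_net_accounts(text):
    """Return {label: value} for each 'label:    value' line of the output."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?):\s{2,}(\S.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def check_lockout(text):
    """List the ways the policy falls short of the thread's recommendations."""
    fields = parse_net_accounts(text)
    raw = fields.get("Lockout threshold")
    if raw is None:
        return ["Lockout threshold not found in output"]
    if not raw.isdigit():
        return []  # "Never": lockout is off, so the Welcome screen cannot trigger it
    threshold = int(raw)
    raw_window = fields.get("Lockout observation window (minutes)", "0")
    window = int(raw_window) if raw_window.isdigit() else 0
    findings = []
    if threshold < MIN_THRESHOLD:
        findings.append(f"threshold {threshold} is below {MIN_THRESHOLD}")
    elif threshold < PREFERRED_THRESHOLD:
        findings.append(f"threshold {threshold} is below the newer minimum of {PREFERRED_THRESHOLD}")
    if window >= MAX_RESET_MINUTES:
        findings.append(f"counter reset interval {window} min is not under {MAX_RESET_MINUTES}")
    return findings

if __name__ == "__main__":
    for finding in check_lockout(SAMPLE) or ["lockout policy meets the thread's recommendations"]:
        print(finding)
```
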
 
