User account security in domain environment

Anonymous
December 13, 2004 2:33:01 AM

Archived from groups: microsoft.public.win2000.security

Hi everyone

I've got a question, I hope that someone could provide an answer.

Q:
A service runs under a domain user account.
The user account gets locked, but the service is still running.
The service performs file access to various files on the network on a
variety of Windows-based servers with NTFS permissions.

Will the service (which is still running) be denied access to files after
some time due to the account lockout status?

Thanks
Anonymous
December 14, 2004 3:51:56 AM

If the service is connected to remote computers at the time the account is
locked out it can stay connected for a period of time. The time will depend
on how much time is left in the session ticket I believe. The service will
not be able to make "new" connections to remote computers because
authentication will fail. Account lockout may not be a good idea in your
case if you use domain accounts for services. If you enforce complex
passwords in your domain with a password length of say eight characters,
have a properly configured firewall, and a good policy to prevent malware
[email scanning etc.], account lockout may be of less value for you and a
possible DOS situation. --- Steve


"Liran Zamir" <LiranZamir@discussions.microsoft.com> wrote in message
news:4E4DA48D-0FB6-4843-AEFF-B384FE22DAE6@microsoft.com...
> Hi everyone
>
> I've got a question, I hope that someone could provide an answer.
>
> Q:
> A service runs under a domain user account.
> The user account gets locked, but the service is still running.
> The service performs file access to various files on the network on a
> variety of Windows-based servers with NTFS permissions.
>
> Will the service (which is still running) be denied access to files after
> some time due to the account lockout status?
>
> Thanks
>
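
To see which services on a server would be affected by the lockout situation discussed in this thread, the following added example (not part of the original posts) lists services that log on with a domain account and reports each account's lockout state. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain; `ConvertTo-LdapLiteral` and `Resolve-DomainLogon` are hypothetical helper names.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT)
# and read access to the domain; run it on the server that hosts the services.
Import-Module ActiveDirectory

function ConvertTo-LdapLiteral([string]$Value) {
    # Escape the characters that are special inside an LDAP filter value.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Resolve-DomainLogon([string]$StartName) {
    # Returns an LDAP filter for a domain logon, or $null for built-in,
    # local, and managed (name ends in $) service identities.
    if ([string]::IsNullOrWhiteSpace($StartName)) { return $null }
    if ($StartName -match '^(LocalSystem$|NT AUTHORITY\\|NT SERVICE\\|\.\\)') { return $null }
    if ($StartName.EndsWith('$')) { return $null }
    if ($StartName -match '^(?<dom>[^\\@]+)\\(?<sam>[^\\]+)$') {
        if ($Matches.dom -ieq $env:COMPUTERNAME) { return $null }   # local account
        return '(sAMAccountName={0})' -f (ConvertTo-LdapLiteral $Matches.sam)
    }
    if ($StartName -match '^[^\\@]+@[^\\@]+$') {                     # UPN form
        return '(userPrincipalName={0})' -f (ConvertTo-LdapLiteral $StartName)
    }
    return $null
}

$report = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $filter = Resolve-DomainLogon $svc.StartName
    if (-not $filter) { continue }
    # Queries the current domain only; accounts from a trusted domain show FoundInAD = False.
    $user = Get-ADUser -LDAPFilter $filter -Properties LockedOut, BadLogonCount, LastBadPasswordAttempt |
        Select-Object -First 1
    [pscustomobject]@{
        Service         = $svc.Name
        State           = $svc.State
        LogonAs         = $svc.StartName
        FoundInAD       = [bool]$user
        LockedOut       = $user.LockedOut
        # badPwdCount is not replicated: this is the count on the DC that answered.
        BadLogonCount   = $user.BadLogonCount
        LastBadPassword = $user.LastBadPasswordAttempt
    }
}

# A row with State = Running and LockedOut = True is the case asked about above:
# the process is still up, but new authentications for that account will fail.
$report | Sort-Object LockedOut -Descending | Format-Table -AutoSize
```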