Originally Posted By: NTDOC
Oh I see that based on at least a couple responses here and the desire to create code around it.

I'm just saying that I think Management or someone else is/was in charge of setting that lockout duration. Maybe you're Company is somehow under attack from hacking tools or users inside (often the case that an insider is the one doing the attack than outsider) and that is the reason for having a lockout so that you can't automate a tool against an account in that manner (there or other methods). But in a very large network of 140K desktops and 4K+ Servers we never had an account cracked on NT that we were aware of. Yes we have caught people inside using tools to attack accounts (again a reasonable lockout duration puts a big damper on that). We also found Admins copying the security databases and trying to crack them (no duration lockout will thwart that). We did have all types of attacks "attempted" from outside but none of them hacked a NT account. We did have a couple of FTP accounts on Linux hacked though one of which also lead to root take over. On a different subject - Web attacks on Windows boxes have been more successful than most other methods.

So I still have to ask WHY!!! I just see it as adding a layer of un-needed support on one end to open it back up, and also creating a non productive user for anywhere from an hour to a day or more???

My view is that we as IT Professionals are here to ENABLE users not CONTROL users.


I am currently working at my second financial institutions as an Admin and in both settings, there has no been a setting to unlock the account after a certain time period. The user HAS to call in to get their account unlocked.

Both places I have screamed until I am blue in the face about this, it is probably costing you more in salary and productivity not to set this setting. Think about it, the productivity lost of the user who is locked out and also the productivity the helpdesk user taking the call and from other issues.

I believe Management sees this as another potential way to safe guard and potentially save a buck. By having users call in to get unlocked they can potentially skip other costs somewhere else. Maybe cheaper security equipment, etc.

To me, you should either set the setting to allow it to unlock after a certain amount of time or to purchase a product where the user can unlock themselves.