-
unlocking account
Hey everybody,
I have a question about unlocking a user account.
When I mistype my password the account gets locked and only the administrator can unlock it.
What I want to know is if there is a way to unlock the account but not with the admin's user.
Can the admin provide other users the option to unlock accounts that got locked, and if so how do we do it?
Thanks a lot !
Ron
-
If it's a Win2000Pro or XP Pro box, the admin sets this as a policy to prevent brute force attacks and dictionary attacks. After an X number of attempts it will lock you out. Unless the admin gives you specific permission to unlock accounts you are SOL so to speak. You can ask him to set it at 3 attempts before it locks you out and to change the duration. More than likely he won't though. Most companies have it set in stone.
-
I really am not sure about this but GENERALLY, admins are the ONLY ones who have access to Account Policies.. and the setting of accounts being locked is in the Account Policies.. which means only the admin can unlock those locked accounts.. Unless he makes another user who has the same administrative rights as the administrator account...
-
In Windows 2000, all users in the Administrators group have access to policies and accounts (and can therefore unlock user accounts), so simply adding someone to the Administrators group would give them this privilege (plus a whole host of others, like shutting down, changing which services are running, deleting / creating / modifying user accounts, setting up file shares, changing NTFS security permissions etc.)
Use with extreme caution!
-
By default, most account-locking policies have it set for 3 incorrect passwords before it locks the account. Some have pretty strict rules such as even hitting enter will count as a password. As for linux/unix, once an account is locked, just like the guys said about Winblows, you're pretty much up the creek without a paddle as only the sysadm can save your sorry @$$ at that point. There could be some ways around it (sudo w/ nopassword option set for a script set on an account that has no home and has this script set as the shell, asking for input for a username but this is by no means secure in the slightest and it defeats the purpose of having locked accounts) but none of them are any good at all.
-
In order to unlock accounts, the admin can give you access rights to User Manager. From there you can unlock accounts. However, if it is your own account that is locked out then that will not help you much, since you need to be logged in to get to User Manager. Also, I highly doubt that the admin would be willing to give you User Manager access, since from there you can alter other accounts, accidentally delete profiles, etc. Unfortunately, I am in charge of user level support here where I work. I must waste at least an hour or two a day unlocking people's accounts. Yes, it would be less of an annoyance to both user and myself if they could just unlock themselves, but I realize how much of a security risk this is. I will not even change a user's password until they come to me and show me photo ID. My point is, just try hard to get your password correct the first time. Spend an extra second to make sure the caps lock is not on, etc. It will make both you and your admin happy :D
-
The thing is that we want to create a group of people who will be able to unlock accounts.
-
Well, have a group of people added to the Administrators group, or, have a group created with just enough privileges to unlock accounts, but not to make other changes to the servers, then add selected people to that group.
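
One way to build the "just enough privileges" group suggested above, as an added example that is not part of the original thread. It goes beyond the NT4/Win2K setup discussed here: it assumes an Active Directory domain administered from a machine that has the ActiveDirectory PowerShell module and dsacls.exe, and the OU, group and user names are hypothetical.

```powershell
# Added example: delegate ONLY "unlock account" on one OU to a dedicated group,
# instead of adding people to Administrators or Account Operators.
# Assumptions: OU "Staff" in example.com, group "Account Unlockers", user "jdoe".
Import-Module ActiveDirectory

$ou      = 'OU=Staff,DC=example,DC=com'   # hypothetical OU holding the user accounts
$group   = 'Account Unlockers'            # hypothetical delegation group
$netbios = (Get-ADDomain).NetBIOSName     # short domain name for the trustee string

# 1. Create the delegation group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security `
        -Description 'May clear lockouts on accounts under OU=Staff; nothing else'
}

# 2. Grant read/write on the lockoutTime attribute of user objects below the OU.
#    Unlocking is a write of 0 to lockoutTime, so this is the only attribute the
#    group needs. /I:S applies the ACE to child objects only, not the OU itself.
dsacls $ou /I:S /G "$netbios\${group}:RPWP;lockoutTime;user"
if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }

# 3. Verify what was granted: list the ACEs on the OU that name the group.
#    Expect a single property-scoped entry for lockoutTime, no "FULL CONTROL".
dsacls $ou | Select-String -SimpleMatch $group

# 4. Review who is in the group; membership is now the thing to audit.
Get-ADGroupMember -Identity $group | Select-Object SamAccountName

# 5. What a member of the group can then do from their own logon:
Search-ADAccount -LockedOut -UsersOnly -SearchBase $ou |
    Select-Object SamAccountName, LastLogonDate
Unlock-ADAccount -Identity 'jdoe'         # hypothetical locked-out user

# A password reset by the same person is expected to be denied, because the
# group was not granted the "Reset Password" extended right:
# Set-ADAccountPassword -Identity 'jdoe' -Reset   # -> access denied
```

Keep privileged accounts outside the delegated OU so that members of the group cannot clear lockouts on them.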
-
You can create a group with admin rights as the user account control group or such and give them shortcuts to the User Manager on your server; this is assuming you are running a M$ server of course. You can create the group from the admin template but then just limit and restrict other rights that you do not want them to have access to. Not hard at all. You just have to be careful. Just fire up gpedit.msc from the server and configure the group.
-
cactos> What operating system are you using? This is EXTREMELY important with your question. Are you running Win 2k/xp? Linux? Solaris? Novell? BSD? What? We can't help you unless you tell us more details. What you want to do can be done, but I am not going to go through and explain how to do this under 5 different OS's, just because you didn't ask the question properly.
-
talking about
I'm talking about Windows NT 4, or Win2K.
Can you guys be more specific about what permissions I should give?
-
Well.. to be specific enough.. you could give them the permission to use the account policies..
Or better yet... try this.. make an account that is solely used for unlocking.. and let them use it in case they get locked out.. remember it's useless giving them rights to unlock themselves if they can't log on in the first place..
-
Give that account the right to access user policies.. or was that account policies... I don't remember.. but then the person you should ask is Matty_Cross.. he's a network engineer.. I'm just a network manager/administrator, he knows more than I do
-
Have you/your admin ever thought about setting a timeout on locking? I know in NT4 domains that it's possible. I was so tired of being called at 3:00am because some idiot had the caps lock key on and locked themselves out, so I added a 1 hour timeout (you can make it faster) and the account will unlock itself (actually the system account does the unlocking, but you know what I mean).
Have your admin put a timeout in there so you can get back in, you just have to wait.
As far as I understand, the lockout thing was put there to thwart unauthorized access attempts and would 1) make sure that a hacker or unscrupulous employee wouldn't be able to access that account after it's locked 2) give an easy record of which accounts are being tried on a consistent basis.
-
Only one try on the password seems a little harsh; brute force would be just as useless with 1 try as it would be with 3. Being the admin on that network must suck, your whole job would just be reactivating people’s accounts.
-
In 2k just use the Account Operator built-in security group in AD... allows access to account functions without additional elevated privileges.. think you can do something like this in NT as well... beware though... AO's can modify, add or delete most all account info...
Failing that, a 15 minute timeout can work
-
Okay guys!!
Thank you very very much - you have been very helpful and therefore I'll try to ask another thing with unlocking:
When a user presses CTRL,ALT,DEL and locks his account the msg on the screen says:
"the computer was locked by XXX and it can only be unlocked by user XXX or an administrator"
My question:
Can it be unlocked by another user (not an admin)? And how do I give someone the permissions to unlock a workstation?
Thanks a lot !
Ron
-
Only the current logged in user, or any member of the Administrators group, can unlock a workstation when it's Ctrl. Alt. Delete Locked.
-
Hey guys, I'm just a newbie and all, but I was looking for ways to tweak up my PC the other day. Well, I cut and pasted this so I would have it after I upgrade. Sorry though, I can't remember where I got it, but it might help and it might not, you decide...
To display the Administrator (master: Admin/Sysadmin) account on the Windows XP Welcome logon screen, fire up Regedit (or Regedt32) and go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Create (if not present) a new Value: right-click on an empty spot in the right hand pane -> select New -> DWORD [REG_DWORD] Value -> name it Administrator -> click OK -> double-click on it -> check the Decimal box -> type 1 -> click OK.
Modify (if present) the "Administrator" DWORD [REG_DWORD] Value: highlight it in the right hand pane -> select Modify -> check the Decimal box -> type 1 -> click OK.
Close the Registry Editor when done.
From now on, whenever you logon as Admin/Sysadmin [ONLY IF you have administrator rights to the computer you're trying to boot into :)] you'll see the Administrator account on the Welcome display. Well, now maybe this just changes the cosmetics on your PC, I don't know, because I still got me, but it sounds to me like an interesting little something even if it's not any use to you.
-
Re: unlocking account
Quote:
Originally posted here by cactos
Hey everybody,
I have a question about unlocking a user account.
When I mistype my password the account gets locked and only the administrator can unlock it.
What I want to know is if there is a way to unlock the account but not with the admin's user.
Can the admin provide other users the option to unlock accounts that got locked, and if so how do we do it?
Thanks a lot !
Ron
This happened to me at college, but so long as the network is secured by sensible admins, then only the admins will be able to unlock any accounts. Usually three incorrect logins in one go will lock your account automatically (some idiots deliberately tried three different passwords just to lock my account! :mad:), although some admins may set this number higher, lower, or even turn it off altogether.
Admins can provide other users with the option to unlock accounts, they'd just have to give you some of their privileges first, which they might not want to do. I don't know whether the ability to unlock accounts can be granted specifically, as I'm not an expert with Win2k or XP, but I imagine you'd get some other privileges as well.
Hope this helps. :D