Password Changes and Exchange Activesync AD lockouts


There is no good way to do this. You have a few options (that aren't really solutions as they don't fix the actual problem) that will allow you to reduce the fallout from this, but none of these will completely solve the issue. Here is what we've narrowed it down to, and what we ultimately resort to, in our organization:

A) Increase the threshold of invalid attempts; we like to keep ours pretty high (50 right now) as some people might not check their phone for an extended period of time (say 4-8 hours or more), and while we can't guarantee that they will check it before the threshold locks them out, we can at least try to increase the amount of time they have before they do get locked out by having a high lockout threshold.

B) Set up a script (VB or PowerShell) that emails users warning them that their passwords are about to expire; you can also include a reminder in this email that they will need to change the password on their phones once they change it on their computers. Again, this method only partially works as I'm sure you can guess. I'd be happy to provide you the PowerShell code I've used to do this if you'd like, just let me know.

C) Exclude the group of users who use EAS from the lockout policy. This defeats the whole purpose of the lockout policy and is a great security risk, so it isn't something I'd recommend, but nevertheless it is a workaround/option.

Apparently TMG 2010 SP2 and above now has an account lockout feature per this, but if you're not using TMG then that is irrelevant.
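Option B above describes a password-expiry reminder script. The following is an added example, not the answerer's own script: it reads the expiry time Active Directory computes for each user (which honours fine-grained password policies) and emails anyone within a warning window, including the reminder to update ActiveSync devices. The SMTP relay, sender address and OU are placeholders.

```powershell
# Added example: warn AD users whose password expires within $WarnDays and
# remind them to update the mail account on their phone/tablet.
# Assumes the ActiveDirectory RSAT module and an internal SMTP relay.
Import-Module ActiveDirectory

$WarnDays   = 7                                  # how far ahead to warn
$SmtpServer = 'smtp.example.internal'            # placeholder relay
$From       = 'it-helpdesk@example.internal'     # placeholder sender
$SearchBase = 'OU=Staff,DC=example,DC=internal'  # placeholder OU

# msDS-UserPasswordExpiryTimeComputed is derived by the DC from the policy
# that actually applies to the user, so it is more reliable than adding
# maxPwdAge to pwdLastSet by hand.
$users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -SearchBase $SearchBase `
    -Properties mail, 'msDS-UserPasswordExpiryTimeComputed'

$now = Get-Date
foreach ($u in $users) {
    if (-not $u.mail) { continue }               # nobody to notify
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 = must change at next logon; Int64.MaxValue = never expires.
    if (-not $raw -or $raw -eq 0 -or $raw -ge [Int64]::MaxValue) { continue }

    $expires  = [DateTime]::FromFileTime($raw)
    $daysLeft = [Math]::Ceiling(($expires - $now).TotalDays)
    if ($daysLeft -lt 0 -or $daysLeft -gt $WarnDays) { continue }

    $body = @"
Hello $($u.GivenName),

Your network password expires in $daysLeft day(s), on $($expires.ToString('yyyy-MM-dd HH:mm')).

After you change it on your computer, update the password in the mail
account on your phone or tablet straight away. A device that keeps using
the old password will lock your account after repeated failed sign-ins.
"@

    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $u.mail `
        -Subject "Your password expires in $daysLeft day(s)" -Body $body
    Write-Verbose "Warned $($u.SamAccountName): expires $expires"
}
```

Run it once a day from a scheduled task under an account that can read the OU; users who have already expired (negative days left) are skipped because they can no longer act on the reminder from their phone anyway.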


Author by tekuser

Updated on September 18, 2022

Comments

  • tekuser over 1 year

    Not sure how others are doing this, but the main issue we are having arises when a user changes their password on a PC. When they change it, the ActiveSync on the phone does not update automatically. It will try to authenticate with the old password and lock out the user after three tries. What are options to address this issue?

    • Mathias R. Jessen almost 10 years
      Increase the account lockout threshold significantly (i.e. 50 or so attempts), as well as the lockout duration proportionally. This way the user will have more time to update the ActiveSync device, and the longitudinal efficiency of brute-force attempts is unaltered.
    • Admin almost 10 years
      What phones are you using? I know that we do not get this lockout effect on iPhones and Windows Mobiles, but have seen it occur on some of our Android devices we use with ActiveSync.
    • tekuser almost 10 years
      Anybody using certificates to do this? Any info on how to set this up with certs to address this issue?
    • Brad Bouchard almost 10 years
      What version of iOS and Android are these users spread out on?
  • Daniel almost 10 years
    As Brad already said, C is the worst solution you can choose. A is something I would not consider. I know it's tough, but user awareness is mandatory in a secure IT environment. Security is meant to be complicated. If users want to be lazy, they should not use a workplace where security matters. Distilled: push user awareness.