Callis schrieb:
I haven't tested this yet (I noted it on my list!) but would assume that
when the WAN connection isn't available, there's no lockout for that
user. I don't think that the RODC caches this information locally. I
guess the user is able to try a wrong password multiple times without a
lockout.
Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
ANY advice you get on the Newsgroups should be tested thoroughly in your
lab.
Thanks for your response!
I beleive that the RODC indeed locks the account an updates the lockoutTime
attribute on itself, however since the WAN Link is down the lockout status
is not updated on any of the other DC's
But i am not sure if RODC will allow the user to login once the Lockout
Duration is expired
"Florian Frommherz [MVP]" <flo...@frickelsoft.DELETETHIS.net> wrote in
message news:upR8JUjj...@TK2MSFTNGP04.phx.gbl...
Rather surprised myself at the information presented in the following;
http://technet.microsoft.com/en-us/library/cc770854(WS.10).aspx
...and a little skeptical of it's accuracy...but...
>
> "Florian Frommherz [MVP]" <flo...@frickelsoft.DELETETHIS.net> wrote
> in message news:upR8JUjj...@TK2MSFTNGP04.phx.gbl...
>> Howdie!
>>
>> Callis schrieb:
>>> Assuming that a branch user has exceed the allowed login attempts
>>> and gets locked by the local RODC. The branch site has an RODC
>>> which caches the said user creds, however the WAN link connecting
>>> to the hub site is not available. Will the branch users be able to
>>> relogin after the account lockout duration expires?
>>
>> I haven't tested this yet (I noted it on my list!) but would assume
>> that when the WAN connection isn't available, there's no lockout for
>> that user. I don't think that the RODC caches this information
>> locally. I guess the user is able to try a wrong password multiple
>> times without a lockout. Cheers,
>> Florian
>> --
>> Microsoft MVP - Group Policy
>> eMail: prename [at] frickelsoft [dot] net.
>> blog: http://www.frickelsoft.net/blog.
>> ANY advice you get on the Newsgroups should be tested thoroughly in
>> your lab.
--
/kj
The lockout duration is replicated to the RODC, so it will allow the logon
after the lockout duration has expired. There is more info here:
http://technet.microsoft.com/en-us/library/dd736126(WS.10).aspx#BKMK_AcctLck
The topic that kj cites is also accurate.
Justin [MSFT]
Active Directory Documentation Team
"Callis" wrote:
> .
>
Thanks for the documentation accuracy confirmation Justin.
>
> Justin [MSFT]
> Active Directory Documentation Team
>
> "Callis" wrote:
>
>> Assuming that a branch user has exceed the allowed login attempts
>> and gets locked by the local RODC. The branch site has an RODC which
>> caches the said user creds, however the WAN link connecting to the
>> hub site is not available. Will the branch users be able to relogin
>> after the account lockout duration expires?
>>
>>
>> .
--
/kj