The badPwdCount attribute keeps a running total of the number of bad
password attempts for a user account in ADAM. The value of the
attribute changes as shown below:
- Start = 0
- First wrong password attempt = 1
- Second wrong attempt = 2
- Correct password = 2
- Correct password = 2
.....
- Correct password = 2
- Third wrong attempt = 1
As you can see, the value is not reset when the correct password is
provided. It is only reset when the next bad password is entered.
i.e. once the value has been set it will never return to 0.
This behaviour is impacted by the account policy setting "Reset account
lockout after". If this value is 1 hour, any bad password attempts
within a 1 hour interval will be cumulative, even if one or more valid
passwords are provided during that time. For example, if the following
attempts were all provided inside a 1 hour period:
- Start = 0
- First wrong attempt = 1
- Second wrong attempt = 2
- Correct password = 2
- Correct password = 2
.....
- Correct password = 2
- Third wrong attempt = 3
This behaviour is creating issues in our environment (we have an
account lockout policy of 6 wrong passwords and a reset account lockout
period of 5 hours). As an example: a user enters the wrong password
too many times and locks out their account. They call the help desk to
have the password reset, but if they get their new password wrong just
once more in the next 5 hours their user account will once again be
locked. Can this behaviour be changed somehow? Once a user account is
unlocked by an administrator (by resetting the password) i want the
badPwdCount attribute to be effectively set to 0 so that the user has
another 6 wrong password attempts up their sleeve before once again
locking out their account.
Any ideas would be really appreciated.
Thanks, Hinch.
|