From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob Preston
Sent: Thursday, June 03, 2004 4:18 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Factory monitoring pcs - preventing Account lockout

I have a problem that I'm sure the brainpower on this list can help with. We're about to refresh the hardware and upgrade from Win2k to XP using an automated build process. Vendor will swap out hardware, RIS a new image down, and SMS will take over to install all the applications needed.

These PCs auto-login with a userid and launch a factory-floor monitoring application. We have several factories to deal with, and currently we maintain hundreds of ids to provide this functionality. By having all these accounts we limit the risk of an account being locked out (has happened before) and preventing crucial monitoring stations from working. The applications are read-only to network resources and are in a very locked down environment.

The PCs reside on a Win2k SP4 domain, and the current domain policy locks after x attempts, and resets after xxx minutes. What we would like to do is use two accounts at each factory, but to prevent locking all the PCs at each location, we would need to relax the domain policy of lockouts after xx attempts. Having a smaller number of accounts to manage makes the deployment system much simpler to accomplish.

Is this in the realm of possibility without needing to purchase new hardware (for example, to create a child domain)?

I'm sure these questions may spark some concerns - and I'm interested in this feedback as well.

Thanks all!

Rob Presson
