Friday, April 28, 2006

Password Policies on Disconnected Systems

Another great post from Jesper's blog, regarding which password policies are not enforced when a system is not connected to the domain:

Some Password Policy Settings Are Not Enforced When Disconnected

My first thought when hearing the topic was, "how can they ignore password expiration and account lockouts when disconnected?" After reading the explanation, however, I realize it couldn't be done any other way. Both of these policies would make it extremely difficult for mobile users to function if they were applied when the user is disconnected.

It's not that the policies are that much worse for mobile users (although Jesper recommends against account lockout policies anyway); the problem is the hoops that must be jumped through if someone runs afoul of one of these policies while away from the domain, or away from an internet connection entirely.

The concept that a user will have to log in to a VPN in order to reset their expired password is bad enough. I could see this being a huge issue for my mobile users, and for myself as well.

But even worse is the account lockout policy. If a laptop could be locked out by entering the wrong password too many times, the only recourse would be to reconnect the laptop to your network so the account could be re-enabled. No VPN shortcuts either; the computer would actually have to be connected for this to work. Imagine having a company based in the U.S., and having a user lock themselves out while traveling overseas! What do they do, ship the laptop back to the States?
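A quick way to see which side of this line a laptop is on, as an added example that is not from Jesper's post or this blog: the script below checks whether the machine can currently reach its domain, reads the Winlogon setting that controls how many domain logons Windows keeps available for offline use, and lists the account policy the local machine itself enforces. The registry path, the CachedLogonsCount value, Test-ComputerSecureChannel and net accounts are real Windows items; the assumption is that you run this on a domain-joined machine with PowerShell 3 or later.

```powershell
# Added example, not code from the original post. Assumes a domain-joined
# Windows machine running PowerShell 3 or later.

function Get-DisconnectedLogonStatus {
    # Can we currently talk to a domain controller over the secure channel?
    # On a machine that is off the network (or not domain-joined) this throws,
    # which we treat as "disconnected".
    $domainReachable = $false
    try {
        $domainReachable = [bool](Test-ComputerSecureChannel -ErrorAction Stop)
    } catch {
        $domainReachable = $false
    }

    # Number of domain logons Windows caches so the user can still sign in
    # while disconnected. The value is stored as a string; default is 10.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
                -ErrorAction SilentlyContinue).CachedLogonsCount

    # The account policy the local SAM enforces. Without a reachable DC this
    # is the only policy the machine can apply; the domain policy is what
    # 'net accounts /domain' would show once the laptop is back on the network.
    $localPolicy = net accounts 2>$null

    [pscustomobject]@{
        DomainReachable   = $domainReachable
        CachedLogonsCount = $cached
        LocalAccountPolicy = ($localPolicy -join "`n")
    }
}

Get-DisconnectedLogonStatus
```

If DomainReachable comes back $false, the expiration and lockout figures you see under LocalAccountPolicy are the ones that matter until the user reconnects; a domain lockout or an expired domain password cannot be cleared from that machine until a DC is reachable again.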

Thankfully, Microsoft has insightful people like Jesper who consider these issues before they become a problem.
