On Jan 24 17:16, Stefan Baur wrote:
> On 24.01.19 at 16:59, Corinna Vinschen wrote:
> > I think refusing an account manually and deliberately disabled by an
> > admin makes lots of sense.
> >
> > I'm not so sure about locked out accounts. This might need some
> > discussion.
>
> It's been a while since I did Windows administration, so I can't really
> make a recommendation here ... BUT:
>
> If an admin can lock out an account (separately from disabling it
> entirely), say, by setting an initial password, checking the "user must
> change password on first login", and also checking "user is not allowed
> to change password" simultaneously (if that's possible), or, say, by
> just setting a random password without telling it to anyone ever,
> followed by firing so many login attempts at the account that it gets
> locked out, then telling them apart and treating locked out accounts
> differently would make sense, IMO.

This description sounds extremely artificial to me. We should work under
the assumption that the admin is the good guy. Usually a user locks
itself out, or is locked out by a malicious login attempt. The admin
can only define rules for locking out, other than that she can only
remove the "account locked" flag.

Corinna

--
Corinna Vinschen
Cygwin Maintainer