[cifs-protocol] 113120511001670] Has Password history check (N-2) gone away in 2012R2?

Edgar Olougouna edgaro at microsoft.com
Sun Dec 8 20:25:16 MST 2013


Andrew,
The mentioned feature remains the same. I have confirmed with the product group that the behavior has not changed. 

We do not see any change of behavior to the group policy settings "Enforce Password History", "Allow log on locally" and related settings.

Here are the Windows-to-Windows configuration and repro steps for comparison and verification with your Samba test case if needed.

Configuration
1) Create a user ‘u1’ with initial password ‘FooBar1.’
2) Configure account lockout
   a. Threshold: 3 attempts
   b. Duration: 30 mins
   c. Lockout counter: 30 mins
3) Configure “Allow log on locally” by adding ‘u1’ to the list

Repro steps
1) Use net.exe to change u1’s password.
   a. Net user u1 FooBar2.
   b. Net user u1 FooBar3.
   At this point, u1’s password is FooBar3.
2) Log on in the UI using ‘u1’ and providing an old password (FooBar1.)
3) Log on four times.
4) u1 does not get locked out. Each login fails with incorrect password.
5) Change u1’s password again: net user u1 FooBar4.
6) Repeat steps 2-3 (again providing password FooBar1.).
7) On the fourth time, logon fails with account locked out as expected.

Thanks,
Edgar

-----Original Message-----
From: Edgar Olougouna 
Sent: Thursday, December 5, 2013 8:51 AM
To: Andrew Bartlett
Cc: cifs-protocol at samba.org; MSSolve Case Email
Subject: RE: 113120511001670] Has Password history check (N-2) gone away in 2012R2?

Andrew,

I will investigate this and follow-up.

Thanks,
Edgar

-----Original Message-----
From: Tarun Chopra 
Sent: Thursday, December 5, 2013 2:04 AM
To: Andrew Bartlett
Cc: cifs-protocol at samba.org; MSSolve Case Email
Subject: [RE:113120511001670] Has Password history check (N-2) gone away in 2012R2?

Hello Andrew:

Thank you for contacting Microsoft Support. We have created a case to track your inquiry and a support engineer will be in touch to assist further.

Thanks
Tarun

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Wednesday, December 4, 2013 8:03 PM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org
Subject: Has Password history check (N-2) gone away in 2012R2?

I've been updating our rpc.samr.passwords.badpwdcount test.

My servers were both installed from scratch, with defaults etc.  Of course, our own tests or even policies may have changed things - we do try and set up password history in our tests however.

What I've noticed is that the 'Password history check (N-2)' check described here doesn't seem to work any more:
http://msdn.microsoft.com/en-us/library/cc780271%28v=ws.10%29.aspx

Before I dig further, can you confirm it is expected to remain a feature?

Thanks,

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
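
The repro steps in the reply at the top of this thread, as a small model that can be run for comparison against a test case. This is an added example, not part of the original thread and not Windows or Samba code; the Account class, its method names and the result strings are hypothetical, and the 30-minute lockout duration and counter reset are not modelled.

```python
from collections import deque

WRONG_PASSWORD = "wrong_password"
LOCKED_OUT = "account_locked_out"
SUCCESS = "success"


class Account:
    """Toy model of bad-password counting with an N-2 history exemption."""

    def __init__(self, password, threshold=3, exempt_depth=2):
        # Assumption: plaintext is kept only to make the model readable.
        self.current = password
        # Holds the two most recent old passwords (N-1 and N-2).
        self.previous = deque(maxlen=exempt_depth)
        self.threshold = threshold
        self.bad_pwd_count = 0

    def change_password(self, new_password):
        # Corresponds to `net user u1 <new>` in the repro steps.
        # appendleft on a full deque drops the oldest entry (N-3 and older).
        self.previous.appendleft(self.current)
        self.current = new_password

    def logon(self, attempt):
        if self.bad_pwd_count >= self.threshold:
            return LOCKED_OUT
        if attempt == self.current:
            self.bad_pwd_count = 0
            return SUCCESS
        # An attempt matching N-1 or N-2 fails but is not counted.
        if attempt not in self.previous:
            self.bad_pwd_count += 1
        return WRONG_PASSWORD


def run_repro():
    u1 = Account("FooBar1.")
    u1.change_password("FooBar2.")
    u1.change_password("FooBar3.")          # FooBar1. is now N-2
    first = [u1.logon("FooBar1.") for _ in range(4)]
    count_after_first = u1.bad_pwd_count
    u1.change_password("FooBar4.")          # FooBar1. is now N-3
    second = [u1.logon("FooBar1.") for _ in range(4)]
    return first, count_after_first, second


if __name__ == "__main__":
    for part in run_repro():
        print(part)
```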






