tracking user logins

Boyce, Nick nick.boyce at
Thu Nov 28 14:37:00 GMT 2002

On Wednesday, November 27, 2002, at 19:55  PM, Jim Morris wrote:

> I must say that I know of no NT/2000 option to allow only login from 
> one client PC, although I recall Netware having such an option.

Agreed again.  (I think you meant something different from the facility John
Terpstra referred to - on NT/2K you can specify which machines, perhaps
only one, that a user account can use, but you can't specify "Maximum number
of concurrent sessions"; on Netware you can do both.)

> Given the growing presence of Samba in the large enterprise, with more 
> and more companies becoming security conscious as time goes forward, we 
> are going to hit these types of issues more and more.

Mmm.  I've only *just* managed to demonstrate to the Powers-That-Be around
here the full horror of an unswitched LAN with unencrypted passwords and a
sniffer ... so _now_ changes are underway.   Password encryption *with*
failed login tallying *will* be part of security policy ..

> ... What is needed is an examination of the various 
> security policies that can be set up in an NT/2000 Server environment, 
> so that a list of such items that are appropriate to a Samba 
> environment can be built.  

I'd just like to add a vote for another item for this list - something which
can be done on Netware, VMS, and on some Unixen, but not NT/2K (AFAIK) -
allow a password expiry "grace" period to be configured if desired - a
period of time after a password has expired, during which a user account can
still log in but is forced straight into a password-change dialog.  This
allows for those occasions when (e.g.) someone is away for a whole month,
during which their password expires.

> ...  I would be glad to help in this effort in any way I can, 
> including documentation and code.

Likewise, but only for documentation ..

Nick Boyce
EDS Southwest Solution Centre, Bristol, UK

