Hello MS gurus,
We're looking to ease lockout issues at work. We found a comment on an Educause listserv (here: http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind1409&L=SECURITY&T=0&F=&S=&P=2706) that makes it sound like enabling password history prevents a user from locking their account when they repeatedly attempt to authenticate with an old password, regardless of the bad-password account lockout threshold setting. We appreciate this idea because then user accounts won't be locked out when they've stuffed things like Exchange passwords into their mobile devices and don't remember doing so.
We've found that this seems true when authenticating with Kerberos (tested by repeating an old password while attempting to log into a Windows 7 client), but when we authenticate through LDAP, the account locks out after the number of attempts specified in the lockout threshold.
Why is this? Can someone point me in a direction to make LDAP auth respect that Active Directory domain policy setting?
Our domain is currently at the Server 2008 R2 functional level.
Thanks,
Matt
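A diagnostic script that fits this question, added here as an example and not part of Matt's post: it dumps the domain's effective lockout and password-history settings, then reads the per-DC lockout counters for one account so you can see which domain controller is actually receiving the failed attempts (badPwdCount and lockoutTime are not replicated between DCs, which is why a single query against one DC can be misleading). It assumes the RSAT ActiveDirectory module is installed and the caller has read access to the domain; the account name is a placeholder you supply.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module
# and domain read access; $SamAccountName is a placeholder supplied by the caller.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName   # e.g. 'jdoe' (placeholder)
)

Import-Module ActiveDirectory

# 1. Effective domain lockout/history settings the post is asking about.
$policy = Get-ADDefaultDomainPasswordPolicy
[pscustomobject]@{
    LockoutThreshold         = $policy.LockoutThreshold
    LockoutObservationWindow = $policy.LockoutObservationWindow
    LockoutDuration          = $policy.LockoutDuration
    PasswordHistoryCount     = $policy.PasswordHistoryCount
} | Format-List

# 2. badPwdCount / badPasswordTime / lockoutTime are per-DC (non-replicated) attributes,
#    so query every DC. The DC whose badPwdCount keeps rising is the one receiving
#    the failed logons or LDAP binds from the stale credential.
$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                -Properties badPwdCount, badPasswordTime, lockoutTime, LockedOut -ErrorAction Stop
        [pscustomobject]@{
            DC              = $dc.HostName
            BadPwdCount     = $u.badPwdCount
            LastBadPassword = if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) } else { $null }
            LockoutTime     = if ($u.lockoutTime)     { [DateTime]::FromFileTime($u.lockoutTime) }     else { $null }
            LockedOut       = $u.LockedOut
            Error           = $null
        }
    } catch {
        # Unreachable or untrusted DC: record the failure rather than aborting the sweep.
        [pscustomobject]@{
            DC = $dc.HostName; BadPwdCount = $null; LastBadPassword = $null
            LockoutTime = $null; LockedOut = $null; Error = $_.Exception.Message
        }
    }
}

$results | Sort-Object BadPwdCount -Descending | Format-Table -AutoSize
```

Run it as `.\Find-LockoutSource.ps1 -SamAccountName jdoe` (script name is a placeholder). Once you know which DC is counting the failures, its Security log tells you which path the stale credential is taking: event 4771 covers Kerberos pre-authentication failures and 4776 covers NTLM credential validation, so a DC that accumulates bad-password counts without matching 4771 entries points at a non-Kerberos path such as an LDAP simple bind, which is the distinction the question is about.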