Channel: Security forum

Account Lockout Policy & Monitoring


Hi,

There is a customer who is requesting to disable the Account Lockout Policy on GPO based on the situation.

There are around 1000 users and 20% are mobile users who are always roaming around and using multiple devices such as iPad, iPhone, Android Device, etc...

There is a GPO for Password Expiry and Account Lockout, so whenever their password expires, their accounts keep getting locked out unless they update the password on all of the devices which they are using to connect to domain services, which is causing inconvenience to everyone.

One of the Microsoft Partners suggested the following.

1 - Disable the Policy for Account Lockouts so there shouldn't be any policy to lock out accounts if there are invalid logon attempts.

(The consultant also mentioned a reason for this option: he says that if someone attempts a DHA attack or tries invalid logon attempts using a script or so, it will lock out all the accounts on AD, thus causing loss of productivity.)

2 - Implement a monitoring / alerting solution to alert on multiple invalid logon attempts within the specified time range.

I wonder if this is the best practice recommended by experts, and also which tool to use for alerting on invalid logon attempts. Anything from the Microsoft line of products, please suggest.

Regards,

Maqsood

 


Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified
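
The alerting described in option 2, sketched as an added example that is not part of the original post: a sliding-window check over failed-logon records (for instance, parsed from Windows Security event 4625) that separates one device retrying a single account from one source failing against many accounts. The record fields, window length, thresholds and alert names are assumptions chosen for illustration, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed alerting window
PER_ACCOUNT_THRESHOLD = 5        # assumed: failures for one account inside WINDOW
PER_SOURCE_ACCOUNTS = 4          # assumed: distinct accounts failed by one source inside WINDOW

def detect(events):
    """events: (timestamp, account, source) tuples sorted by time.
    Returns (timestamp, kind, subject) alerts, at most one per kind and subject."""
    by_account = defaultdict(deque)   # account -> recent (ts, source)
    by_source = defaultdict(deque)    # source  -> recent (ts, account)
    seen, alerts = set(), []

    def raise_once(ts, kind, subject):
        if (kind, subject) not in seen:
            seen.add((kind, subject))
            alerts.append((ts, kind, subject))

    for ts, account, source in events:
        for q, item in ((by_account[account], source), (by_source[source], account)):
            q.append((ts, item))
            while ts - q[0][0] > WINDOW:   # drop entries older than the window
                q.popleft()
        acct_q = by_account[account]
        if len(acct_q) >= PER_ACCOUNT_THRESHOLD:
            sources = {s for _, s in acct_q}
            # A single device retrying one account usually means a stale saved password.
            kind = "stale-credential-device" if len(sources) == 1 else "account-under-guessing"
            raise_once(ts, kind, account)
        if len({a for _, a in by_source[source]}) >= PER_SOURCE_ACCOUNTS:
            # One source failing against many accounts is the scripted pattern.
            raise_once(ts, "many-accounts-from-one-source", source)
    return alerts

def sample_events():
    """Constructed failed-logon records, not real log data."""
    t0 = datetime(2024, 1, 8, 9, 0, 0)
    ev = [(t0 + timedelta(seconds=30 * i), "alice", "ipad-01") for i in range(6)]
    ev += [(t0 + timedelta(minutes=20, seconds=i), f"user{i}", "10.0.0.50") for i in range(5)]
    ev += [(t0 + timedelta(hours=2 * i), "bob", "laptop-07") for i in range(5)]
    return sorted(ev)

if __name__ == "__main__":
    for ts, kind, subject in detect(sample_events()):
        print(ts.isoformat(), kind, subject)
```

The occasional mistyped password ("bob" in the sample) stays below both thresholds and raises nothing.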

