I’m posting this here as a last resort. All other wells are dry. I’m out of ideas.
Attention SDMB Techies! I’ve got a problem to solve at work and resolution is eluding me. I’ve scoured Micro$oft’s tech pages and Googled until my fingers were raw, but I can’t find a way to do what I want to do. First a bit of background…
[GeekSpeak]
I have implemented a web-based tool which allows users to reset their password or unlock their account (Win2K Active Directory, XP Clients). I’ve got an AD account I’m using as a service account - users can log on anywhere, including their own machine, using this account. I’ve applied a User-Defined Group Policy to this account which, upon logon, launches the Password Reset Page in Kiosk mode, prevents users from closing IE, and only allows Log Off when they CTRL+ALT+DEL. I’ve applied several other sundry security measures to this account which are not directly relevant to this problem I’m presenting. Suffice it to say - if you worked here and locked your account or forgot your network password, you’d be able to log on to your own machine using this account and unlock or reset your password - but other than that you’d only be able to log out again (to subsequently log on using your own credentials). The credentials/instructions to do this are displayed on the security screen after the CTRL+ALT+DEL, so if you’ve locked yourself out the solution will be right there for you. (Cool, eh?).
Anyways, the logon, the page, the process works a treat, but I have one minor problem.
If a user passes a bad password with this account 3 times, the account gets locked out - that’s the default domain policy and with all other accounts it’s a good thing. However, I want this account, and only this account, to never lock. Unfortunately, this particular bit of policy is a Computer-Defined Group Policy in AD, and since I want users to be able to log on anywhere using this account I can’t override the lock out policy on every machine (Catch-22). I was hoping I’d find a solution within the net user command (I used net user to allow a blank password on this account contrary to domain policy), or in ADSI Edit, but I haven’t found a solution. I thought perhaps this could be done through LDAP, but my searches have revealed nothing.
The best solution I can come up with, lacking a conventional solution, is to implement a script that runs constantly setting the badPwdCount (via ADSI Edit) back to ZERO. This is sloppy, though - I consider this only a bridge to a better solution.
[/GS]
A solution would be fantastic (will you do my homework for me, please), but I’d settle for a decent Windows Systems Administrator Forum (that’s not filled with little trolls asking how to hack their school network) if you can recommend one.
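The stopgap described in the post (a script that keeps clearing the lockout on the one kiosk account) written out as an added example; this is not code from the original post. It assumes a placeholder distinguished name and log path, a Windows PowerShell host with the built-in [ADSI] accelerator (which talks to Win2K domain controllers without any AD module), and that the script runs under an identity allowed to write lockoutTime on that single object. It clears lockoutTime rather than badPwdCount, because badPwdCount is maintained per domain controller and is not writable through ADSI, and it logs every unlock so a burst of entries stands out as someone hammering the shared account.

```powershell
# Added example, not from the original post. Placeholders / assumptions:
#   - the kiosk service account's DN below
#   - the running identity may write lockoutTime on that one object only
#   - Windows PowerShell with the [ADSI] accelerator (no AD module required)
$ServiceAccountDN = "CN=PwdResetKiosk,OU=Service Accounts,DC=example,DC=com"  # placeholder DN
$PollSeconds      = 30                                                          # check interval
$LogPath          = "C:\Logs\kiosk-unlock.log"                                  # placeholder path

function Get-LockoutTime($Account) {
    # lockoutTime is a 64-bit FILETIME stored as an ADSI LargeInteger.
    # 0 (or an absent attribute) means the account is not locked out.
    $Account.psbase.RefreshCache(@("lockoutTime"))
    $raw = $Account.psbase.Properties["lockoutTime"].Value
    if ($null -eq $raw) { return [Int64]0 }
    # Rebuild the Int64 from the COM object's HighPart/LowPart; LowPart is a
    # signed Int32, so mask it back to its unsigned 32-bit value first.
    $high = [Int64]$raw.GetType().InvokeMember("HighPart", "GetProperty", $null, $raw, $null)
    $low  = [Int64]$raw.GetType().InvokeMember("LowPart",  "GetProperty", $null, $raw, $null)
    return ($high * 4294967296) + ($low -band 0xFFFFFFFF)
}

function Clear-Lockout($Account) {
    # Writing 0 to lockoutTime is the supported way to unlock an account.
    # badPwdCount is DC-maintained and cannot be written here, so leave it alone.
    $Account.Put("lockoutTime", 0)
    $Account.SetInfo()
}

function Write-UnlockLog([string]$Message) {
    # One line per event; the log itself is the detection signal for abuse of the account.
    $line = "{0:u} {1}" -f (Get-Date).ToUniversalTime(), $Message
    Add-Content -Path $LogPath -Value $line
}

$account = [ADSI]("LDAP://" + $ServiceAccountDN)

while ($true) {
    try {
        $lockedAt = Get-LockoutTime $account
        if ($lockedAt -ne 0) {
            $when = [DateTime]::FromFileTimeUtc($lockedAt)
            Clear-Lockout $account
            Write-UnlockLog ("Account {0} was locked at {1:u}; lockout cleared." -f $ServiceAccountDN, $when)
        }
    } catch {
        # Keep polling; a DC that is briefly unreachable should not kill the loop.
        Write-UnlockLog ("Check failed: " + $_.Exception.Message)
    }
    Start-Sleep -Seconds $PollSeconds
}
```

Run it as a scheduled task (restart on failure) under a dedicated identity whose only delegated right is writing lockoutTime on that one object, and watch the log: a handful of unlocks a day is people fat-fingering the kiosk password, while dozens in a minute is someone guessing against the shared account and worth an alert.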