Information Technology Reference
In-Depth Information
•
Logon Hours
—Clicking this button opens a dialog box (see Figure 5-7) where administra-
tors can restrict days and hours that users can log on to the domain. By default, all days
and all hours are permitted. To exclude hours, click the Logon Denied option button and
select the boxes for the hours you want to exclude; each box represents one hour. You can
drag over the hour boxes to select several days or hours at a time. In Figure 5-7, logging
on is denied to Sales Person1 every day from 12:00 a.m. to 3:00 a.m. The default behavior
of this feature denies new attempts to log on during logon denied hours but doesn't affect
a user who's already logged on. However, you can set a group policy to force a user to be
disconnected when logon hours expire.
Figure 5-7
Setting logon hours
•
Log On To
—Click this button to specify by computer name which computers the user
account can use to log on to the domain. By default, a user can use all computers in the
domain.
•
Unlock account
—If this check box is selected, the user has too many failed logon
attempts. In this case, the account is locked out and the user can't log on. Clearing the
check box unlocks the account.
•
Account options
—Five of these options were described previously. Most account options
pertain to the user's password and Kerberos authentication properties, but a few warrant
more explanation:
• Store password using reversible encryption: Allows applications to access an account's
stored password for authentication purposes. Enabling this option poses a consider-
able security risk and should be used only when no other authentication method is
available.
• Smart card is required for interactive logon: Requires a smart card for the user to log on
to a domain member. When this option is enabled, the user's password is set to a
random value and never expires.
• Account is sensitive and cannot be delegated: Used to prevent a service from using an
account's authentication credentials to access a network resource or another service. This
option increases security and is most often set on Administrator accounts.
•
Account expires
—An administrator uses this option to set a date after which the account
can no longer log on.
Search WWH ::
Custom Search