Unlock account using security Q&A using AD .net membership provider?

  • Question

  • User1863298402 posted

    I have a .net web app that uses AD to manage the users. I got the security question and answer working to reset the password (followed this article: http://msdn.microsoft.com/en-us/library/ms998360.aspx).

    The problem: Currently AD's Lockout-Threshold is set to 0, so the user can try to log in as many times as they want. If I set the Lockout-Threshold to 5 attempts and the account is locked, then the security question and answer don't work; the password cannot be reset if AD locks the account.

    Is there a way to lock the account after 5 attempts but still allow the user to go through the password Q&A process?

    Thanks,

    Tarek

    Tuesday, June 4, 2013 9:29 AM

Answers

  • User1508394307 posted

    I think your sysadmin can configure AD with an account unlock policy on the domain and set a specific time for which a user account is locked out after the user enters too many bad passwords. So the account will be unlocked automatically and the user can either enter the password again or try to reset it with security questions. Another way I see is to try the membership provider's UnlockUser() method, which can unlock an account from code. So you can check if the account is locked out (for example, using the LastLockoutDate property) and then call UnlockUser.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Sunday, June 9, 2013 10:50 AM
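One way to wire the suggested UnlockUser()/LastLockoutDate check into the Q&A reset flow, as an added example that is not code from this thread or from the MSDN article. It assumes an ActiveDirectoryMembershipProvider configured in web.config with enablePasswordReset="true" and requiresQuestionAndAnswer="true"; the MemoryCache throttle (UnlockThrottle) is my own addition so that the form cannot be used to lift the provider's answer-attempt lockout on every request.

```csharp
// Added example (not from the thread or the MSDN article): unlock, then reset
// via the security answer, with a per-account throttle on code-initiated unlocks.
using System;
using System.Runtime.Caching;
using System.Web.Security;

public static class SecurityQaReset
{
    // UnlockUser() lifts any lockout, including one the provider imposed for too
    // many bad security answers. Unlocking on every request would therefore turn
    // the Q&A form into an unlimited answer-guessing oracle, so allow at most one
    // code-initiated unlock per account per window (assumed value: 10 minutes).
    private static readonly TimeSpan UnlockThrottle = TimeSpan.FromMinutes(10);
    private static readonly MemoryCache RecentUnlocks = MemoryCache.Default;

    // Returns the new temporary password, or null with a reason the UI may show.
    public static string ResetWithSecurityAnswer(string username, string answer, out string failureReason)
    {
        const string genericFailure = "The security answer was not accepted.";
        failureReason = null;

        MembershipUser user = Membership.GetUser(username);
        if (user == null)
        {
            failureReason = genericFailure; // same text as a wrong answer: do not reveal valid usernames
            return null;
        }

        if (user.IsLockedOut)
        {
            // Add() returns false when the key already exists, so a second unlock
            // inside the window (or a concurrent request) is refused atomically.
            string key = "qa-unlock:" + username.ToLowerInvariant();
            if (!RecentUnlocks.Add(key, user.LastLockoutDate, DateTimeOffset.UtcNow.Add(UnlockThrottle)))
            {
                failureReason = "Account is temporarily locked; try again later.";
                return null;
            }
            // user.LastLockoutDate is worth logging here: it dates the bad-password run.
            if (!user.UnlockUser())
            {
                failureReason = "Account could not be unlocked; contact the helpdesk.";
                return null;
            }
        }

        try
        {
            // ResetPassword verifies the answer itself; a wrong answer throws and the
            // provider counts it toward maxInvalidPasswordAttempts in passwordAttemptWindow.
            return user.ResetPassword(answer);
        }
        catch (MembershipPasswordException)
        {
            failureReason = genericFailure;
            return null;
        }
    }
}
```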

All replies

  • User1863298402 posted

    I knew about the UnlockUser method but was looking for something on the AD side where I don't have to keep track of the failed logins in the db. Thanks.

    Thursday, June 13, 2013 9:44 AM