User account security in domain environment

Guest

Hi everyone

I've got a question; I hope that someone could provide an answer.

Q:
A service runs under a domain user account.
The user account gets locked, but the service is still running.
The service performs file access to various files on the network on a
variety of Windows-based servers with NTFS permissions.

Will the service (which is still running) be denied access to files after
some time due to the account lockout status?

Thanks
 
If the service is connected to remote computers at the time the account is
locked out, it can stay connected for a period of time. The time will depend
on how much time is left in the session ticket, I believe. The service will
not be able to make "new" connections to remote computers because
authentication will fail. Account lockout may not be a good idea in your
case if you use domain accounts for services. If you enforce complex
passwords in your domain with a password length of say eight characters,
have a properly configured firewall, and a good policy to prevent malware
[email scanning etc.], account lockout may be of less value for you and a
possible DoS situation. --- Steve
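
An added example, not part of the original thread: a PowerShell check for the situation discussed above, listing services on the local host that run under a non-built-in account and reporting whether that account is currently locked out in the domain. It assumes the ActiveDirectory (RSAT) module is installed and the caller can read user objects; a local account that shares a name with a domain user will be matched to the domain user.

```powershell
# Added example: find services running under domain accounts and show
# the lockout state of each account, so a service that is still running
# on an already locked account is visible before its sessions expire.
Import-Module ActiveDirectory

# Built-in identities that are not domain user accounts.
$builtin = '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\|\.\\)'

$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -notmatch $builtin }

foreach ($group in ($services | Group-Object -Property StartName)) {
    # StartName is DOMAIN\user or user@domain; keep only the account name.
    $sam = ($group.Name -split '\\')[-1] -replace '@.*$', ''

    try {
        $user = Get-ADUser -Identity $sam `
            -Properties LockedOut, BadLogonCount, LastBadPasswordAttempt `
            -ErrorAction Stop
    } catch {
        # Local accounts and managed service accounts end up here.
        Write-Warning "Could not resolve '$($group.Name)': $($_.Exception.Message)"
        continue
    }

    [pscustomobject]@{
        Account                = $group.Name
        Services               = ($group.Group.Name -join ', ')
        Running                = @($group.Group | Where-Object State -eq 'Running').Count
        LockedOut              = $user.LockedOut
        BadLogonCount          = $user.BadLogonCount
        LastBadPasswordAttempt = $user.LastBadPasswordAttempt
    }
}
```

A row with `LockedOut` true and `Running` greater than zero is the case from the question: the service keeps working on its existing sessions but will fail the next time it has to authenticate.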
 