Lock User

I am only seeing 'Unlock User' in the drop down, yet all my users are showing green under the 'Is Locked Out' column.  Any suggestions?


9 Comments

  • 0
    Matthew McBride

    A Delegated Administrator does not have permission to lock a user account, only to unlock, which is why you see this link only. This link appears regardless of the account's status.

    David Fisher
    Software Engineer
    SharePoint Solutions
  • 0
    Matthew McBride

    Unfortunately I am seeing the same thing when I am logged in to the internal site as the site collection admin.

  • 0
    Matthew McBride

    Unfortunately the .NET membership provider doesn't support the unlock feature via the API. Therefore this feature does not exist for any user. An account can only be locked out by attempting to authenticate improperly. You can approve or deny access to a user, which will have the same effect as locking out a user (they won't be able to log in). This feature is only available to Site Collection Administrators from the Manage Users in Authorization Store page.

    Jeremy Luerkens
    Manager, Software Production
    SharePoint Solutions
  • 0
    Matthew McBride

    Does denying a user trigger an email to the user? If so, can that be turned off?

  • 0
    Matthew McBride

    Just to be clear, there are two types of denial. First, if an invitation is sent out and you are using the approval feature, when the user is approved or denied by an approver an e-mail will be sent to the user containing the updated registration status. This is done by an approver via the approval e-mail request and the RegistrationApproval.aspx page.

    Second, a Site Collection Administrator can also deny access to a user through the Manage Users in Authorization Store page. This operation does not trigger any e-mail notifications.

    Jeremy Luerkens
    Manager, Software Production
    SharePoint Solutions
  • 0
    Matthew McBride

    Yes, I am talking about the second scenario. What is the Unlock feature that I see in the drop down for?

  • 0
    Matthew McBride

    If a user attempts to log in with invalid credentials more times than allowed by the maxInvalidPasswordAttempts (count) and passwordAttemptWindow (minutes) attributes of the membership provider, the account will be locked out. The user will not be able to log in to the site until their account is unlocked. This protects against attacks to guess an account password. The unlock menu item can be used by a Site Collection Administrator to unlock accounts that have been locked out.

    Jeremy Luerkens
    Manager, Software Production
    SharePoint Solutions
  • 0
    Matthew McBride

    Will the user's account automatically unlock after the set time of the passwordAttemptWindow attribute?  It appears that when a user attempts too many invalid logins (10), the account is still locked out after 10 minutes. I'm assuming that passwordAttemptWindow="10" means 10 minutes.

  • 0
    Matthew McBride

    Once an account is locked out it must be unlocked by an administrator before it can be used again. Here is some verbiage taken from Microsoft's site which describes the passwordAttemptWindow and the maxInvalidPasswordAttempts attributes.

    Password Attempt Windows Summary

    "The PasswordAttemptWindow property works in conjunction with the MaxInvalidPasswordAttempts property to help guard against an unwanted source guessing the password or password answer of a membership user through repeated attempts. When a user attempts to log in with, change, or reset his or her password, only a certain number of consecutive attempts are allowed within a specified time window. The length of this time window is specified in the PasswordAttemptWindow property, which identifies the number of minutes allowed between invalid attempts.

    If the number of consecutive failed attempts that a user makes to reset his or her password equals the value stored in the MaxInvalidPasswordAttempts property, and the time elapsed since the last invalid attempt is less than the number of minutes specified in the PasswordAttemptWindow property, then the membership user is locked out. The user is locked out by setting the IsLockedOut property to true until the user is unlocked by a call to the UnlockUser method.

    If the interval between the current failed attempt and the last failed attempt is greater than the PasswordAttemptWindow property setting, the current invalid attempt is counted as the first. If a valid password answer is supplied before the maximum number of allowed invalid attempts is reached, the count of invalid password-answer attempts is set to 0 (zero). If a valid password is supplied before the maximum number of allowed invalid attempts is reached, the count of invalid password attempts and the count of invalid password-answer attempts are set to 0 (zero).

    Invalid password and password-answer attempts accumulate independently of one another. For example, if the MaxInvalidPasswordAttempts is set to 5, and three invalid password attempts are made followed by two invalid password-answer attempts, two more invalid password attempts (or three more invalid password-answer attempts) must be made within PasswordAttemptWindow for the membership user to be locked out."


    (Referenced From)
    http://msdn.microsoft.com/en-us/library/system.web.security.membership.passwordattemptwindow.aspx
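
Added example, not part of the thread and not the product's or Microsoft's code: a small Python model of the lockout rules in the quoted text, run with the thread's values (10 attempts, 10-minute window) to show that the lock outlasts the window until an administrator unlocks the account. The class, method and function names are assumptions for illustration; nothing here calls the .NET membership API, and password-answer attempts are left out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LockoutModel:
    """Toy model of the quoted lockout rules (hypothetical, not provider code)."""
    max_invalid_attempts: int = 5      # maxInvalidPasswordAttempts (count)
    attempt_window_minutes: int = 10   # passwordAttemptWindow (minutes)
    failed_count: int = 0
    last_failure: Optional[datetime] = None
    is_locked_out: bool = False

    def attempt(self, password_ok: bool, now: datetime) -> bool:
        # Returns True only when the login succeeds.
        if self.is_locked_out:
            return False               # a correct password is refused too
        if password_ok:
            self.failed_count = 0      # success resets the counter
            return True
        window = timedelta(minutes=self.attempt_window_minutes)
        if self.last_failure is None or now - self.last_failure > window:
            self.failed_count = 1      # gap exceeded the window: counts as first
        else:
            self.failed_count += 1
        self.last_failure = now
        if self.failed_count >= self.max_invalid_attempts:
            self.is_locked_out = True  # stays set; no timer clears it
        return False

    def unlock(self) -> None:
        # Stands in for the administrator's UnlockUser call.
        self.is_locked_out = False
        self.failed_count = 0


def demo():
    t0 = datetime(2024, 1, 1, 9, 0)    # constructed timestamps
    m = LockoutModel(max_invalid_attempts=10, attempt_window_minutes=10)
    for i in range(10):                # 10 failures, 30 seconds apart
        m.attempt(False, t0 + timedelta(seconds=30 * i))
    locked_after_burst = m.is_locked_out
    # An hour later the window has long passed, but the lock has not.
    later_ok = m.attempt(True, t0 + timedelta(hours=1))
    m.unlock()
    after_unlock_ok = m.attempt(True, t0 + timedelta(hours=1, minutes=1))
    return locked_after_burst, later_ok, after_unlock_ok
```

The window only decides which failures count as consecutive; it is not a lockout duration, so alerting on `IsLockedOut` accounts and an administrator unlock step both need to be part of the operating procedure.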
