Question

I'm working with a web admin who has recently improved our WSS 3 deployment such that selected user OUs (e.g. service accounts, domain admins) in our Active Directory forest are explicitly unauthorized for access to anything in it.

However, that still leaves user accounts in those OUs open to a lockout attack because WSS still attempts to authenticate the user before it discovers that it will not be authorized.

How can we configure this deployment to specify certain OUs as unable to authenticate, such that attempting to auth as a user in that OU will behave the same as if you'd attempted to authenticate as a user that wasn't in the forest at all?


Solution

Firstly, you cannot stop lockout attacks. Remember that if you have a user's username, you can do a lockout attack from any machine by just trying to log on multiple times with the same password.

That being said, what you want to do here is to create a domain group which contains all the users you want to allow access for and only add that group to the SharePoint site visitors group. Other users, when browsing to the site, will just get an access denied error message.
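The group-based allow-list described in the answer, as an added PowerShell example that is not part of the original post: it creates the domain group, fills it from the OU holding ordinary users, and grants only that group membership in the site's Visitors group via stsadm. It assumes the ActiveDirectory module is available on the machine running it and that the domain, OU paths, site URL and group names are hypothetical placeholders to be replaced.

```powershell
# Added example, not from the original answer: implement the suggested
# allow-list with a domain group and grant only that group Visitor access.
# Assumptions: the ActiveDirectory PowerShell module is installed (RSAT on
# Windows Server 2008 R2 or later; it did not ship with the WSS 3 era OS),
# stsadm.exe is on the path of the WSS 3 front end, and every name below
# (domain CONTOSO, OU paths, site URL, group names) is a placeholder.
Import-Module ActiveDirectory

$domain    = 'CONTOSO'
$groupName = 'WSS-Allowed-Users'
$groupOU   = 'OU=Groups,DC=contoso,DC=local'
$userOU    = 'OU=Staff,DC=contoso,DC=local'   # ordinary user accounts only
$siteUrl   = 'http://wss.contoso.local/sites/intranet'

# 1. Create the allow-list group (skipped if it already exists).
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $groupOU
}

# 2. Populate it from the OU that holds ordinary users, so service accounts
#    and domain admins living in other OUs are never members.
$members = Get-ADUser -SearchBase $userOU -Filter 'Enabled -eq $true'
Add-ADGroupMember -Identity $groupName -Members $members

# 3. Add the group, and only the group, to the site's Visitors group.
#    stsadm requires -useremail even for a group principal.
& stsadm.exe -o adduser -url $siteUrl -userlogin "$domain\$groupName" `
    -useremail 'wss-allowed@contoso.local' -username $groupName `
    -group 'Intranet Visitors'
```

Any broader principal already in the Visitors group (for example an "authenticated users" entry) still has to be removed by hand for the allow-list to be exclusive. As the answer notes, this only turns unwanted users into authorization failures; the authentication attempt that can trigger a lockout still happens.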

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange