ActiveSync devices causing accounts to lockout

active-directory group-policy exchange activesync microsoft-ftmg-2010

Solution 1:

Normally what we tell users is to put the device in "flight" or "airplane" mode, cutting off network access when they are ready to change password, once they change the password on Desktop/Laptop, then they can enter the new password in device and connect back to network.

Of course we also send the expiry notification so that they are well prepared for the password expiry.

Solution 2:

TMG SP2 has now the Account Lockout Feature to prevent this issue. See: Here, here and here.

Solution 3:

I've been challenged by this question as well. As a serious option I'm considering certificate based ActiveSync authentication. Together with the EAS policy to demand a password code for unlocking the mobile device this should count as two-factor authentication (something you have: certificate on your mobile device, something you know: password code for your mobile device). This way there is no issue when the password expires. Hope this helps. http://blogs.technet.com/b/exchange/archive/2012/11/28/configure-certificate-based-authentication-for-exchange-activesync.aspx

Related

Why is Windows Task Scheduler trying to launch multiple instances?
What does shadow /V actually do?
haproxy: retain existing sessions under high load, serve '503' to new arrivals
Administrator view ALL mapped drives
Office365 SPF record has too many lookups
RabbitMQ - How I do configure servers for zero-downtime upgrades?
Why is my web server dropping connections with a TCP reset at high load?
google cloud http(s) load balancer returning 502 despite healthy backend service
Gitlab CI - Deploy via SSH to remote server
Geographically distributed, fault-tolerant and "intelligent" application/host monitoring systems
Access control: Windows vs Linux
Does anyone use check_mk for Nagios? Anything I should be aware of before considering it?