
Automatic Changes to the Locksmith Account

If the locksmith account exists when you start the security server in locksmith mode, the security server checks certain account and registry policy information and makes the changes shown in the following tables. These changes ensure that, even if account or registry policy was tampered with, you will now be able to log into the locksmith account. For example, if an intruder changes the Account Lifespan registry policy to 1 minute, the locksmith account will never be valid long enough to be used. Therefore, if the security server finds that the Account Lifespan registry policy is set to less than what is required for the locksmith account to be valid for at least 1 hour, it changes the Account Lifespan policy to be the time difference between the creation time of the locksmith account and the time 1 hour from the current time.


Locksmith Account Changes Made by the Security Server

| If the security server finds the... | It changes the... |
| --- | --- |
| Password-Valid Flag is set to no | Password-Valid Flag to yes |
| Account Expiration Date is set to less than the current time plus 1 hour | Account Expiration Date to the current time plus 1 hour |
| Client Flag is set to no | Client Flag to yes |
| Account-Valid Flag is set to no | Account-Valid Flag to yes |
| Good Since Date is set to greater than the current time | Good Since Date to the current time |
| Password Expiration Date is set to less than the current time plus 1 hour | Password Expiration Date to the current time plus 1 hour |

Registry Policy Changes Made by the Security Server

| If the security server finds the... | It changes the... |
| --- | --- |
| Account Lifespan is set to less than the difference between the locksmith account creation date and the current time plus 1 hour | Account Lifespan to the current time plus 1 hour minus the locksmith account creation date |
| Password Expiration Date is set to greater than the time the password was last changed but less than the current time plus 1 hour | Password Expiration Date to the current time plus 1 hour |
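
The following Python model of the two tables is an added illustration, not code from the security server. It returns every change the rules would make, which is useful as a list of tamper indicators to review after a locksmith start. The field names are hypothetical, times are integer seconds, and each value is treated as a literal time with no special "never expires" setting.

```python
# Added illustration: a model of the documented rules, not security server code.
# Field names are hypothetical; all times are integer seconds since the epoch.
HOUR = 3600

def locksmith_fixups(acct, policy, now):
    """Apply the documented changes in place; return [(field, old, new), ...]."""
    changes = []
    floor = now + HOUR  # the account must stay usable until at least this time

    def fix(rec, scope, key, is_bad, new):
        if is_bad(rec[key]):
            changes.append((f"{scope}.{key}", rec[key], new))
            rec[key] = new

    # Locksmith account changes
    for flag in ("password_valid", "client", "account_valid"):
        fix(acct, "account", flag, lambda v: not v, True)
    fix(acct, "account", "account_expiration", lambda v: v < floor, floor)
    fix(acct, "account", "good_since", lambda v: v > now, now)
    fix(acct, "account", "password_expiration", lambda v: v < floor, floor)

    # Registry policy changes
    needed = floor - acct["created"]  # lifespan that reaches now + 1 hour
    fix(policy, "policy", "account_lifespan", lambda v: v < needed, needed)
    fix(policy, "policy", "password_expiration",
        lambda v: acct["password_changed"] < v < floor, floor)
    return changes

if __name__ == "__main__":
    now = 1_700_000_000  # constructed sample state, not real registry data
    acct = {"created": now - 30 * 86400, "password_changed": now - 86400,
            "password_valid": True, "client": True, "account_valid": False,
            "account_expiration": now + 10 * 86400, "good_since": now + 86400,
            "password_expiration": now + 60}
    policy = {"account_lifespan": 60, "password_expiration": now + 600}
    for field, old, new in locksmith_fixups(acct, policy, now):
        print(f"{field}: {old!r} -> {new!r}")
```
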