Share via


How to Configure the Number of Logon Failures Before a Mailbox is Locked Out

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

 

Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

This topic explains how to use the Exchange Management Console and the Exchange Management Shell to configure the number of logon failures that are allowed before an Outlook Voice Access user is locked out of their Microsoft Exchange Server 2007 mailbox. The number of logon failures to be allowed before a mailbox is locked out is configured on a UM mailbox policy and applies to all UM-enabled users who are associated with the UM mailbox policy.

When Outlook Voice Access users dial in to a subscriber access number, they are prompted to enter their PIN so that the Unified Messaging system can authenticate them. After they have been authenticated, they can access the voice mail, e-mail, calendaring, and personal contact information in their Microsoft Exchange Server 2007 mailbox from any telephone.

Several PIN-related settings can be configured on a UM mailbox policy. The Maximum Logon Attempts setting specifies how many sequential PIN entry errors subscribers can make before they are locked out of their mailbox. The range for the number of logon failures before their mailbox is locked out is 1 through 999. By default, the PIN is automatically reset after five sequential failed logon attempts. When the PIN is automatically reset, a new PIN is sent in an e-mail message to the user. By default, a user's PIN will be reset after 5 consecutive logon attempts and will be reset again after 5 more attempts. However, after the user has tried to log on 15 consecutive times and failed, they will be locked out of their mailbox. The Maximum Logon Attempts setting must be set to a number larger than the Number of incorrect PIN entries before PIN is automatically reset setting.

Note

To increase security, decrease the maximum number of failed attempts. However, remember that if you decrease it to a number much lower than the default, users may be locked out unnecessarily. Unified Messaging will generate warning events that you can view by using Event Viewer if PIN authentication fails for a UM-enabled user or if the user is unsuccessful in attempting to log on to the system.

Before You Begin

To perform the following procedures, the account you use must be delegated the Exchange Organization Administrators role.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

Also, before you perform these procedures, confirm the following:

  • A UM dial plan has been created.

  • A UM mailbox policy has been created.

Procedure

To use the Exchange Management Console to configure the number of logon failures before a mailbox is locked out

  1. In the console tree of the Exchange Management Console, expand the Organization Configuration node, and then click the Unified Messaging node.

  2. On the UM Mailbox Policies tab, select the UM mailbox policy that you want to manage, and then click Properties in the action pane.

  3. On the UM mailbox policy Properties page, click the PIN Policies tab.

  4. On the PIN Policies tab, under Failed Logons, next to Number of incorrect PIN entries before UM mailbox is locked out, enter a value between 1 and 998.

  5. Click OK to save your changes.

To use the Exchange Management Shell to configure the number of logon failures before a mailbox is locked out

  • Run the following command:

    Set-UMMailboxPolicy -Identity UMMailboxPolicy -MaxLogonAttempts 20
    

For more information about syntax and parameters, see Set-UMMailboxPolicy.

For More Information

For more information about Unified Messaging PINs, see the following topics: