FW: Account Lockout Policy

From: Bates, Chris (Chris.Bates_at_nwdc.net)
Date: 10/20/05

    Date: Thu, 20 Oct 2005 10:48:25 -0700
    To: focus-ms@securityfocus.com
    
    

    You can change the local policy on the machine, or filter a GPO to only
    apply to that machine.
    But if they are using the hardcoded local admin, it can't be locked out.
    MS Safety feature I guess.

    ----------------------------------------------------------------------
    Chris Bates (CISSP)
    Infrastructure Management Consultant
    ACS Inc. (Enterprise Services; NWDC)
    Chris.Bates@nwdc.net

    -----Original Message-----
    From: Derick Anderson [mailto:danderson@vikus.com]
    Sent: Thursday, October 20, 2005 8:59 AM
    To: Shabbar Arsiwala; focus-ms@securityfocus.com
    Subject: RE: Account Lockout Policy

     

    > -----Original Message-----
    > From: Shabbar Arsiwala [mailto:sarsiwala@obleness.org]
    > Sent: Thursday, October 20, 2005 9:07 AM
    > To: focus-ms@securityfocus.com
    > Subject: Account Lockout Policy
    >
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > We have an account lockout policy set up for users on our domain Win
    > 2K3 / Active Directory environment. 4 invalid attempts the account
    > locks out / 30 mins the account is released. We would like to change
    > this policy for one of the machines on our domain. This machine uses a
    > local administrator account to log in.
    >
    > Is this possible ???
    >
    > Thanks,
    > Shabbar

    It is possible to change the *local* machine account lockout policy for
    a specific machine, but not the *domain* lockout policy. To do this you
    need to put your *domain* password policy in the Domain Controllers OU,
    create a separate OU for this one machine, make a new policy with the
    desired lockout settings, and link it to the single machine's OU. This
    will only work for *local* accounts (such as MACHINE\Administrator), not
    *domain* accounts (DOMAIN\Administrator).

    Derick Anderson
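
One way to confirm which lockout settings a single machine actually enforces for its local accounts once a machine-specific policy like the one discussed above has been linked, as an added example that is not part of the original thread. It parses the [System Access] section of a `secedit /export` file; the sample export, the `$InfPath` variable, the function names and the expected values (10 attempts, 15 minutes) are constructed for illustration.

```powershell
# Added example: compare a machine's effective lockout settings with the values
# its machine-specific policy should set. Real input, from an elevated prompt:
#   secedit /export /cfg C:\Temp\secpol.inf /areas SECURITYPOLICY
$InfPath = $null   # path to the exported file; $null uses the constructed sample
# Constructed sample: the machine still shows the domain-wide 4 / 30 values.
$sample = @'
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 4
ResetLockoutCount = 30
LockoutDuration = 30
[Event Audit]
AuditLogonEvents = 3
'@ -split "`r?`n"
# Assumed target values for the single machine (hypothetical, adjust to yours).
$expected = @{ LockoutBadCount = 10; ResetLockoutCount = 15; LockoutDuration = 15 }

function Get-LockoutPolicy {
    param([string[]]$InfLines)
    $policy = @{}; $inSection = $false
    foreach ($line in $InfLines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            # Only keys under [System Access] belong to the account policy.
            $inSection = ($Matches[1] -eq 'System Access')
        } elseif ($inSection -and $text -match '^(LockoutBadCount|ResetLockoutCount|LockoutDuration)\s*=\s*(-?\d+)$') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    $policy
}

function Test-LockoutPolicy {
    param([hashtable]$Actual, [hashtable]$Expected)
    foreach ($key in $Expected.Keys) {
        if (-not $Actual.ContainsKey($key)) {
            "$key is not set in the export"
        } elseif ($Actual[$key] -ne $Expected[$key]) {
            "$key is $($Actual[$key]), expected $($Expected[$key])"
        }
    }
    if ($Actual['LockoutBadCount'] -eq 0) { 'LockoutBadCount is 0: accounts never lock out' }
}

$lines = if ($InfPath) { Get-Content -Path $InfPath } else { $sample }
$findings = @(Test-LockoutPolicy -Actual (Get-LockoutPolicy $lines) -Expected $expected)
if ($findings.Count) { $findings | ForEach-Object { Write-Output "MISMATCH: $_" } }
else { Write-Output 'Lockout policy matches the expected values' }
```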
