RE: Account Lockout Policy

From: RAMI KHANFER (RAMI.KHANFER_at_mobilecom.jo)
Date: 10/20/05

  • Next message: matthew patton: "security policy 'not specified' option"
    Date: Thu, 20 Oct 2005 19:48:31 +0200
    To: "Derick Anderson" <danderson@vikus.com>, "Shabbar Arsiwala" <sarsiwala@obleness.org>, <focus-ms@securityfocus.com>
    
    

    You can not configure account policy on OU; the only place where you can
    configure account policy is at the domain level.

    Best Regards
    Rami Khanfer
     
    MobileCom - IT Direction/ Infrastructure Department
    Mobile + 962 777 801539
    Email Rami.Khanfer@mobilecom.jo

    -----Original Message-----
    From: Derick Anderson [mailto:danderson@vikus.com]
    Sent: Thursday/October/2005 05:59 PM
    To: Shabbar Arsiwala; focus-ms@securityfocus.com
    Subject: RE: Account Lockout Policy

     

    > -----Original Message-----
    > From: Shabbar Arsiwala [mailto:sarsiwala@obleness.org]
    > Sent: Thursday, October 20, 2005 9:07 AM
    > To: focus-ms@securityfocus.com
    > Subject: Account Lockout Policy
    >
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > We have an account lockout policy setup for users on our
    > domain Win 2K3 / Active Directory environment. 4 invalid
    > attempts the account locks out / 30 mins the account is
    > released. We would like to change this policy for one the
    > machines on our domain. This machine uses a local
    > administrator account to log in.
    >
    > Is this possible ???
    >
    > Thanks,
    > Shabbar

    It is possible to change the *local* machine account lockout policy for
    a specific machine, but not the *domain* lockout policy. To do this you
    need to put your *domain* password policy in the Domain Controllers OU,
    create a separate OU for this one machine, make a new policy with the
    desired lockout settings, and link it to the single machine's OU. This
    will only work for *local* accounts (such as MACHINE\Administrator), not
    *domain* accounts (DOMAIN\Administrator).

    Derick Anderson

    ------------------------------------------------------------------------

    ---
    ------------------------------------------------------------------------
    ---
    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
    

  • Next message: matthew patton: "security policy 'not specified' option"

    Relevant Pages

    • Re: GPO causing client security logs to fill?
      ... a virus in play. ... settings to be applied on your client workstations. ... Group Policy is a complex and often misunderstood beast. ... I modified the account ...
      (microsoft.public.windows.server.sbs)
    • Re: The local policy of this system does not permit you to logon i
      ... Security policies were propagated with warning. ... Error 0x534 occurs when a user account in one or more Group Policy objects ... I have checked the security policies & the administrator profile is not ...
      (microsoft.public.windows.server.sbs)
    • Re: GPO causing client security logs to fill?
      ... Unlink the Default Domain Controller Policy (As it was not previously ... settings to be applied on your client workstations. ... I modified the account ... So basically, the Account lockout threshold, account lockout ...
      (microsoft.public.windows.server.sbs)
    • Re: GPO causing client security logs to fill?
      ... Possibly delete the Default Domoan Controller Policy (As it did not ... issues as it was about recoverying from a virus which appears to ... with client logon failures. ... I modified the account ...
      (microsoft.public.windows.server.sbs)
    • Re: Password expires for no apparent reason
      ... policy that has set the values to what you see below meaning that users ... So I would define the password age and configure a value in there. ... As Harj said Account lockouts could potentially be a problem as perhaps ... Password expires for no apparent reason ...
      (microsoft.public.windows.server.active_directory)