RE: Account Lockout Policy
From: Mike MacNeill (mmacneil_at_crosscountry.com)
Date: 10/21/05
- Previous message: Alexander Suhovey: "RE: Account Lockout Policy"
- Maybe in reply to: Shabbar Arsiwala: "Account Lockout Policy"
- Next in thread: Laura A. Robinson: "RE: Account Lockout Policy"
- Reply: Laura A. Robinson: "RE: Account Lockout Policy"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 21 Oct 2005 14:28:54 -0400
To: <focus-ms@securityfocus.com>
IMHO I think MS screwed the implementation of these policies in the first place. We have a global policy where accounts are locked after 5 failed attempts. The issue with this is there are accounts that I would love to exclude from this policy. Accounts such as the ones used by our Voicemail System, Mobile Messaging Services and other applications have been locked out and as a result, services have been impacted. The way MS has the policies, they are applied at a machine level, so I can specify machines that don't have this policy applied, but this defeats the purpose. Has anyone figured a way around this at all?
Mike
RAMI KHANFER wrote:
>You cannot configure account policy on an OU; the only place where you can
>configure account policy is at the domain level.
>
>Best Regards
>Rami Khanfer
>
>MobileCom - IT Direction/ Infrastructure Department
>Mobile + 962 777 801539
>Email Rami.Khanfer@mobilecom.jo
>
>-----Original Message-----
>From: Derick Anderson [mailto:danderson@vikus.com]
>Sent: Thursday/October/2005 05:59 PM
>To: Shabbar Arsiwala; focus-ms@securityfocus.com
>Subject: RE: Account Lockout Policy
>
>>-----Original Message-----
>>From: Shabbar Arsiwala [mailto:sarsiwala@obleness.org]
>>Sent: Thursday, October 20, 2005 9:07 AM
>>To: focus-ms@securityfocus.com
>>Subject: Account Lockout Policy
>>
>>We have an account lockout policy set up for users on our
>>domain Win 2K3 / Active Directory environment. 4 invalid
>>attempts the account locks out / 30 mins the account is
>>released. We would like to change this policy for one of the
>>machines on our domain. This machine uses a local
>>administrator account to log in.
>>
>>Is this possible ???
>>
>>Thanks,
>>Shabbar
>>
>>
>
>It is possible to change the *local* machine account lockout policy for
>a specific machine, but not the *domain* lockout policy. To do this you
>need to put your *domain* password policy in the Domain Controllers OU,
>create a separate OU for this one machine, make a new policy with the
>desired lockout settings, and link it to the single machine's OU. This
>will only work for *local* accounts (such as MACHINE\Administrator), not
>*domain* accounts (DOMAIN\Administrator).
>
>Derick Anderson
>
---------------------------------------------------------------------------
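Added example, not part of the thread or written by any of its participants: a Python sketch of the scoping the replies above describe, where the domain-level lockout settings govern domain accounts and an OU-linked policy changes the result only for local accounts on that machine. The template contents are constructed, the function names are hypothetical, and the keys are the `[System Access]` lockout settings of a Windows security template.

```python
import configparser

# Constructed security-template fragments ([System Access] section).
# Domain values follow the original question: 4 attempts, 30-minute lockout.
DOMAIN_LEVEL_INF = """
[System Access]
LockoutBadCount = 4
ResetLockoutCount = 30
LockoutDuration = 30
"""
# Hypothetical policy linked to the OU that holds the single machine.
MACHINE_OU_INF = """
[System Access]
LockoutBadCount = 10
ResetLockoutCount = 15
LockoutDuration = 15
"""
LOCKOUT_KEYS = ("LockoutBadCount", "ResetLockoutCount", "LockoutDuration")


def parse_lockout(inf_text):
    """Return the lockout settings found in a template, as integers."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(inf_text)
    if not cp.has_section("System Access"):
        return {}
    section = cp["System Access"]
    return {key: int(section[key]) for key in LOCKOUT_KEYS if key in section}


def effective_lockout(account, domain, domain_inf, ou_inf=None):
    """Resolve the lockout policy for 'AUTHORITY\\name' on the machine."""
    authority = account.split("\\", 1)[0]
    policy, source = parse_lockout(domain_inf), "domain-level GPO"
    # Only local (machine SAM) accounts pick up the OU-linked settings.
    if authority.upper() != domain.upper() and ou_inf:
        override = parse_lockout(ou_inf)
        if override:
            policy, source = {**policy, **override}, "OU-linked GPO"
    return policy, source


if __name__ == "__main__":
    for acct in ("MACHINE\\Administrator", "DOMAIN\\Administrator"):
        policy, source = effective_lockout(
            acct, "DOMAIN", DOMAIN_LEVEL_INF, MACHINE_OU_INF)
        print(f"{acct}: {policy} from {source}")
```

A domain service account resolves to the domain-level values whichever OU the machine sits in, which is the limitation raised at the top of this message.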