Re: Account Lockout Policy
From: Thor (Hammer of God) (thor_at_hammerofgod.com)
Date: 10/21/05
- Previous message: Derick Anderson: "RE: security policy 'not specified' option"
- In reply to: Laura A. Robinson: "RE: Account Lockout Policy"
- Next in thread: RAMI KHANFER: "RE: Account Lockout Policy"
To: <larobins@bellatlantic.net>, "'Bates, Chris'" <Chris.Bates@nwdc.net>, <focus-ms@securityfocus.com>
Date: Fri, 21 Oct 2005 11:40:55 -0700
As well as "denied access" and even completely disabled!
t
----- Original Message -----
From: "Laura A. Robinson" <larobins@bellatlantic.net>
To: "'Bates, Chris'" <Chris.Bates@nwdc.net>; <focus-ms@securityfocus.com>
Sent: Thursday, October 20, 2005 3:15 PM
Subject: RE: Account Lockout Policy
> Actually, the local admin account can be locked out (at least post-2000).
> Test it out. :-)
>
> Laura
>
>> -----Original Message-----
>> From: Bates, Chris [mailto:Chris.Bates@nwdc.net]
>> Sent: Thursday, October 20, 2005 1:48 PM
>> To: focus-ms@securityfocus.com
>> Subject: FW: Account Lockout Policy
>>
>> You can change the local policy on the machine, or filter a
>> GPO to only apply to that machine.
>> But if they are using the hardcoded local admin, it can't be
>> locked out.
>> MS Safety feature I guess.
>>
>>
>> ----------------------------------------------------------------------
>> Chris Bates (CISSP)
>> Infrastructure Management Consultant
>> ACS Inc. (Enterprise Services; NWDC)
>> Chris.Bates@nwdc.net
>>
>>
>> -----Original Message-----
>> From: Derick Anderson [mailto:danderson@vikus.com]
>> Sent: Thursday, October 20, 2005 8:59 AM
>> To: Shabbar Arsiwala; focus-ms@securityfocus.com
>> Subject: RE: Account Lockout Policy
>>
>>
>>
>> > -----Original Message-----
>> > From: Shabbar Arsiwala [mailto:sarsiwala@obleness.org]
>> > Sent: Thursday, October 20, 2005 9:07 AM
>> > To: focus-ms@securityfocus.com
>> > Subject: Account Lockout Policy
>> >
>> > We have an account lockout policy set up for users on our domain Win
>> > 2K3 / Active Directory environment. 4 invalid attempts the account
>> > locks out / 30 mins the account is released. We would like to change
>> > this policy for one of the machines on our domain. This machine uses a
>> > local administrator account to log in.
>> >
>> > Is this possible ???
>> >
>> > Thanks,
>> > Shabbar
>>
>> It is possible to change the *local* machine account lockout
>> policy for a specific machine, but not the *domain* lockout
>> policy. To do this you need to put your *domain* password
>> policy in the Domain Controllers OU, create a separate OU for
>> this one machine, make a new policy with the desired lockout
>> settings, and link it to the single machine's OU. This will
>> only work for *local* accounts (such as MACHINE\Administrator), not
>> *domain* accounts (DOMAIN\Administrator).
>>
>> Derick Anderson
>>