Re: Policy enforcement- Admin accounts



WALI wrote:
In an Active Directory environment (Windows 2003), I want to ensure lockout for administrator accounts also, in order to protect against attempts to brute force account passwords. The flipside is, we might have a DoS situation, but I can live with it. Is there a tool I can deploy to ensure that admin accounts also lock out after a certain no. of attempts?

Also, ONLY for admin accounts, I want to enforce certain settings like: Password should contain at least 15 characters, should not contain a dictionary word etc.
My normal password policy for AD user accounts, set at the domain level is a minimum of 8 chars but I want to deploy this special policy of 15 chars minimum for admin accounts.

How should I go about this?

Sounds like you want to create two group policy objects: one a standard for the domain and one for the administrators. Personally I'd do this by putting the administrative users in an OU called admin, for instance, and creating a personalised GPO and applying it to that OU. Then create a standard one and apply that to the domain.

I'm not sure if it will restrict the use of including words within the passphrase; however, IIRC it will restrict them from using part of their username etc.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx

has more details.

I would suggest testing the strength of account passwords yourself. I used to run a password cracker at my old workplace, got some choice passwords, and to be honest, if you go to a user and show them how easy it is to guess "asdfgh" etc., they often respond.

Hope that helps.

mgk


