RE: Policy enforcement- Admin accounts
Hello,

Are you talking about the local SAM default admin account on all the server boxes? Look into the PASSPROP.exe tool (part of the Server 2000 Resource Kit tools). When run with the /ADMINLOCKOUT switch, you'll make the default admin account subject to lockout policies as well...

You could also look into just disabling the default admin accounts via GPO. Some recommend this approach, as it's more secure. And if need be, you can still use the local admin account when booted in safe mode, as the GPO won't disable it then...

If you are referring to actual domain accounts with delegated admin permissions, then the Account & Password Policies set at the domain level will apply to them as well. Unfortunately, since the 'Password Policy' & 'Account Policy' sections of a GPO can only be applied at the domain level, you'll have to have a separate domain to have two different policies... You could set up an empty root domain that houses all your administrator accounts, you can think of it as your management domain, and then your existing domain that houses all your users will be a child domain. Then, you can administer different Password policies...

-Jesse
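The following is an added example, not code from the original thread or from either poster. It audits the two things Jesse's reply points at: the single domain-level password/lockout policy that governs every domain account (delegated admins included), and the current lockout state of each Domain Admins member, flagging the built-in RID-500 Administrator, which is not subject to lockout unless PASSPROP /ADMINLOCKOUT has been run. It uses plain ADSI so it runs on PowerShell 1.0/2.0 against a Windows 2003 domain without the AD module; the names `$targetMinLength` and the best-effort local SAM read are assumptions for illustration.

```powershell
# Added example (not from the original thread): audit which password and
# lockout policy actually applies to admin accounts in a Windows 2003 domain.
# Assumptions: run on a domain-joined machine as a user who can read the
# domain naming context; $targetMinLength is the desired admin minimum.
$targetMinLength = 15

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = $rootDse.defaultNamingContext
$domain   = [ADSI]"LDAP://$domainDn"

# AD stores durations as negative 100-nanosecond intervals in a LargeInteger.
# ConvertLargeIntegerToInt64 is the helper PowerShell's ADSI adapter exposes.
function ConvertTo-Minutes($entry, $largeInt) {
    if ($largeInt -eq $null) { return $null }
    $ticks = $entry.ConvertLargeIntegerToInt64($largeInt)
    return [math]::Abs($ticks) / 600000000   # 6e8 ticks per minute
}

# pwdProperties bit 0x1 = DOMAIN_PASSWORD_COMPLEX (complexity requirement on).
$pwdProps = [int]$domain.pwdProperties.Value
$policy = New-Object PSObject -Property @{
    Domain             = [string]$domainDn
    MinPwdLength       = [int]$domain.minPwdLength.Value
    PwdHistoryLength   = [int]$domain.pwdHistoryLength.Value
    ComplexityEnabled  = (($pwdProps -band 1) -ne 0)
    LockoutThreshold   = [int]$domain.lockoutThreshold.Value   # 0 = never lock
    LockoutMinutes     = ConvertTo-Minutes $domain $domain.lockoutDuration.Value
    ObservationMinutes = ConvertTo-Minutes $domain $domain.lockOutObservationWindow.Value
}
$policy | Format-List

# Because Password/Account Policy can only be set at the domain level, this is
# the policy every domain admin gets. Say so explicitly if it falls short.
if ($policy.MinPwdLength -lt $targetMinLength) {
    Write-Warning ("Domain minimum is {0} chars; a {1}-char admin minimum needs " +
                   "a separate (e.g. management root) domain on Windows 2003." -f
                   $policy.MinPwdLength, $targetMinLength)
}
if ($policy.LockoutThreshold -eq 0) {
    Write-Warning "Lockout threshold is 0: no account, admin or not, will lock."
}

# Enumerate Domain Admins and report lockout state. The RID-500 account is
# exempt from lockout by default; PASSPROP /ADMINLOCKOUT makes it lockable for
# network logons only, so it is called out separately.
$da = [ADSI]"LDAP://CN=Domain Admins,CN=Users,$domainDn"
foreach ($dn in $da.member) {
    $u   = [ADSI]"LDAP://$dn"
    $sid = New-Object System.Security.Principal.SecurityIdentifier($u.objectSid.Value, 0)
    $lockedOut = $false
    if ($u.lockoutTime.Value -ne $null) {
        # lockoutTime of 0 means "not locked"; any other value is a lockout timestamp.
        $lockedOut = ($u.ConvertLargeIntegerToInt64($u.lockoutTime.Value) -ne 0)
    }
    $uac = [int]$u.userAccountControl.Value
    New-Object PSObject -Property @{
        Account        = [string]$u.sAMAccountName.Value
        BuiltInRID500  = ($sid.Value -like "*-500")
        Disabled       = (($uac -band 0x2) -ne 0)          # ACCOUNTDISABLE
        PwdNeverExpire = (($uac -band 0x10000) -ne 0)      # DONT_EXPIRE_PASSWD
        LockedOut      = $lockedOut
    }
}

# Best-effort look at the local SAM policy on this box, i.e. the account
# PASSPROP targets. Assumption: the WinNT provider exposes the IADsDomain
# policy properties on the computer object; failures are reported, not fatal.
try {
    $local = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    $localThreshold = $local.PSBase.Invoke("Get", "MaxBadPasswordsAllowed")
    $localMinLen    = $local.PSBase.Invoke("Get", "MinPasswordLength")
    "Local SAM on {0}: lockout after {1} bad passwords, min length {2}" -f
        $env:COMPUTERNAME, $localThreshold, $localMinLen
} catch {
    Write-Warning "Could not read local SAM policy: $($_.Exception.Message)"
}
```

Run it from an elevated PowerShell prompt on a domain member. Note that it can tell you whether the RID-500 account is currently locked, but it cannot tell you whether PASSPROP /ADMINLOCKOUT has been applied; that has to be tracked as part of your build procedure for each server.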


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of WALI
Sent: Saturday, December 15, 2007 5:33 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Policy enforcement- Admin accounts

In an Active Directory environment (Windows 2003), I want to ensure lockout for administrator accounts also, in order to protect against attempts to brute force account passwords. The flipside is, we might have a DoS situation, but I can live with it. Is there a tool I can deploy to ensure that the admin account also locks out after a certain no. of attempts?

Also, ONLY for admin accounts, I want to enforce certain settings like:
Password should contain at least 15 characters, should not contain a dictionary word, etc.
My normal password policy for AD user accounts, set at the domain level, is a minimum of 8 chars, but I want to deploy this special policy of a 15-char minimum for admin accounts.

How should I go about this?