RE: Policy enforcement- Admin accounts



Many people have replied to the original post, suggesting that you set an additional
GPO on an OU so you can set a different password policy.

I agree, yes, you can go ahead and create a GPO, assign Password Policies in it,
and link it to your OU - but the password policies will NOT take effect...

I repeat, the Password Policy portion of a GPO can only be applied at the
domain level... This could be in the 'Default Domain Policy' or in a new GPO
applied to the domain, but it only applies at the domain level.

That is why I, and several others, suggested the only viable option is to
create an additional management domain in the forest. It can be an empty
root with just your admin accounts. THEN, you can apply different password
policies to the admin users in the management domain...

-Jesse


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Can Deger
Sent: Tuesday, December 18, 2007 8:15 AM
To: 'Paul J. Brickett'
Cc: security-basics@xxxxxxxxxxxxxxxxx;
security-basics-return-46896@xxxxxxxxxxxxxxxxx
Subject: RE: Policy enforcement- Admin accounts

Wow, thanks, I didn't know that. I remember that we could use passprop, but
didn't try to use it on the 2k3 domain...

Thanks for the update :)


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Paul J. Brickett
Sent: Monday, December 17, 2007 21:55
To: Can DEGER
Cc: security-basics@xxxxxxxxxxxxxxxxx;
security-basics-return-46896@xxxxxxxxxxxxxxxxx
Subject: Re: Policy enforcement- Admin accounts

Charles is correct in regards to the inability to set password policies on
an OU basis.

He is not correct in regards to the default domain Administrator account not
being able to be locked. Please consult the following MS article, which
describes how to configure the domain\administrator account to lockout using
ADSIedit:
http://support.microsoft.com/kb/885119


On Mon, 17 Dec 2007, Can DEGER wrote:

Charles Hardin is absolutely right on this subject: you can't set
password policies with OUs.. :( That's why security professionals
advise administrators to disable the "admin" account (or even
rename it) and then use another account with the "admin" privileges.
After you have that kind of account, you can set the
account lockout policy for it..
Unfortunately, password policies are set domain-wide.

As Charles Hardin mentioned below, if you move your accounts to another
domain, you should establish a trust between your domain and the admin domain
so that management would not be a problem...




On Dec 17, 2007 6:34 PM, Charles Hardin <fonestorm@xxxxxxxxx> wrote:
Sadly with AD you can only have one account security policy per
domain. You would need to make a second domain in your forest and
move your admin accounts there. Also remember the actual
Administrator account CANNOT be locked out.




On Dec 15, 2007 11:32 AM, WALI <hkhasgiwale@xxxxxxxxx> wrote:
In an Active Directory environment (Windows 2003), I want to ensure lockout
for administrator accounts also, in order to protect against attempts to
brute-force the account password. The flip side is, we might have a DoS
situation, but I can live with it. Is there a tool I can deploy to ensure that
the admin account also locks out after a certain number of attempts?

Also, ONLY for admin accounts, I want to enforce certain settings like:
the password should contain at least 15 characters, should not contain a
dictionary word, etc.
My normal password policy for AD user accounts, set at the domain level, is a
minimum of 8 chars, but I want to deploy this special policy of a 15-char
minimum for admin accounts.

How should I go about this?
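The recurring point in this thread is that the Password Policy and Account Lockout Policy settings that govern domain accounts are read only from the GPO(s) linked at the domain root, and that an OU-linked GPO carrying the same settings changes nothing for those accounts. The script below is an added check for that, written by the editor and not posted by anyone in the thread. It assumes the ActiveDirectory and GroupPolicy modules from RSAT (Windows Server 2008 R2 or later, i.e. newer than the 2003 domain being discussed), a domain account with read access, and the group name and target thresholds set at the top, which are assumptions. It reports the effective domain-level policy, flags any GPO that sets Account Policy values but is linked below the domain root, and lists the state of the admin accounts, locating the built-in Administrator by its RID (500) so that a rename does not hide it.

```powershell
# Added verification script (editor's example, not from any poster in the thread).
# Assumptions: RSAT ActiveDirectory + GroupPolicy modules (Server 2008 R2 or later),
# read access to the domain, and the group / thresholds below.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$AdminGroup    = 'Domain Admins'   # assumed: which accounts count as "admin accounts"
$TargetMinLen  = 15                # the stricter minimum length the original poster wanted
$TargetLockout = 5                 # assumed: bad-logon count after which admins should lock

# 1. Domain accounts get exactly one password/lockout policy: the one linked at the domain root.
$domain = Get-ADDomain
$policy = Get-ADDefaultDomainPasswordPolicy
Write-Host ("Domain-level policy for {0}: MinPasswordLength={1} ComplexityEnabled={2} LockoutThreshold={3}" -f $domain.DNSRoot, $policy.MinPasswordLength, $policy.ComplexityEnabled, $policy.LockoutThreshold)
if ($policy.MinPasswordLength -lt $TargetMinLen) {
    Write-Warning ("Domain minimum length {0} is below the target {1}; an OU-linked GPO cannot raise it for domain accounts." -f $policy.MinPasswordLength, $TargetMinLen)
}
if ($policy.LockoutThreshold -eq 0) {
    Write-Warning "LockoutThreshold is 0: no domain account, admin or otherwise, will lock out."
} elseif ($policy.LockoutThreshold -gt $TargetLockout) {
    Write-Warning ("LockoutThreshold {0} is looser than the target {1} for admin accounts." -f $policy.LockoutThreshold, $TargetLockout)
}

# 2. GPOs that carry Account Policy settings but are linked below the domain root.
#    Those values do not reach domain accounts; they only affect the local SAM of
#    machines that sit under the linked OU. The setting names are the secedit names
#    that appear in the GPO XML report.
$accountSettings = 'MinimumPasswordLength|PasswordComplexity|LockoutBadCount|LockoutDuration'
foreach ($gpo in Get-GPO -All -Domain $domain.DNSRoot) {
    $xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $domain.DNSRoot
    if ($xml -notmatch $accountSettings) { continue }
    # <SOMPath> equal to the DNS root is a domain link; OU links contain a '/'.
    $links = [regex]::Matches($xml, '<SOMPath>([^<]+)</SOMPath>') | ForEach-Object { $_.Groups[1].Value }
    foreach ($link in $links) {
        if ($link -ne $domain.DNSRoot) {
            Write-Warning ("GPO '{0}' sets Account Policy values but is linked at '{1}'; those values do not apply to domain accounts." -f $gpo.DisplayName, $link)
        }
    }
}

# 3. State of the admin accounts. The built-in Administrator is found by RID 500,
#    because renaming it does not change its SID.
$rid500  = '{0}-500' -f $domain.DomainSID.Value
$builtin = Get-ADUser -Identity $rid500 -Properties LockedOut, Enabled, PasswordLastSet, LastLogonDate
Write-Host ("Built-in Administrator (RID 500) is named '{0}': Enabled={1} LockedOut={2} PasswordLastSet={3}" -f $builtin.SamAccountName, $builtin.Enabled, $builtin.LockedOut, $builtin.PasswordLastSet)
if ($builtin.SamAccountName -eq 'Administrator' -and $builtin.Enabled) {
    Write-Warning "Built-in Administrator still has its default name and is enabled; the thread suggests renaming or disabling it and using a separate admin account."
}

# Every user that is a (nested) member of the admin group, with lockout and password state.
Get-ADGroupMember -Identity $AdminGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties LockedOut, Enabled, PasswordLastSet, PasswordNeverExpires |
    Select-Object SamAccountName, Enabled, LockedOut, PasswordLastSet, PasswordNeverExpires |
    Format-Table -AutoSize
```

Run it from a domain-joined management host as a user that can read Group Policy objects. The warnings are the part to act on: a GPO that sets MinimumPasswordLength or LockoutBadCount but is linked at an OU path is exactly the mistake the thread describes, and the only numbers that matter for the domain accounts are the ones printed in step 1.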
