Re: Policy enforcement- Admin accounts



You can, BUT (and this is a big but), password policies set on OUs
only apply to the local computer accounts that are affected - they do
*not* apply to domain accounts. Domain account passwords are only
affected by Domain-level GPOs.


On Dec 18, 2007 4:11 AM, mgk.mailing <mgk.mailing@xxxxxxxxxxxxxx> wrote:
Guys. AFAIK you can set in effect password policies on an OU basis. The
policies are set up via creation of a GPO and then applied to the OU.
Depending on how inheritance is set up, AFAIK the default settings will
mean that the GPO closest to the Active Directory object (user /
computer) will take effect.

Mgk



Paul J. Brickett wrote:
Charles is correct in regards to the inability to set password
policies on an OU basis.

He is not correct in regards to the default domain Administrator
account not being able to be locked. Please consult the following MS
article, which describes how to configure the domain\administrator
account to lockout using ADSIedit:
http://support.microsoft.com/kb/885119


On Mon, 17 Dec 2007, Can DEGER wrote:

Charles Hardin is absolutely right on this subject; you can't set
password policies with OUs.. :(
That's why security professionals advise administrators to
disable the "admin" account (or even rename it)
and then use another account with the "admin" privileges. After you
have yourself that kind of an account, you can set the account lockout
policy for it..
Unfortunately, password policies are set domain wide.

As Charles Hardin mentioned below, if you move your accounts to another
domain, you should establish a trust between your domain and the admin domain,
so that management would not be a problem...




On Dec 17, 2007 6:34 PM, Charles Hardin <fonestorm@xxxxxxxxx> wrote:
Sadly with AD you can only have one account security policy per
domain. You would need to make a second domain in your forest and move
your admin accounts there. Also remember the actual Administrator
account CANNOT be locked out.




On Dec 15, 2007 11:32 AM, WALI <hkhasgiwale@xxxxxxxxx> wrote:
In an Active Directory environment (Windows 2003), I want to ensure
lockout for administrator accounts also, in order to protect against
attempts to brute force the account password. The flipside is that we
might have a DoS situation, but I can live with it. Is there a tool I
can deploy to ensure that the admin account also locks out after a
certain number of attempts?

Also, ONLY for admin accounts, I want to enforce certain settings like:
the password should contain at least 15 characters, should not contain
a dictionary word, etc.
My normal password policy for AD user accounts, set at the domain
level, is a minimum of 8 chars, but I want to deploy this special
policy of 15 chars minimum for admin accounts.

How should I go about this?

--
ME2
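Added example, written for this archive and not posted by anyone in the thread above. The replies are correct for the Windows 2003 domain the question describes: there is exactly one password and lockout policy per domain, and OU-linked GPOs only reach local accounts. Domains raised to the Windows Server 2008 functional level or later can instead attach a Password Settings Object (PSO) to a group such as Domain Admins, which is what the original question asks for. The script below assumes that functional level, the ActiveDirectory PowerShell module from RSAT, and permission to create objects in the Password Settings Container; the PSO name, precedence and thresholds are constructed values, not anything from the thread.

```powershell
# Added example (not from the thread). Assumes: domain functional level
# Windows Server 2008 or higher, the ActiveDirectory module (RSAT), and
# rights to create objects in the Password Settings Container.
Import-Module ActiveDirectory

# 1. Show the domain-wide policy that applies to everyone by default
#    (the single per-domain policy the thread is discussing).
$domain  = Get-ADDomain
$default = Get-ADDefaultDomainPasswordPolicy
Write-Output "Domain $($domain.DNSRoot), functional level $($domain.DomainMode)"
Write-Output ("Default policy: min length {0}, lockout threshold {1}" -f
    $default.MinPasswordLength, $default.LockoutThreshold)

# Fine-grained policies need a 2008+ domain functional level; on a
# Windows 2003 domain the domain-wide setting is the only option.
$preFgpp = @('Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain')
if ($preFgpp -contains [string]$domain.DomainMode) {
    throw "Functional level $($domain.DomainMode) does not support fine-grained password policies."
}

# 2. Create a PSO for privileged accounts: 15-character minimum and
#    lockout after 5 bad attempts within 30 minutes (constructed values).
$psoName = 'PSO-PrivilegedAccounts'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -MinPasswordLength 15 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' `
        -MaxPasswordAge '60.00:00:00' `
        -LockoutThreshold 5 `
        -LockoutObservationWindow '00:30:00' `
        -LockoutDuration '00:30:00' `
        -ReversibleEncryptionEnabled $false `
        -ProtectedFromAccidentalDeletion $true
}

# 3. Bind the PSO to the privileged group. PSOs apply to users and global
#    security groups, never to OUs, so group membership is the scoping tool.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# 4. Verify the resultant policy for each member. A null result means the
#    account still falls under the domain-wide default policy.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $rsop = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        $effective = if ($rsop) { $rsop.Name } else { 'Default Domain Policy' }
        '{0,-20} -> {1}' -f $_.SamAccountName, $effective
    }
```

The verification step matters because a PSO silently loses to another PSO with a lower precedence number, and an account in no PSO-targeted group keeps the 8-character domain default. A PSO can express length, complexity, history, age and lockout, but not the "no dictionary word" rule from the original question; that still needs a password filter on the domain controllers.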


