Re: Service Accounts & Account Lock out Policy



You cannot. The lockout policy is domain wide and there is no way to specify exemptions.

Also I would say that 5 bads is extremely low and will likely be counterproductive and cause you more issues than it is worth. The idea behind lockouts is to prevent automated systems from brute force hacking a password via sending tens, hundreds or thousands of passwords a minute. If you set the policy as low as 25 with a five minute lockout reset, this should be more than adequate to prevent brute force attacks and not completely piss off your users when they fat finger.

In every case I have seen low values for lockout counts implemented, I have seen false positive lockouts increase considerably. When you get into the silly levels of 3-5 bads, your false positives can reach up into the 30-50% range. There are programs (and OS revisions) out there that will cause 3 bad authentications for every logon attempt as different security providers are used.

Another item... You should try to avoid using the same service ID for multiple machines/services. This is one of the primary causes of service ID lockouts, because when the IDs are changed, if you don't do it properly, you have multiple machines all trying to use the old bad one. If you absolutely MUST use the same ID for normal use, then you can try to stagger the password changes by using ServiceID1, ServiceID2, etc.: when you initially set up, you set the password on ServiceID1 and configure the services. Then when you need to change the password, you set the new password on ServiceID2 and then change the services to use that ID and the password it should be using.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Feras Mustafa wrote:
Hi,
I want to enable an account lock-out policy to restrict up to 5 bad logons. I don't want this policy to apply to the Service accounts used by the applications, as it will lock out the service account and will stop it. Is there any way to accomplish this?

Note: the Policy I am trying to use is the Default Domain policy as I want the same policy to be applied to all users across the domain.
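As an added PowerShell example (not from Joe's post or anyone else in this thread), this script does the inventory step that his staggered-rotation advice depends on: before changing a shared service ID's password, find every host still running a service as that account, so no machine keeps retrying the old password and locks the ID out. The host names and the account name are constructed placeholders, and querying remote hosts assumes WinRM/CIM access.

```powershell
# Added example, not from the original post. Lists every service on the given
# hosts that logs on as the shared service account, so the rotation plan
# covers all of them. Host names and the account name are constructed
# placeholders; remote queries need WinRM/CIM access.
param(
    [string[]]$ComputerName   = @('app01', 'app02', 'web01'),  # constructed
    [string]  $ServiceAccount = 'CONTOSO\svc-app'              # constructed
)

function Get-BareAccountName([string]$Account) {
    # Normalise 'DOMAIN\name', '.\name' and 'name@domain.tld' to 'name'
    if ($Account -match '\\') { return ($Account -split '\\')[-1].ToLower() }
    if ($Account -match '@')  { return ($Account -split '@')[0].ToLower() }
    return $Account.ToLower()
}

$target  = Get-BareAccountName $ServiceAccount
$results = foreach ($computer in $ComputerName) {
    try {
        # Win32_Service.StartName is the logon account each service runs as
        Get-CimInstance -ClassName Win32_Service -ComputerName $computer -ErrorAction Stop |
            Where-Object { $_.StartName -and (Get-BareAccountName $_.StartName) -eq $target } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer  = $computer
                    Service   = $_.Name
                    StartName = $_.StartName
                    State     = $_.State
                }
            }
    }
    catch {
        # A host you cannot reach is exactly the one likely to keep the old password
        Write-Warning "Could not query $computer : $($_.Exception.Message)"
    }
}

if (-not $results) {
    "No services on the listed hosts run as $ServiceAccount."
}
else {
    # One line per host: the list to reconfigure when the password changes.
    # Scheduled tasks, IIS app pools and COM+ applications store credentials
    # elsewhere and are not covered by Win32_Service.
    $results | Group-Object Computer | ForEach-Object {
        '{0}: {1} -> {2}' -f $_.Name, ($_.Group.Service -join ', '), $ServiceAccount
    }
}
```

Run it once before the change and again after the services have been switched to the new ID; any host that still reports the old account is a lockout waiting to happen.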
