Re: Account Lockout Duration catch 22?

From: Colin Nash [MVP] (cnash-REMOVETHIS-_at_mvps.org)
Date: 05/04/04


Date: Mon, 3 May 2004 22:18:17 -0400

Yep I believe that the built-in administrator will always be able to log in
at the console of a DC. I'm not sure if network access to it gets blocked
when the account is 'locked' (now I'm curious... can anyone confirm? :))

"Ben M. Schorr, MVP-OneNote" <bens@bogusaddress.mvp> wrote in message
news:c27e6df4769a4c2ab1eaed7bf397f907@ghytred.com...
> On 03 May 2004 12:56, "CG" wrote:
> >If I set Account Lockout Duration to 0 requiring an admin to unlock
> >IDs….
> > What happens if all the admin accounts get locked? A malicious user,
> >password-guessing worm, or even an admin running a security scanner
> >that checks password of all the IDs in the domain, could do the trick.
> >Am I correct in thinking that if this happens in a root domain it would
> >be time to start over and completely rebuild?
>
> If I recall correctly the main administrator account can't be locked out.
> Yes, you can check the box, but it doesn't actually do anything.
> --
> -Ben-
> Ben M. Schorr, MVP-OneNote
> OneNote FAQ: http://home.hawaii.rr.com/schorr/Computers/OneNoteFAQ.htm
> SchorrTech Blog: http://www.thespoke.net/MyBlog/bschorr/MyBlog.aspx
>
>