Re: GPO Question

From: Brian Desmond [MVP] (desmondb_at_payton.cps.k12.il.us)
Date: 10/10/03

    Date: Thu, 9 Oct 2003 19:45:38 -0500
    
    

    Account Lockout and Password policy is domainwide - you cannot define it on
    an OU level.

    -- 
    Brian Desmond
    Windows Server MVP
    desmondb@payton.cps.k12.il.us
    http://www.briandesmond.com
    "Impu" <impu007@yahoo.com> wrote in message
    news:uGBAeOpjDHA.424@TK2MSFTNGP10.phx.gbl...
    > I have an OU called App and under App, I have various app OUs.  For example,
    > I have a Sales OU that contains all the sales computers, and Consultant OU
    > that contains all the Consultant workstations and so on.   Basically all
    > computers, workstations and servers belong to their designated app OUs under
    > central APP OU.
    >
    > -DOMAIN-ROOT
    >        |______APP
    >                |________SALES
    >                           |____________SWK123
    >                           |____________SWK456
    >                |________CONSULTANT
    >                           |____________CWK123
    >                           |____________CWK456
    >
    > From root domain, I have also account OUs, for example
    >
    > -DOMAIN-ROOT
    >          |____ACCOUNTS
    >                        |____________DomainUsers
    >                        |____________ServiceAccounts
    >                        |____________Customers
    >
    > Everybody belongs to DomainUsers OU (except Service Accounts and Customers).
    > I mean, Sales, Consultants and others.    Now, I want to apply different
    > type of GPO per category.  I like to separate them in 3 categories on how
    > GPO will be applied...
    >
    > -Domain Users
    > -Service Accounts
    > -Customers
    >
    > :DomainUsers GPO
    > =3 strikes and Lockout
    > =9 character pass
    > =high secure pass
    > =expire every 30 days
    >
    > :ServiceAccount GPO
    > =No Lockout
    > =5 chr pass
    > =Do not expire
    >
    > :Customers
    > =5 strikes and lockout
    > =8 char pass
    > =high secure pass
    > =blah blah blah :)
    >
    >
    > This is a W2K3 AD environment.    I am using GPMC and running into an
    > issue....   Since all computers are under APP OU, I am not quite sure how I
    > can allow Service Accounts to have no lockout option, while enforcing lockout
    > option for Domain Users and Customers?
    
