Re: Keeping service accounts from locking

---

• From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
• Date: Sun, 22 Oct 2006 01:15:05 -0400

---

Special hardcoded functionality.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Scott Shoemaker wrote:

OK,
That is pretty much what I thought, but I appreciate the confirmation from Steve and yourself. So, how is it that the Administrator account is not subject to this policy?

-Scott

"Joe Richards [MVP]" wrote:

No you cannot set accounts to not lock. You either have the locking policy or you don't. Some places will create an additional domain for service accounts. A better solution is to use network service or local service instead of userids or as Steve suggests get away from using lockouts at all or change your use of them.

If you must have lockouts, consider switching to a short lockout duration so that a lockout on the account doesn't completely black out the service. This is an attack vector as indicated by Steve.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Scott Shoemaker wrote:

Hi,
We have a domain policy which dictates that locked accounts stay locked until they are unlocked. Last week, a domain account that is used to run a service got locked and brought an application down. So, is there any way to specifiy on an individual account that it should not be locked? As a follow on question, how is this accomplished on the Administrator account?

Thanks,
Scott

.

---

• References:
  • Re: Keeping service accounts from locking
    • From: Joe Richards [MVP]

• Prev by Date: IPSec Tunnel mode
• Next by Date: Re: IPSec Tunnel mode
• Previous by thread: Re: Keeping service accounts from locking
• Next by thread: Domain Local Security vs Global Security vs Universal Security Groups
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Field greyed out when account ops try to unlock account ... Joe Richards Microsoft MVP Windows Server Directory Services ... Richard Alexander wrote: ... After i read up on delegation, I removed them from the account operators group and created a new group called xxx-accops and then delegated permissions on the OUs. ... (microsoft.public.windows.server.active_directory) Re: Field greyed out when account ops try to unlock account ... Joe Richards Microsoft MVP Windows Server Directory Services ... Richard Alexander wrote: ... After i read up on delegation, I removed them from the account ... (microsoft.public.windows.server.active_directory) Re: Field greyed out when account ops try to unlock account ... did as you suggested and looked up the adminsdholder at google. ... Originally i had the help deskers in the account operators group, ... Joe Richards Microsoft MVP Windows Server Directory Services ... (microsoft.public.windows.server.active_directory) Re: Field greyed out when account ops try to unlock account ... I ran the following command to try and restore inherit permissions at the ou ... Joe Richards Microsoft MVP Windows Server Directory Services ... Tried on several different account with same result. ... (microsoft.public.windows.server.active_directory) Re: Field greyed out when account ops try to unlock account ... Joe Richards Microsoft MVP Windows Server Directory Services ... Tried on several different account with same result. ... (microsoft.public.windows.server.active_directory)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.windows.server.security  > 2006-10