Home page logo

basics logo Security Basics mailing list archives

Re: Policy enforcement- Admin accounts
From: "Charles Hardin" <fonestorm () gmail com>
Date: Mon, 17 Dec 2007 11:34:40 -0500

Sadly with AD you can only have one account security policy per
domain. You would need to make a second domain in your forest and move
your admin accounts there. Also remember the actual Administrator
account CANNOT be locked out.

On Dec 15, 2007 11:32 AM, WALI <hkhasgiwale () gmail com> wrote:
In an active directory environment (windows 2003), I want to ensure lockout
for administrator accounts also, in order to protect against attempts to
brute force account password. The flipside is, we might have a DoS situation
but I can live with it. Is there a tool I can deploy to ensure that admin
account also locks out after certain no. of attemps?

Also, ONLY for admin accounts, I want to enforce certain settings like:
Password should contain atleast 15 characters, should not contain a
dictionary word etc.
My normal password policy for AD user accounts, set at the domain level is a
minimum of 8 chars but I want to deploy this special policy of 15 chars
minimum for admin accounts.

How should I go about this?

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]