Home page logo

basics logo Security Basics mailing list archives

RE: Policy enforcement- Admin accounts
From: "Ricky Kerby" <Rkerby () fbtonline com>
Date: Mon, 17 Dec 2007 11:38:16 -0600

Create a new OU and put your admin accounts in it then remove the link
for the Domain policy from the root. Then create a new GPO with the
desired account settings and apply it to the OU with your admin

Ricky E. Kerby
Network Engineer/Data Security Officer
First Bank and Trust
Office: (504)-584-5943
Mobile: (504)-220-1631
Fax: (504)-620-1401
rkerby () fbtonline com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Charles Hardin
Sent: Monday, December 17, 2007 10:35 AM
Cc: security-basics () securityfocus com
Subject: Re: Policy enforcement- Admin accounts

Sadly with AD you can only have one account security policy per domain.
You would need to make a second domain in your forest and move your
admin accounts there. Also remember the actual Administrator account
CANNOT be locked out.

On Dec 15, 2007 11:32 AM, WALI <hkhasgiwale () gmail com> wrote:
In an active directory environment (windows 2003), I want to ensure 
lockout for administrator accounts also, in order to protect against 
attempts to brute force account password. The flipside is, we might 
have a DoS situation but I can live with it. Is there a tool I can 
deploy to ensure that admin account also locks out after certain no.
of attemps?

Also, ONLY for admin accounts, I want to enforce certain settings
Password should contain atleast 15 characters, should not contain a 
dictionary word etc.
My normal password policy for AD user accounts, set at the domain 
level is a minimum of 8 chars but I want to deploy this special policy

of 15 chars minimum for admin accounts.

How should I go about this?

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]