RE: Policy enforcement- Admin accounts
From: "Ricky Kerby" <Rkerby () fbtonline com>
Date: Mon, 17 Dec 2007 11:38:16 -0600
Create a new OU and put your admin accounts in it, then remove the link
for the Domain policy from the root. Then create a new GPO with the
desired account settings and apply it to the OU with your admin
Ricky E. Kerby
Network Engineer/Data Security Officer
First Bank and Trust
rkerby () fbtonline com
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Charles Hardin
Sent: Monday, December 17, 2007 10:35 AM
Cc: security-basics () securityfocus com
Subject: Re: Policy enforcement- Admin accounts
Sadly with AD you can only have one account security policy per domain.
You would need to make a second domain in your forest and move your
admin accounts there. Also remember the actual Administrator account
CANNOT be locked out.
On Dec 15, 2007 11:32 AM, WALI <hkhasgiwale () gmail com> wrote:
In an Active Directory environment (Windows 2003), I want to ensure
lockout for administrator accounts also, in order to protect against
attempts to brute force account password. The flipside is, we might
have a DoS situation but I can live with it. Is there a tool I can
deploy to ensure that admin account also locks out after certain no.
Also, ONLY for admin accounts, I want to enforce certain settings
Password should contain at least 15 characters, should not contain a
dictionary word etc.
My normal password policy for AD user accounts, set at the domain
level is a minimum of 8 chars but I want to deploy this special policy
of 15 chars minimum for admin accounts.
How should I go about this?