Home page logo

basics logo Security Basics mailing list archives

Re: Policy enforcement- Admin accounts
From: "Paul J. Brickett" <swarzkopf () legolas sinnerz us>
Date: Mon, 17 Dec 2007 13:17:07 -0500 (EST)

Also remember the actual Administrator
account CANNOT be locked out.

Absolutely NOT true. I really wish this myth would die.

In a Server 2003 functional level domain you can configure the domain\Administrator account to lockout via configuring the correct options in ADSIedit.

In earlier functional levels you can use the "passprop.exe" utility from the MS resource kit to configure the domain\Administrator account to comply
with your domain lockout policy. Passprop works with Server 2K3 as well.

On Mon, 17 Dec 2007, Charles Hardin wrote:

Sadly with AD you can only have one account security policy per
domain. You would need to make a second domain in your forest and move
your admin accounts there. Also remember the actual Administrator
account CANNOT be locked out.

On Dec 15, 2007 11:32 AM, WALI <hkhasgiwale () gmail com> wrote:
In an active directory environment (windows 2003), I want to ensure lockout
for administrator accounts also, in order to protect against attempts to
brute force account password. The flipside is, we might have a DoS situation
but I can live with it. Is there a tool I can deploy to ensure that admin
account also locks out after certain no. of attemps?

Also, ONLY for admin accounts, I want to enforce certain settings like:
Password should contain atleast 15 characters, should not contain a
dictionary word etc.
My normal password policy for AD user accounts, set at the domain level is a
minimum of 8 chars but I want to deploy this special policy of 15 chars
minimum for admin accounts.

How should I go about this?

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]