Security Basics: Re: Policy enforcement- Admin accounts

[Raoul Armfield <armfield () amnh org>]

mgk, you are mistaking.  Password policies are, as has been repeatedly 
stated in this thread, only possible on a domain wide basis.
Raoul

mgk.mailing wrote, On 12/18/2007 4:11 AM:
> Guys.  Afaik you can set in effect password polices on an ou basis.  The 
> polcies are setup via creation of a GPO and then applied to the OU.  
> Depending on how inheritance is setup afaik the default settings will 
> mean that the GPO closest to the active directory object (user / 
> computer) will take effect.
> Mgk
>
>
> Paul J. Brickett wrote:
> > Charles is correct in regards to the inability to set password 
> > policies on an OU basis.
> > He is not correct in regards to the default domain Administrator 
> > account not being able to be locked. Please consult the following MS 
> > article, which describes how to configure the domain\administrator 
> > account to lockout using ADSIedit:
> > http://support.microsoft.com/kb/885119
> >
> >
> > On Mon, 17 Dec 2007, Can DEGER wrote:
> >
> > > Charles Hardin is absolutely right, on this subject, you cant set
> > > password policies with OUs.. :(
> > > thats why, security professionals advising the administrators, to
> > > disable the "admin" account (even rename it)
> > > and then use another account with the "admin" privileges. after you
> > > have yourself that kind of an account you can set the account lockout
> > > policy for it..
> > > unfotunately password policies are set domain wide.
> > >
> > > As Charles Hardin mentioned below, moving your accounts to another
> > > domain, should establish a trust between your domain and admin domain,
> > > so that management would not be a problem...
> > >
> > >
> > >
> > >
> > > On Dec 17, 2007 6:34 PM, Charles Hardin <fonestorm () gmail com> wrote:
> > > > Sadly with AD you can only have one account security policy per
> > > > domain. You would need to make a second domain in your forest and move
> > > > your admin accounts there. Also remember the actual Administrator
> > > > account CANNOT be locked out.
> > > >
> > > >
> > > >
> > > >
> > > > On Dec 15, 2007 11:32 AM, WALI <hkhasgiwale () gmail com> wrote:
> > > > > In an active directory environment (windows 2003), I want to ensure 
> > > > > lockout
> > > > > for administrator accounts also, in order to protect against 
> > > > > attempts to
> > > > > brute force account password. The flipside is, we might have a DoS 
> > > > > situation
> > > > > but I can live with it. Is there a tool I can deploy to ensure that 
> > > > > admin
> > > > > account also locks out after certain no. of attemps?
> > > > >
> > > > > Also, ONLY for admin accounts, I want to enforce certain settings 
> > > > > like:
> > > > > Password should contain atleast 15 characters, should not contain a
> > > > > dictionary word etc.
> > > > > My normal password policy for AD user accounts, set at the domain 
> > > > > level is a
> > > > > minimum of 8 chars but I want to deploy this special policy of 15 
> > > > > chars
> > > > > minimum for admin accounts.
> > > > >
> > > > > How should I go about this?
--
Raoul Armfield
rarmfield at amnh dot org