Re: Policy enforcement- Admin accounts

["Can DEGER" <can.deger () gmail com>]

Charles Hardin is absolutely right, on this subject, you cant set
password policies with OUs.. :(
thats why, security professionals advising the administrators, to
disable the "admin" account (even rename it)
and then use another account with the "admin" privileges. after you
have yourself that kind of an account you can set the account lockout
policy for it..
unfotunately password policies are set domain wide.

As Charles Hardin mentioned below, moving your accounts to another
domain, should establish a trust between your domain and admin domain,
so that management would not be a problem...




On Dec 17, 2007 6:34 PM, Charles Hardin <fonestorm () gmail com> wrote:
> Sadly with AD you can only have one account security policy per
> domain. You would need to make a second domain in your forest and move
> your admin accounts there. Also remember the actual Administrator
> account CANNOT be locked out.
>
>
>
>
> On Dec 15, 2007 11:32 AM, WALI <hkhasgiwale () gmail com> wrote:
> > In an active directory environment (windows 2003), I want to ensure lockout
> > for administrator accounts also, in order to protect against attempts to
> > brute force account password. The flipside is, we might have a DoS situation
> > but I can live with it. Is there a tool I can deploy to ensure that admin
> > account also locks out after certain no. of attemps?
> >
> > Also, ONLY for admin accounts, I want to enforce certain settings like:
> > Password should contain atleast 15 characters, should not contain a
> > dictionary word etc.
> > My normal password policy for AD user accounts, set at the domain level is a
> > minimum of 8 chars but I want to deploy this special policy of 15 chars
> > minimum for admin accounts.
> >
> > How should I go about this?