Re: Policy enforcement- Admin accounts

["Micheal Espinola Jr" <michealespinola () gmail com>]

Please read my previous response.  OU GPO password policies only apply
to LOCAL computer accounts - they do not effect DOMAIN account
password policy settings.

Sounds crazy, but its true.


On Dec 18, 2007 11:38 AM, Charles Hardin <fonestorm () gmail com> wrote:
> The domain level policy for account security will superceed ALL ou settings.
>
>
> On Dec 18, 2007 4:11 AM, mgk.mailing <mgk.mailing () googlemail com> wrote:
> > Guys.  Afaik you can set in effect password polices on an ou basis.  The
> > polcies are setup via creation of a GPO and then applied to the OU.
> > Depending on how inheritance is setup afaik the default settings will
> > mean that the GPO closest to the active directory object (user /
> > computer) will take effect.
> >
> > Mgk
> >
> >
> >
> > Paul J. Brickett wrote:
> > > Charles is correct in regards to the inability to set password
> > > policies on an OU basis.
> > >
> > > He is not correct in regards to the default domain Administrator
> > > account not being able to be locked. Please consult the following MS
> > > article, which describes how to configure the domain\administrator
> > > account to lockout using ADSIedit:
> > > http://support.microsoft.com/kb/885119
> > >
> > >
> > > On Mon, 17 Dec 2007, Can DEGER wrote:
> > >
> > > > Charles Hardin is absolutely right, on this subject, you cant set
> > > > password policies with OUs.. :(
> > > > thats why, security professionals advising the administrators, to
> > > > disable the "admin" account (even rename it)
> > > > and then use another account with the "admin" privileges. after you
> > > > have yourself that kind of an account you can set the account lockout
> > > > policy for it..
> > > > unfotunately password policies are set domain wide.
> > > >
> > > > As Charles Hardin mentioned below, moving your accounts to another
> > > > domain, should establish a trust between your domain and admin domain,
> > > > so that management would not be a problem...
> > > >
> > > >
> > > >
> > > >
> > > > On Dec 17, 2007 6:34 PM, Charles Hardin <fonestorm () gmail com> wrote:
> > > > > Sadly with AD you can only have one account security policy per
> > > > > domain. You would need to make a second domain in your forest and move
> > > > > your admin accounts there. Also remember the actual Administrator
> > > > > account CANNOT be locked out.
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > On Dec 15, 2007 11:32 AM, WALI <hkhasgiwale () gmail com> wrote:
> > > > > > In an active directory environment (windows 2003), I want to ensure
> > > > > > lockout
> > > > > > for administrator accounts also, in order to protect against
> > > > > > attempts to
> > > > > > brute force account password. The flipside is, we might have a DoS
> > > > > > situation
> > > > > > but I can live with it. Is there a tool I can deploy to ensure that
> > > > > > admin
> > > > > > account also locks out after certain no. of attemps?
> > > > > >
> > > > > > Also, ONLY for admin accounts, I want to enforce certain settings
> > > > > > like:
> > > > > > Password should contain atleast 15 characters, should not contain a
> > > > > > dictionary word etc.
> > > > > > My normal password policy for AD user accounts, set at the domain
> > > > > > level is a
> > > > > > minimum of 8 chars but I want to deploy this special policy of 15
> > > > > > chars
> > > > > > minimum for admin accounts.
> > > > > >
> > > > > > How should I go about this?



-- 
ME2