Security Basics mailing list archives

RE: Policy enforcement- Admin accounts


From: "Ricky Kerby" <Rkerby () fbtonline com>
Date: Mon, 17 Dec 2007 11:38:16 -0600

Create a new OU and put your admin accounts in it then remove the link
for the Domain policy from the root. Then create a new GPO with the
desired account settings and apply it to the OU with your admin
accounts. 

Ricky E. Kerby
Network Engineer/Data Security Officer
First Bank and Trust
Office: (504)-584-5943
Mobile: (504)-220-1631
Fax: (504)-620-1401
rkerby () fbtonline com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Charles Hardin
Sent: Monday, December 17, 2007 10:35 AM
To: WALI
Cc: security-basics () securityfocus com
Subject: Re: Policy enforcement- Admin accounts

Sadly with AD you can only have one account security policy per domain.
You would need to make a second domain in your forest and move your
admin accounts there. Also remember the actual Administrator account
CANNOT be locked out.

On Dec 15, 2007 11:32 AM, WALI <hkhasgiwale () gmail com> wrote:
In an Active Directory environment (Windows 2003), I want to ensure
lockout for administrator accounts also, in order to protect against
attempts to brute force the account password. The flipside is that we
might have a DoS situation, but I can live with it. Is there a tool I
can deploy to ensure that the admin account also locks out after a
certain no. of attempts?

Also, ONLY for admin accounts, I want to enforce certain settings
like:
Password should contain at least 15 characters, should not contain a
dictionary word, etc.
My normal password policy for AD user accounts, set at the domain
level, is a minimum of 8 chars, but I want to deploy this special policy
of 15 chars minimum for admin accounts.

How should I go about this?
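The split policy discussed in this thread (15-character minimum plus a dictionary check for admin accounts, the 8-character domain minimum for everyone else, and a lockout counter that can never lock the built-in Administrator), written out as an added stand-alone Python simulation; this is not code from the thread or from Windows, and the account names, wordlist and thresholds are constructed for illustration.

```python
"""Simulation of the split policy the thread asks for: admin accounts get a
15-character minimum plus a dictionary check, ordinary accounts keep the
8-character domain minimum, and bad logons count toward a lockout threshold.
Stand-alone Python, not Windows' policy engine or a GPO (assumption)."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    reject_dictionary_words: bool = False

# Policies built from the numbers given in the thread.
ADMIN_POLICY = PasswordPolicy(min_length=15, reject_dictionary_words=True)
USER_POLICY = PasswordPolicy(min_length=8)

# Constructed, deliberately tiny wordlist; a real deployment loads a full one.
DICTIONARY = {"password", "winter", "admin", "welcome", "bank"}

def policy_for(account, admin_accounts):
    """Pick the policy by account class, matching case-insensitively."""
    return ADMIN_POLICY if account.lower() in admin_accounts else USER_POLICY

def check_password(account, password, admin_accounts):
    """Return the list of violations; an empty list means the password passes."""
    policy = policy_for(account, admin_accounts)
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.reject_dictionary_words:
        hits = sorted(w for w in DICTIONARY if w in password.lower())
        if hits:
            problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems

@dataclass
class LockoutTracker:
    """Counts failed logons per account inside an observation window."""
    threshold: int = 5
    window_seconds: int = 1800
    failures: dict = field(default_factory=dict)   # account -> failure times
    locked: set = field(default_factory=set)

    def record_failure(self, account, when, builtin_admin="administrator"):
        """Record a bad logon at time `when` (seconds); return True if locked.
        The built-in Administrator never locks, as the thread points out."""
        recent = [t for t in self.failures.get(account, []) if when - t < self.window_seconds]
        recent.append(when)
        self.failures[account] = recent
        if len(recent) >= self.threshold and account.lower() != builtin_admin:
            self.locked.add(account)
        return account in self.locked
```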



