Security Basics mailing list archives
Re: Policy enforcement- Admin accounts
From: "mgk.mailing" <mgk.mailing () googlemail com>
Date: Tue, 18 Dec 2007 17:37:58 +0000
Ok, well, I have done some further reading; there seems to be some solid evidence backing what you're all saying, the most obvious being that the password policies are computer-based rather than user-based. I'm guessing from what I have read that although you can do what I specify below, they won't actually be implemented in the real world.
Thanks for the input, although a more verbose reason as to why would probably have helped (if there is one).
mgk.

mgk.mailing wrote:

Ok, I don't understand then. I have just set up a default policy of a password length of 7 as a test and applied it to the GPO on the root of the domain. Then in my test user group I created a new GPO with a different password length, and as long as I block policy inheritance on the OU it does what I am talking about by allowing a stronger password policy for the OU. I can see why you wouldn't want to block policy inheritance for a lot of users, but for one OU of admin users I don't see the problem. This is on a W2K3 domain, btw, although I seem to remember doing it on 2K but could be wrong.

Cheers
mgk

Charles Hardin wrote:

The domain level policy for account security will supersede ALL OU settings.

On Dec 18, 2007 4:11 AM, mgk.mailing <mgk.mailing () googlemail com> wrote:

Guys. AFAIK you can set, in effect, password policies on an OU basis. The policies are set up via creation of a GPO and then applied to the OU. Depending on how inheritance is set up, AFAIK the default settings will mean that the GPO closest to the Active Directory object (user / computer) will take effect.

Mgk

Paul J. Brickett wrote:

Charles is correct in regards to the inability to set password policies on an OU basis. He is not correct in regards to the default domain Administrator account not being able to be locked. Please consult the following MS article, which describes how to configure the domain\administrator account to lock out using ADSIedit: http://support.microsoft.com/kb/885119

On Mon, 17 Dec 2007, Can DEGER wrote:

Charles Hardin is absolutely right on this subject; you can't set password policies with OUs.. :( That's why security professionals advise administrators to disable the "admin" account (even rename it) and then use another account with the "admin" privileges. After you have yourself that kind of an account you can set the account lockout policy for it.. Unfortunately, password policies are set domain wide.

As Charles Hardin mentioned below, moving your accounts to another domain should establish a trust between your domain and the admin domain, so that management would not be a problem...

On Dec 17, 2007 6:34 PM, Charles Hardin <fonestorm () gmail com> wrote:

Sadly, with AD you can only have one account security policy per domain. You would need to make a second domain in your forest and move your admin accounts there. Also remember the actual Administrator account CANNOT be locked out.

On Dec 15, 2007 11:32 AM, WALI <hkhasgiwale () gmail com> wrote:

In an Active Directory environment (Windows 2003), I want to ensure lockout for administrator accounts also, in order to protect against attempts to brute force the account password. The flipside is, we might have a DoS situation, but I can live with it. Is there a tool I can deploy to ensure that the admin account also locks out after a certain number of attempts? Also, ONLY for admin accounts, I want to enforce certain settings like: the password should contain at least 15 characters, should not contain a dictionary word, etc. My normal password policy for AD user accounts, set at the domain level, is a minimum of 8 chars, but I want to deploy this special policy of 15 chars minimum for admin accounts. How should I go about this?
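The original question asked for lockout on admin accounts to resist brute-force attempts, and the replies say the built-in Administrator account cannot be locked out by policy on a Windows 2003 domain. As an added example that is not part of this thread, the script below applies a lockout-style threshold and observation window to failed-logon events for privileged accounts as a detection instead; the CSV export format, the admin account list and the event records are all constructed for the example (event 529 is the Windows 2000/2003 "bad user name or password" Security log event).

```python
"""Added example: alert when failed logons against a privileged account from one
source reach a lockout-style threshold inside an observation window."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export, one event per line: timestamp,event_id,account,source_ip.
SAMPLE_LOG = """\
2007-12-17 11:30:01,529,Administrator,10.0.0.5
2007-12-17 11:30:04,529,Administrator,10.0.0.5
2007-12-17 11:30:07,529,Administrator,10.0.0.5
2007-12-17 11:30:09,529,Administrator,10.0.0.5
2007-12-17 11:30:12,529,Administrator,10.0.0.5
2007-12-17 11:30:15,528,jdoe,10.0.0.9
2007-12-17 11:45:00,529,Administrator,10.0.0.7
2007-12-17 12:10:00,529,jdoe,10.0.0.9
"""

PRIVILEGED = {"administrator", "domadmin"}  # assumed admin account names (lower-case)
FAILED_LOGON_IDS = {"529"}                  # 529 = logon failure, bad name/password (2000/2003)


def parse(text):
    """Yield (timestamp, event_id, account, source_ip) from the constructed CSV export."""
    for line in text.splitlines():
        ts, eid, account, ip = line.strip().split(",")
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, account.lower(), ip


def detect_admin_bruteforce(text, threshold=5, window=timedelta(minutes=30)):
    """Return a list of (account, source_ip, timestamp) alerts.

    threshold/window mirror the lockout threshold and observation window the
    thread wants for admin accounts, but only raise an alert; nothing is locked."""
    recent = defaultdict(deque)  # (account, ip) -> timestamps of recent failures
    alerts = []
    for ts, eid, account, ip in parse(text):
        if eid not in FAILED_LOGON_IDS or account not in PRIVILEGED:
            continue
        q = recent[(account, ip)]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((account, ip, ts))
            q.clear()  # one alert per burst; start counting afresh
    return alerts


if __name__ == "__main__":
    for account, ip, ts in detect_admin_bruteforce(SAMPLE_LOG):
        print(f"ALERT: failed-logon threshold reached for {account} from {ip} at {ts}")
```

The jdoe failures and the single later attempt from 10.0.0.7 stay below the threshold, so only the five-attempt burst from 10.0.0.5 produces an alert.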