Account Lockout Policy

Clarence

Since I'm unable to have different policies for Administrators and users
because the setting is domain-wide, what I'd like to do is deny the account
lockout on a group for our Service Accounts.

I tried to add the security group to the Default Domain Policy and checked
Deny on Apply Group Policy but it didn't work.

Is there another way to get this to work?
Has anyone successfully had multiple account policies on one child domain?

Thanks.
 
John M

There is no way to limit who gets the policy.
Here is some info...
Here are a few articles and whitepapers that will help you on your issue.

Windows 2000 Group Policy Whitepaper
http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp

Account Lockout Whitepaper
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=8c8e0d90-a13b-4977-a4fc-3e2b67e3748e

Troubleshooting Common Active Directory Setup Issues in Windows 2000
http://support.microsoft.com/?kbid=260371

A few white papers and tools
http://support.microsoft.com/default.aspx?scid=KB;EN-US;255550
http://support.microsoft.com/default.aspx?scid=KB;EN-US;259576
http://support.microsoft.com/default.aspx?scid=KB;EN-US;299656
 
Joe Richards [MVP]

No, this won't work because the policy isn't applied to the user objects, it
is applied to the domain object itself and the domain handles it. Check out
the following attributes of the domain partition (domainDNS object).

lockOutObservationWindow
lockoutDuration
lockoutThreshold
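An added example, not code from the thread or from any of the posters: it reads the three domainDNS attributes Joe lists to show the lockout policy that is actually in force for the whole domain, then lists which accounts under a given OU are currently locked, since the thread's conclusion is that service accounts cannot be exempted and so need to be watched. It assumes the ActiveDirectory PowerShell module (RSAT) and uses a placeholder OU distinguished name.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholder: replace with the DN of the OU that holds the service accounts.
$serviceAccountOu = 'OU=Service Accounts,DC=example,DC=com'

# The lockout policy lives on the domain object itself, not on user objects.
$domainDn = (Get-ADDomain).DistinguishedName
$dom = Get-ADObject -Identity $domainDn -Properties `
    lockoutThreshold, lockoutDuration, lockOutObservationWindow

# lockoutDuration and lockOutObservationWindow are stored as negative Int64
# counts of 100-nanosecond ticks. Int64.MinValue is the "never" sentinel
# (the same one maxPwdAge uses), meaning locked until an administrator unlocks.
function ConvertTo-Minutes {
    param([Int64]$Interval)
    if ($Interval -eq [Int64]::MinValue) { return 'until an administrator unlocks' }
    return [TimeSpan]::FromTicks([Math]::Abs($Interval)).TotalMinutes
}

if ($dom.lockoutThreshold -eq 0) {
    Write-Host 'Lockout threshold: 0 (accounts never lock out)'
} else {
    Write-Host ('Lockout threshold : {0} bad attempts' -f $dom.lockoutThreshold)
    Write-Host ('Observation window: {0} minutes' -f (ConvertTo-Minutes $dom.lockOutObservationWindow))
    Write-Host ('Lockout duration  : {0}' -f (ConvertTo-Minutes $dom.lockoutDuration))
}

# Because the policy applies to every user object in the domain, service
# accounts lock out like anyone else. Listing the locked ones in their OU
# catches a stale stored password before it takes a service down.
Search-ADAccount -LockedOut -UsersOnly -SearchBase $serviceAccountOu |
    Select-Object Name, SamAccountName, LastLogonDate |
    Format-Table -AutoSize
```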
 
Derek Melber

The way GPOs apply with regard to the Account Policies for domain users is
that ONLY the domain level GPOs modify the Account Policy settings on the
domain controllers. So, Joe is right in that it is "the domain" that is
affected, which the domain controllers control. The domain controllers DON'T
have a local SAM that someone can log on to (without going through the DSRM).

If there are multiple GPOs at the domain level, the last one in the list
(the top one) will take precedence for the Account Policy that affects the
domain controllers, and in essence all computers in the domain through
inheritance of the GPO settings from the domain level.

If there are GPO settings at an OU level (not the Domain Controllers OU, of
course), these Account Policies will ONLY affect the local SAM on the
computers, when the computer account resides in that OU.
 
Antonio Lam

Why don't you put the Administrators and Users into different groups
and apply the Account Lockout Policy to the Group? Why do you have to
apply the policy at the domain level?

Antonio
 
Paul Adare

microsoft.public.win2000.security news group, Antonio Lam says...
> Why don't you put the Administrators and Users into different groups
> and apply the Account Lockout Policy to the Group? Why do you have to
> apply the policy at the domain level?

Because Group Policy is not applied to groups, and because Account
Lockout Policy (along with Password policy) applies to the entire
domain, and must therefore be set at the domain level. If you set these
policies at any other level, then they simply affect the local SAM
database of any workstations or member servers affected by the GPO that
contains these settings.
 
Laura A. Robinson [MVP]

circa Sun, 25 Jan 2004 14:13:43 +0100, in
microsoft.public.windows.server.security, Chriss3 said,
> The Built-in Administrator account can't be Locked out.
Yes, it can. Google for "passprop.exe". In Windows Server 2003, it
can even be disabled.

Laura
 
Guest

If I'm reading this right, password policies cannot be changed at OU level. Does this mean that Sub-domains take their policies from higher level domains? What other policies does this affect? Is it everything under account policies?

Also if anyone from Microsoft is out there, why is there nothing on this subject in ANY of your documentation?
 
Clarence

I can live with the account lockout being set to everyone but why is it when
the deny group policy is set on my Service Accounts, they are still affected
by the global policy?

Do I have to block inheritance in the OU where the service accounts exist as
well or is the deny on group enough?
 
Paul Adare

microsoft.public.win2000.security news group, Clarence <raven_2517@hotmail.com> says...
> I can live with the account lockout being set to everyone but why is it when
> the deny group policy is set on my Service Accounts, they are still affected
> by the global policy?

Because you're not understanding how Group Policy in general, and
account lockout policy (and password policy) specifically work.

Although account and password policy _affect_ user and computer
accounts, the GPO that contains the policy is _processed_ by computers
(which is why these policies exist in the Computer Configuration portion
of a GPO). Setting a deny ACE for a user or group account on a GPO that
contains account or password policy will accomplish exactly zero,
because user accounts do not process that section of a GPO in the first
place.
 
Paul Adare

microsoft.public.win2000.security news group, Paul Adare says...
> Although account and password policy _affect_ user and computer
> accounts, the GPO that contains the policy is _processed_ by computers
> (which is why these policies exist in the Computer Configuration portion
> of a GPO).

Sorry, small correction, should read "Although account and password
policy _affect_ user accounts..."
 
Clarence

So basically Win2k gives no advantage for domain-wide account settings over
NT4. As far as understanding group policy, I do, I'm simply asking for a way
to circumvent the design...but apparently no one seems to have my scenario or
even attempted it without using a 3rd party application.
 
Paul Adare

microsoft.public.win2000.security news group, Clarence <raven_2517@hotmail.com> says...
> I can live with the account lockout being set to everyone but why is it when
> the deny group policy is set on my Service Accounts, they are still affected
> by the global policy?
>
> Do I have to block inheritance in the OU where the service accounts exist as
> well or is the deny on group enough?

I've already answered this question for you Clarence.
 
Joe Richards [MVP]

You can't do it with 3rd party either. These are domain wide settings that
affect ALL user accounts. A service account is still a user account. Your
only choice is to have another domain that does not have a lockout policy.

--
www.joeware.net


Clarence said:
> So basically Win2k gives no advantage for domain-wide account settings over
> NT4. As far as understanding group policy, I do, I'm simply asking for a way
> to circumvent the design...but apparently no one seems to have my scenario or
> even attempted it without using a 3rd party application.
 
Joe Richards [MVP]

Domains have their own policies. They do not inherit policy from parent
domains.

--
www.joeware.net


Patrick R said:
> If I'm reading this right, password policies cannot be changed at OU
> level. Does this mean that Sub-domains take their policies from higher
> level domains? What other policies does this affect? Is it everything
> under account policies?
> Also if anyone from Microsoft is out there, why is there nothing on this
> subject in ANY of your documentation?
 
Ulf B. Simon-Weidner [MVP]

Patrick R says...
> If I'm reading this right, password policies cannot be changed at OU level.
> Does this mean that Sub-domains take their policies from higher level domains?
> What other policies does this affect? Is it everything under account policies?
Password Policies are set in the GPO underneath Computer Configuration and
therefore do not apply to domain user accounts but to local user accounts. The
Password Policies for domain user accounts have to be set in the default domain
policy. And yes, that behavior applies to all Subkeys of Account Policies.
> Also if anyone from Microsoft is out there, why is there nothing on this subject in
> ANY of your documentation?
I'm not MS, but this is mentioned in _a lot of_ documentation. Every guide
about how to design your domain structure mentions that if different password
settings are required you need to put those users in a different domain.

It's even mentioned in MOC courses, Self Study Kits, the Resource Kit, and I've
seen this question in a couple of MCP tests.

And out of "Designing Active Directory":
"Another reason to create more than one domain is to support multiple domain
policies. Domain policy is different from a normal Group Policy in several
ways. Windows 2000 domain policy affects every user in the same domain. In a
single Windows 2000 domain you have no way, for example, of giving one group of
users a Minimum Password Age setting that is different from another. If you
need to support several different domain policies, you have no option but to
create multiple domains."
http://www.microsoft.com/technet/prodtechnol/ad/windows2000/plan/activedi.asp


Greetings - Sincerely,

Ulf B. Simon-Weidner
 
