LockoutThreshold


I have a domain with the LockoutThreshold set to 3. I want a User Group called "Testers" to have an unrestricted LockoutThreshold. I've created an Organization Unit called "Low Security." "Testers" is a member of "Low Security." I've set the "Low Security" LockoutThreshold to "Not defined" and made sure the "Block policy inheritance" box is checked. The domain Group Policy does not have "Policy Override" selected. I still get locked out after 3 bad attempts if I log on as a user in the "Testers" group. How can I separate the "Testers" LockoutThreshold from the rest of the domain?
 
sgadim said:
I have a domain with the LockoutThreshold set to 3. I want a User Group
called "Testers" to have an unrestricted LockoutThreshold. I've created an
Organization Unit called "Low Security." "Testers" is a member of "Low
Security." I've set the "Low Security" LockoutThreshold to "Not defined" and
made sure the "Block policy inheritance" box is checked. The domain Group
Policy does not have "Policy Override" selected. I still get locked out
after 3 bad attempts if I log on as a user in the "Testers" group. How can
I separate the "Testers" LockoutThreshold from the rest of the domain?

Security Account Policies (i.e., Lockout, Password, and Kerberos)
are DOMAIN wide.

There is no way to distinguish these items by user, group, OU,
or Site.

You may only distinguish this if you make a separate domain for
those users.
 
sgadim said:
Can I have 2 domains on one computer or do I need another computer and
domain controller?

A DC can only host one domain (today and for the intermediate
future at least).

DCs service one domain, unlike DNS servers, which can host multiple
zones.

Different account security policies are among the very few
"technical" reasons for having multiple domains -- as
opposed to design etc. reasons.
 
You can if you use something like Virtual PC or Virtual Server or VMWARE.

BTW, a lockout count of 3 is extremely low and will most likely cause more
support issues than help your security. Keep in mind the lockout policy is to
slow down hacking attempts on an account. The better the passwords and the more
often you change them, the more bad passwords you can allow prior to lockout.
i.e. If you use a password with 6 characters, upper and lower case, numbers and
special characters, and you force a password change every 70-91 or so days, you
can be pretty confident a lockout policy of 15 bads with a reset time of 15
minutes should be sufficiently secure, as you could usually only get 60 bad
attempts an hour or 1440 per day, which is not going to be very useful for cracking
the above described password.

joe
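The arithmetic in the post above, worked through as an added example (this is not code from the thread or from any Windows tool): it models a lockout threshold plus reset window as a cap on online guesses per hour and per day, then compares that cap with the keyspace of a password of the kind Joe describes. The 15-attempt threshold, 15-minute reset, 6-character mixed-class password and 70-91 day rotation come from the post; the 94-symbol alphabet, the `LockoutPolicy` class and the helper names are assumptions made here. It also generalises to any threshold and reset window, so the original 3-attempt policy can be compared side by side.

```python
"""
Lockout-policy throttle calculator (added example).

Models Joe's reasoning: a lockout threshold and a counter-reset window cap
how many online guesses an attacker can make against one account, so the
question is how that cap compares with the password keyspace and the
rotation period.
"""
from dataclasses import dataclass
from math import ceil

# Assumed alphabet for "upper and lower case, numbers and special characters":
# 26 + 26 + 10 + 32 printable ASCII specials = 94 symbols.
MIXED_ALPHABET = 94


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int       # bad attempts before the account locks
    reset_minutes: int   # minutes until the bad-attempt counter resets

    def guesses_per_hour(self) -> int:
        """The post's model: one full batch of `threshold` guesses per reset window.
        Integer division: windows that do not divide the hour are rounded down."""
        return self.threshold * (60 // self.reset_minutes)

    def guesses_per_day(self) -> int:
        return self.guesses_per_hour() * 24


def keyspace(length: int, alphabet: int = MIXED_ALPHABET) -> int:
    """Number of distinct passwords of the given length over the alphabet."""
    return alphabet ** length


def days_to_exhaust(policy: LockoutPolicy, length: int,
                    alphabet: int = MIXED_ALPHABET) -> int:
    """Days needed to try every password at the policy's maximum guess rate."""
    return ceil(keyspace(length, alphabet) / policy.guesses_per_day())


def fraction_covered_before_rotation(policy: LockoutPolicy, rotation_days: int,
                                     length: int,
                                     alphabet: int = MIXED_ALPHABET) -> float:
    """Share of the keyspace an attacker can cover before the password changes."""
    return policy.guesses_per_day() * rotation_days / keyspace(length, alphabet)


def compare(policies, length: int = 6, rotation_days: int = 90):
    """Return one summary row per policy for the same password and rotation."""
    rows = []
    for p in policies:
        rows.append({
            "threshold": p.threshold,
            "reset_minutes": p.reset_minutes,
            "per_hour": p.guesses_per_hour(),
            "per_day": p.guesses_per_day(),
            "days_to_exhaust": days_to_exhaust(p, length),
            "covered_before_rotation": fraction_covered_before_rotation(
                p, rotation_days, length),
        })
    return rows


if __name__ == "__main__":
    # The original poster's policy (3 bad attempts) beside Joe's suggestion (15).
    # Reset window of 15 minutes assumed for both so the rows are comparable.
    for row in compare([LockoutPolicy(3, 15), LockoutPolicy(15, 15)]):
        print(row)
```

Even the looser 15/15 policy only allows 1440 guesses a day, and a 90-day rotation lets an attacker cover well under a millionth of the 94^6 keyspace, which is the point Joe is making: the threshold should be chosen for the helpdesk load it creates, not as the main defence against guessing. The model counts a full batch per window; in practice the last attempt in a batch triggers the lockout, so real numbers are slightly lower still.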
 
Joe Richards said:
You can if you use something like Virtual PC or Virtual Server or VMWARE.

BTW, a lockout count of 3 is extremely low and will most likely cause more
support issues than help your security. Keep in mind the lockout policy is
to

That's just another way of saying if you have a DIFFERENT
DOMAIN, or if you have the users login to machine specific
account with different settings.

Whether you use a VPC or a physical box, it requires a separate
accounts database (domain or machine.)
 