Question on GPO- Urgent

Guest

Hi,
I have set up GPOs and we are on win2k. A few days back I set up a new
GPO only for account lockout and there are some mission critical service
accounts; I have added them to a security group and on the new policy I have
denied the policy for the security group, but it did not help me, the
service accounts are getting locked out. Is there any way to exclude service
accounts?
Also there are a couple of development servers, which are member servers, and
there are some local accounts on these servers which are being used by the
developers and those accounts are also getting locked out. I have moved these
servers to a new OU and filtered out the lockout policy on the new OU. Is
there a solution for this also?
Any suggestions or pointers are highly appreciated.
 
Myweb

Hello Abhi,

You have to set this policy at the domain level. On OU level it will only
work if the machine is disconnected from the domain. It is like the password
policy: you can use it in a domain only from domain level. In Longhorn Server
MS will change it so that you can also set this kind of policy on OU level.

Best regards

Myweb
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
 
Guest

Thanks a lot for the response, I appreciate it.
The GPO (account lockout) is applied via domain only. My concern is that the
service accounts are getting locked out even after denying the permission
(GPO --> security --> added the security group which contains all of the
service accounts --> selected the right "apply group policy" and set it to deny).
Logged in to one machine using the service account, but it is getting locked
out and gpresult shows that the same policy is not applied, with reason
"access denied".
Remember I have two domain policies, one is for managing passwords and the
second one is for account lockout. So is there any way to prevent locking out
of the service accounts?
 
Myweb

Hello Abhi,

By default a service account is only used for a special service, NOT for
logging on to the system. The reason for using service accounts is special
software that must have additional rights, for example. So if you specify
a service account, don't change the password of it, or be sure to find all
locations where this account is used and also set the new password there.
Then a service account shouldn't lock out.

Best regards

Myweb
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
 
Guest

Yes, that is right. But in our organization there are some specific accounts
which have domain admin privileges and they are used for some scheduled
backups, ftp etc. People tend to put in wrong credentials, which leads to the
account lockout. So I was looking for a way to exclude these accounts from
getting locked out.

Regards,
Abhi
 
Guest

Abhi,

To clarify what Myweb was saying: you can't GPO-filter on those security
settings. Even when you explicitly exclude groups, the permission is set for
the whole domain in an all-or-nothing way.

It seems, though, that you are treating the symptom, not the cause of the
problem. It seems that one of two things is happening:

You have poor code control -- the developers in the dev environment are
changing things in one place and not across the board. This would beg for
them to do their jobs correctly.

The wrong people have access to the service accounts -- If people are
entering the wrong information for the service accounts, this means that they
really aren't service accounts. Service accounts are used by services and
should only be manually entered when they are set up or changed. If they are
used all the time, like an admin account that a backup admin uses daily (not
a best practice), then it is an admin account and it should get locked out
when it is entered incorrectly.

If you really want to make it so these accounts are always available, the
only way I can think of is an ADSI script. You could either schedule it to
run every x minutes to make sure that they are unlocked, or you could create
a web application (with its own service account <G>) that unlocks them at the
request of an _authenticated_ user. The scripting wouldn't be terribly hard
at all.

I hope this helps!
 
Joe Richards [MVP]

As was said before, account lockout for domain accounts is a domain wide
policy, there is no way to block it. It is either on or off for the
entire domain. The policy is applied to domain controllers which is then
used to write a value to the NC Head object of the domain which is then
read by the domain controllers and used for processing the lockouts.

As was also mentioned, this is changed in Longhorn with Fine Grained
Password Policy. It allows you to set up different policies for specific
users or groups of users (not OUs as was mentioned). This is handled
completely outside of the GPO environment.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
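An added example, not code from the thread, that shows both points made above: reading the lockout values the domain-level GPO writes onto the domain NC head (Joe's point), and the scheduled ADSI unlock script suggested two posts up, here in PowerShell against ADSI. The group name is an assumed placeholder; it needs a domain-joined host and an account that can read the domain head and, with -Unlock, write lockoutTime on the members. It reports by default and prints a line per unlock, so lockouts on these privileged accounts stay visible to whoever watches the logs.

```powershell
# Added example (not from the thread). Assumes a domain-joined Windows host and
# an account allowed to read the domain head and, for -Unlock, write lockoutTime.
param(
    [string]$GroupName = 'SvcAccounts-NoLockout',   # assumed placeholder group
    [switch]$Unlock                                 # default is report-only
)
$domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value
# 1. The lockout policy cannot be filtered per OU or group: the domain-level GPO
#    writes it onto the domain NC head, which every DC reads. Show what is in force.
$ds = New-Object System.DirectoryServices.DirectorySearcher
$ds.SearchRoot  = [ADSI]"LDAP://$domainDn"
$ds.SearchScope = 'Base'
$ds.Filter      = '(objectClass=domainDNS)'
[void]$ds.PropertiesToLoad.AddRange([string[]]@('lockoutThreshold','lockoutDuration','lockOutObservationWindow'))
$head      = $ds.FindOne().Properties
$threshold = [int]$head['lockoutthreshold'][0]
$duration  = [int64]$head['lockoutduration'][0]        # negative 100ns intervals
$window    = [int64]$head['lockoutobservationwindow'][0]
$forever   = ($duration -eq [int64]::MinValue)         # "until an admin unlocks"
$durText   = if ($forever) { 'until unlocked' } else { [TimeSpan]::FromTicks(-$duration) }
"Domain {0}: threshold={1}, window={2}, duration={3}" -f $domainDn, $threshold,
    [TimeSpan]::FromTicks(-$window), $durText
# 2. Direct members of the exemption group (nested groups are not expanded).
$ds.SearchScope = 'Subtree'
$ds.Filter      = "(&(objectCategory=group)(sAMAccountName=$GroupName))"
$ds.PropertiesToLoad.Clear(); [void]$ds.PropertiesToLoad.Add('member')
$grp = $ds.FindOne()
if (-not $grp) { throw "Group $GroupName not found in $domainDn" }
$nowFt = [DateTime]::UtcNow.ToFileTimeUtc()
foreach ($dn in $grp.Properties['member']) {
    $us = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://$dn", '(objectClass=user)', [string[]]@('sAMAccountName','lockoutTime'), 'Base')
    $u = $us.FindOne(); if (-not $u) { continue }      # skip non-user members
    $name = [string]$u.Properties['samaccountname'][0]
    $lt   = if ($u.Properties.Contains('lockouttime')) { [int64]$u.Properties['lockouttime'][0] } else { 0 }
    # lockoutTime is the FILETIME of the lock; it stays in force while
    # (now - lockoutTime) < lockoutDuration, or indefinitely when the duration is "forever".
    $locked = ($lt -gt 0) -and ($forever -or (($nowFt - $lt) -lt -$duration))
    if (-not $locked) { continue }
    $since = [DateTime]::FromFileTimeUtc($lt)
    if ($Unlock) {
        $obj = [ADSI]"LDAP://$dn"
        $obj.Put('lockoutTime', 0); $obj.SetInfo()     # writing 0 clears the lock
        Write-Output "$(Get-Date -Format o) UNLOCKED $name (locked since $since UTC)"
    } else {
        Write-Output "$name is locked out since $since UTC"
    }
}
```

Schedule it with -Unlock at the interval the earlier post suggests; without the switch it is safe to run from any read-only account to see which exempted accounts are currently locked.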
 
Ace Fekay [MVP]

In
Abhi said:
Yes, that is right. But in our organization there are some specific
accounts which have domain admin privileges and they are used for some
scheduled backups, ftp etc. People tend to put in wrong credentials,
which leads to the account lockout. So I was looking for a way to
exclude these accounts from getting locked out.

Regards,
Abhi

My suggestion is to create a separate child domain and let the devs do what
they want with it.

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations

Having difficulty reading or finding responses to your post?
Instead of the website you're using, try using OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. Anonymous access. It's free - no username or password
required nor do you need a Newsgroup Usenet account with your ISP. It
connects directly to the Microsoft Public Newsgroups. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject. It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

"Quitting smoking is easy. I've done it a thousand times." - Mark Twain
 
Guest

Not yet decided and someone has mentioned some scripting, but I don't know
how to make it ready :)

Regards,
Abhi
 
Ace Fekay [MVP]

In
Abhi said:
Not yet decided and someone has mentioned some scripting, but I don't
know how to make it ready :)

Regards,
Abhi

Scripting won't help with excluding users from the domain's password policy.
You will need to set up a separate domain with a different password policy
for those folks.

Ace
 
