You can change the local policy on the machine, or filter a GPO to only
apply to that machine.
But if they are using the hardcoded local admin, it can't be locked out.
MS Safety feature I guess.
----------------------------------------------------------------------
Chris Bates (CISSP)
Infrastructure Management Consultant
ACS Inc. (Enterprise Services; NWDC)
Chris.Bates (at) nwdc (dot) net [email concealed]
-----Original Message-----
From: Derick Anderson [mailto:danderson (at) vikus (dot) com [email concealed]]
Sent: Thursday, October 20, 2005 8:59 AM
To: Shabbar Arsiwala; focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: Account Lockout Policy
> -----Original Message-----
> From: Shabbar Arsiwala [mailto:sarsiwala (at) obleness (dot) org [email concealed]]
> Sent: Thursday, October 20, 2005 9:07 AM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: Account Lockout Policy
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> We have an account lockout policy setup for users on our domain Win
> 2K3 / Active Directory environment. 4 invalid attempts the account
> locks out / 30 mins the account is released. We would like to change
> this policy for one the machines on our domain. This machine uses a
> local administrator account to log in.
>
> Is this possible ???
>
> Thanks,
> Shabbar
It is possible to change the *local* machine account lockout policy for
a specific machine, but not the *domain* lockout policy. To do this you
need to put your *domain* password policy in the Domain Controllers OU,
create a separate OU for this one machine, make a new policy with the
desired lockout settings, and link it to the single machine's OU. This
will only work for *local* accounts (such as MACHINE\Administrator), not
*domain* accounts (DOMAIN\Administrator).
apply to that machine.
But if they are using the hardcoded local admin, it can't be locked out.
MS Safety feature I guess.
----------------------------------------------------------------------
Chris Bates (CISSP)
Infrastructure Management Consultant
ACS Inc. (Enterprise Services; NWDC)
Chris.Bates (at) nwdc (dot) net [email concealed]
-----Original Message-----
From: Derick Anderson [mailto:danderson (at) vikus (dot) com [email concealed]]
Sent: Thursday, October 20, 2005 8:59 AM
To: Shabbar Arsiwala; focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: Account Lockout Policy
> -----Original Message-----
> From: Shabbar Arsiwala [mailto:sarsiwala (at) obleness (dot) org [email concealed]]
> Sent: Thursday, October 20, 2005 9:07 AM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: Account Lockout Policy
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> We have an account lockout policy setup for users on our domain Win
> 2K3 / Active Directory environment. 4 invalid attempts the account
> locks out / 30 mins the account is released. We would like to change
> this policy for one the machines on our domain. This machine uses a
> local administrator account to log in.
>
> Is this possible ???
>
> Thanks,
> Shabbar
It is possible to change the *local* machine account lockout policy for
a specific machine, but not the *domain* lockout policy. To do this you
need to put your *domain* password policy in the Domain Controllers OU,
create a separate OU for this one machine, make a new policy with the
desired lockout settings, and link it to the single machine's OU. This
will only work for *local* accounts (such as MACHINE\Administrator), not
*domain* accounts (DOMAIN\Administrator).
Derick Anderson
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
[ reply ]