Actually, the local admin account can be locked out (at least post-2000).
Test it out. :-)
Laura
> -----Original Message-----
> From: Bates, Chris [mailto:Chris.Bates (at) nwdc (dot) net [email concealed]]
> Sent: Thursday, October 20, 2005 1:48 PM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: FW: Account Lockout Policy
>
> You can change the local policy on the machine, or filter a
> GPO to only apply to that machine.
> But if they are using the hardcoded local admin, it can't be
> locked out.
> MS Safety feature I guess.
>
>
> ----------------------------------------------------------------------
> Chris Bates (CISSP)
> Infrastructure Management Consultant
> ACS Inc. (Enterprise Services; NWDC)
> Chris.Bates (at) nwdc (dot) net [email concealed]
>
>
> -----Original Message-----
> From: Derick Anderson [mailto:danderson (at) vikus (dot) com [email concealed]]
> Sent: Thursday, October 20, 2005 8:59 AM
> To: Shabbar Arsiwala; focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: RE: Account Lockout Policy
>
>
>
> > -----Original Message-----
> > From: Shabbar Arsiwala [mailto:sarsiwala (at) obleness (dot) org [email concealed]]
> > Sent: Thursday, October 20, 2005 9:07 AM
> > To: focus-ms (at) securityfocus (dot) com [email concealed]
> > Subject: Account Lockout Policy
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > We have an account lockout policy setup for users on our domain Win
> > 2K3 / Active Directory environment. 4 invalid attempts the account
> > locks out / 30 mins the account is released. We would like
> to change
> > this policy for one the machines on our domain. This machine uses a
> > local administrator account to log in.
> >
> > Is this possible ???
> >
> > Thanks,
> > Shabbar
>
> It is possible to change the *local* machine account lockout
> policy for a specific machine, but not the *domain* lockout
> policy. To do this you need to put your *domain* password
> policy in the Domain Controllers OU, create a separate OU for
> this one machine, make a new policy with the desired lockout
> settings, and link it to the single machine's OU. This will
> only work for *local* accounts (such as MACHINE\Administrator), not
> *domain* accounts (DOMAIN\Administrator).
>
> Derick Anderson
>
> --------------------------------------------------------------
> ----------
> ---
> --------------------------------------------------------------
> ----------
> ---
>
>
>
>
> --------------------------------------------------------------
> -------------
> --------------------------------------------------------------
> -------------
>
Test it out. :-)
Laura
> -----Original Message-----
> From: Bates, Chris [mailto:Chris.Bates (at) nwdc (dot) net [email concealed]]
> Sent: Thursday, October 20, 2005 1:48 PM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: FW: Account Lockout Policy
>
> You can change the local policy on the machine, or filter a
> GPO to only apply to that machine.
> But if they are using the hardcoded local admin, it can't be
> locked out.
> MS Safety feature I guess.
>
>
> ----------------------------------------------------------------------
> Chris Bates (CISSP)
> Infrastructure Management Consultant
> ACS Inc. (Enterprise Services; NWDC)
> Chris.Bates (at) nwdc (dot) net [email concealed]
>
>
> -----Original Message-----
> From: Derick Anderson [mailto:danderson (at) vikus (dot) com [email concealed]]
> Sent: Thursday, October 20, 2005 8:59 AM
> To: Shabbar Arsiwala; focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: RE: Account Lockout Policy
>
>
>
> > -----Original Message-----
> > From: Shabbar Arsiwala [mailto:sarsiwala (at) obleness (dot) org [email concealed]]
> > Sent: Thursday, October 20, 2005 9:07 AM
> > To: focus-ms (at) securityfocus (dot) com [email concealed]
> > Subject: Account Lockout Policy
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > We have an account lockout policy setup for users on our domain Win
> > 2K3 / Active Directory environment. 4 invalid attempts the account
> > locks out / 30 mins the account is released. We would like
> to change
> > this policy for one the machines on our domain. This machine uses a
> > local administrator account to log in.
> >
> > Is this possible ???
> >
> > Thanks,
> > Shabbar
>
> It is possible to change the *local* machine account lockout
> policy for a specific machine, but not the *domain* lockout
> policy. To do this you need to put your *domain* password
> policy in the Domain Controllers OU, create a separate OU for
> this one machine, make a new policy with the desired lockout
> settings, and link it to the single machine's OU. This will
> only work for *local* accounts (such as MACHINE\Administrator), not
> *domain* accounts (DOMAIN\Administrator).
>
> Derick Anderson
>
> --------------------------------------------------------------
> ----------
> ---
> --------------------------------------------------------------
> ----------
> ---
>
>
>
>
> --------------------------------------------------------------
> -------------
> --------------------------------------------------------------
> -------------
>
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
[ reply ]