Solved

Windows 2000 Server PASSPROP doesn't seem to work

Posted on 2003-10-22
Last Modified: 2013-12-04
I've set the account lockout policy (both Domain and Local) to 5 attempts, and have run 'passprop /adminlockout'.

The normal user lockouts seem to work fine, although the Administrator account still never gets locked out no matter how many attempts.

If I run passprop it reports:

The Administrator account may be locked out except for interactive logons on a domain controller.

So it looks like it's worked, but it still never locks the account!

Any help would be much appreciated! :)

PS: I'm connecting via a Terminal window, not the local server screen:)

Question by:lavajava

Expert Comment

by:bkoehler-mpr
ID: 9599490
Are you sure it didn't lock the account?  Does the lockout show up in the Event Viewer?  I'm currently under the assumption a Terminal Server connection still counts as a local logon, thus even if the Administrator's account was locked out connecting via Terminal Services would allow access.

Expert Comment

by:HO_leg
ID: 9605103
Did you say "Domain controller"? The passprop utility works only for the LOCAL administrator account. There are no "local" accounts on Win2k DCs - all those accounts belong to Active Directory - passprop (comes from the Win NT4 reskit) can't deal with AD (LDAP).
By the way, all restrictions for password and lockout need to be set in the Default Domain Policy only - it goes down to all PCs. This part in other policies just doesn't work (by design). This part in Local policy works only for a standalone PC/Server - not a member of an AD domain.
To prevent intruders from guessing the Administrator password on a DC - just create a random password of at least 18 characters or more, write it down on paper and put the paper inside a deposit box. To administer your domain, use another account. After about 300-400 years of trying, maybe somebody will hack your system. I don't care. Do you?

Author Comment

by:lavajava
ID: 9605279
Thanks for the comments.

I'm still confused though, as all the notes I've read through say PASSPROP does allow the admin account to be locked out on a Windows 2000 Server, although it still allows you to log in locally if you get locked out.

The PASSPROP I'm using is from the Windows 2000 resource kit, not the NT4 one.  From what I've read they are different versions.  I.e.: the NT4 one doesn't work properly on 2K.

This is an extract from the W2K Server Security Checklist:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/chklist/w2ksvrcl.asp
=====================================
Because the Administrator account is built in to every copy of Windows 2000, it presents a well-known objective for attackers. To make it more difficult to attack the Administrator account, do the following both for the domain Administrator account and the local Administrator account on each server:

Rename the account to a nonobvious name (e.g., not "admin," "root," etc.).
Establish a decoy account named "Administrator" with no privileges. Scan the event log regularly looking for attempts to use this account.
Enable account lockout on the real Administrator accounts by using the passprop utility
Disable the local computer's Administrator account.
=====================================

This says, use PASSPROP on both the Domain and Local admin accounts.  So surely it is supposed to work?

Expert Comment

by:bkoehler-mpr
ID: 9606907
Microsoft Windows 2000 Resource Kit utility passprop.exe
Sets domain policy flags for password complexity and whether the administrator account can be locked out.

Passprop will not lock the administrator account from the console of a domain controller.  I would be unsurprised to find logon to a domain controller via Terminal Services bypasses this.

Author Comment

by:lavajava
ID: 9606963
But it should lock the account from everything but the console.

Can someone clarify this?

I can't believe you can't set a lockout policy for a domain admin.  This would mean all W2K systems can be brute-forced given enough time.

Expert Comment

by:HO_leg
ID: 9606979
Did you log in with "Administrator" account to run passprop? If you did, try to log in with another account with Domain administrator privileges.

Author Comment

by:lavajava
ID: 9607113
I had done it with a 2nd admin account that had full privileges.

Just redid it from the true admin account, and it's still the same :(

Expert Comment

by:bkoehler-mpr
ID: 9607464
What are you using to test whether the account is locked out?

Author Comment

by:lavajava
ID: 9607513
Connecting from another PC via Terminal Services.

Normal accounts lock out fine after 5 attempts, the admin account never does.


Accepted Solution

by:bkoehler-mpr (earned 250 total points)
ID: 9608948
Test from a different local PC.

Passprop isn't designed to lock the Domain Admin account out from a Domain Controller, thus if you are connecting via Terminal Services to a Domain Controller I would expect you would be able to logon.

Author Comment

by:lavajava
ID: 9612656
I would expect PASSPROP to lock out everything but an Interactive Logon on the 'physical' console as the documentation says.

Although, I've just tried it from another XP machine (not via TS), and it still doesn't lock out.

Has anyone actually got PASSPROP working on a Windows 2000 Domain Controller?

Assisted Solution

by:reddsoda (earned 250 total points)
ID: 10478858
This thread has a nice explanation.  http://archives.neohapsis.com/archives/sf/ms/2001-q3/0407.html

According to him, if you're testing via terminal services, that's the same as a type 2 logon and not a type 3 which passprop uses.  Try it again via a mapped drive.
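The test reddsoda suggests (generate the failures through a network logon rather than a Terminal Services session) can be scripted so that the attempt count, the logon type and the readback are all controlled. The cmd batch script below is an added example and is not from the thread or from any of the posters; the DC name, domain and account name are placeholders. It deliberately fails a number of SMB connections to the DC's IPC$ share, which Windows records as logon type 3 (network), then reads the account's status with `net user`, where "Account active" shows "Locked" once the threshold has been reached. On the DC itself, the Windows 2000 Security log records the failures as event 529 (with the Logon Type field) and the lockout as event 644 (User Account Locked Out). Run it from a member workstation, not from the DC console, and point it at a dedicated test account before trying the real (renamed) Administrator account, since a lockout that does take effect will also shut you out of remote administration.

```batch
@echo off
REM Added example, not from the thread. Forces repeated network (type 3)
REM logon failures against a TEST account, then reads back its lockout state.
REM Assumptions (placeholders): DC name, domain and account below.
setlocal
set DC=\\DC1
set DOMAIN=EXAMPLE
set ACCOUNT=locktest
REM One more than the configured lockout threshold (5 in the thread).
set ATTEMPTS=6

REM Drop any existing session to the DC first; otherwise Windows may reuse
REM the cached credentials and no fresh logon ever reaches the DC.
net use %DC%\IPC$ /delete /y >nul 2>&1

for /L %%i in (1,1,%ATTEMPTS%) do (
    echo Attempt %%i of %ATTEMPTS%: bad password over SMB to %DC%
    REM Wrong password on purpose; each failure is a network (type 3) logon.
    net use %DC%\IPC$ WrongPassword%%i /user:%DOMAIN%\%ACCOUNT% >nul 2>&1
    REM Tear the half-open connection down so the next attempt is a new logon.
    net use %DC%\IPC$ /delete /y >nul 2>&1
)

echo.
echo Account status as reported by the domain ("Locked" means lockout worked):
net user %ACCOUNT% /domain | findstr /I /C:"Account active"
endlocal
```

If "Account active" still reads "Yes" after the loop, check the DC's Security log for the 529 events from these attempts: if their Logon Type is 3 and no 644 follows, the lockout policy itself is not being applied to that account, independent of how the session was opened.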