Windows 2000 Server PASSPROP doesn't seem to work

I've set the account lockout policy (both Domain and Local) to 5 attempts, and have run 'passprop /adminlockout'.

The normal user lockouts seem to work fine, although the Administrator account still never gets locked out no matter how many attempts.

If I run passprop it reports:

The Administrator account may be locked out except for interactive logons on a domain controller.

So it looks like it's worked, but it still never locks the account!

Any help would be much appreciated! :)

PS: I'm connecting via a Terminal window, not the local server screen:)

lavajava asked:
bkoehler-mpr commented:
Are you sure it didn't lock the account?  Does the lockout show up in the Event Viewer?  I'm currently under the assumption a Terminal Server connection still counts as a local logon, thus even if the Administrator's account was locked out connecting via Terminal Services would allow access.
0
HO_leg commented:
Did you say "Domain controller"? The Passprop utility works only for the LOCAL administrator account. There are no "local" accounts on Win2k DCs - all those accounts belong to Active Directory - passprop (comes from the Win NT4 reskit) can't deal with AD (LDAP).
By the way, all restrictions for password and lockout you need to set on the Default Domain Policy only - it goes down to all PCs. This part in other policies just doesn't work (by design). This part in Local policy works only for a standalone PC/Server - not a member of an AD domain.
To prevent intruders from guessing the Administrator password on a DC - just create a random password of at least 18 chars or more, write it down on paper and put the paper inside a deposit box. To administer your domain, use another account. After about 300-400 years of trying, maybe somebody will hack your system. I don't care. Do you?
0
lavajava (author) commented:
Thanks for the comments.

I'm still confused though, as all the notes I've read through say PASSPROP does allow the admin account to be locked out on a Windows 2000 Server, although it still allows you to log in locally if you get locked out.

The PASSPROP I'm using is from the Windows 2000 resource kit, not the NT4 one.  From what I've read they are different versions, i.e. the NT4 one doesn't work properly on 2K.

This is an extract from the W2K Server Security Checklist:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/chklist/w2ksvrcl.asp
=====================================
Because the Administrator account is built in to every copy of Windows 2000, it presents a well-known objective for attackers. To make it more difficult to attack the Administrator account, do the following both for the domain Administrator account and the local Administrator account on each server:

Rename the account to a nonobvious name (e.g., not "admin," "root," etc.).
Establish a decoy account named "Administrator" with no privileges. Scan the event log regularly looking for attempts to use this account.
Enable account lockout on the real Administrator accounts by using the passprop utility.
Disable the local computer's Administrator account.
=====================================

This says, use PASSPROP on both the Domain and Local admin accounts.  So surely it is supposed to work?
0
bkoehler-mpr commented:
Microsoft Windows 2000 Resource Kit utility passprop.exe
Sets domain policy flags for password complexity and whether the administrator account can be locked out.

Passprop will not lock the administrator account from the console of a domain controller.  I would be unsurprised to find logon to a domain controller via Terminal Services bypasses this.
0
lavajava (author) commented:
But it should lock the account from everything but the console.

Can someone clarify this?

I can't believe you can't set a lockout policy for a domain admin.  This would mean all W2K systems can be brute-forced given enough time.
0
HO_leg commented:
Did you log in with "Administrator" account to run passprop? If you did, try to log in with another account with Domain administrator privileges.
0
lavajava (author) commented:
I had done it with a 2nd admin account that had full privileges.

Just redone it from the true admin account, and it's still the same :(
0
bkoehler-mpr commented:
What are you using to test whether the account is locked out?
0
lavajava (author) commented:
Connecting from another PC via Terminal Services.

Normal accounts lock out fine after 5 attempts, the admin account never does.

0
bkoehler-mpr commented:
Test from a different local PC.

Passprop isn't designed to lock the Domain Admin account out from a Domain Controller, thus if you are connecting via Terminal Services to a Domain Controller I would expect you would be able to logon.
0
lavajava (author) commented:
I would expect PASSPROP to lock out everything but an Interactive Logon on the 'physical' console as the documentation says.

Although, I've just tried it from another XP machine (not via TS), and it still doesn't lock out.

Has anyone actually got PASSPROP working on a Windows 2000 Domain Controller?
0
reddsoda commented:
This thread has a nice explanation.  http://archives.neohapsis.com/archives/sf/ms/2001-q3/0407.html

According to him, if you're testing via terminal services, that's the same as a type 2 logon and not a type 3 which passprop uses.  Try it again via a mapped drive.
0
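As an added illustration (not code from the thread, from Microsoft or from passprop itself), the following Python model applies the rule reddsoda describes to constructed Windows 2000-style Security log lines: failed logons (event 529) are counted toward the 5-attempt threshold from the thread, except that the built-in admin account is never locked by interactive (type 2) failures at a domain controller, which is why console and Terminal Services tests never trip it. It also counts probes against the decoy "Administrator" account from the checklist. The account names, the `on_dc` flag and the log lines are assumptions constructed for the example.

```python
# Added example: model of passprop-style lockout accounting over constructed
# Windows 2000-style Security log lines (not the thread's or Microsoft's code).
# Event 529 = "Logon Failure: Unknown user name or bad password";
# logon type 2 = interactive (console / Terminal Services), 3 = network (mapped drive).
from collections import defaultdict
import re

LOCKOUT_THRESHOLD = 5            # the thread's policy: 5 bad attempts
DECOY_ACCOUNT = "Administrator"  # checklist: unprivileged decoy named "Administrator"
BUILTIN_ADMIN = "sv-ops"         # assumed: the real built-in admin, renamed (constructed)


def _ev(user, ltype, n):
    """Build n constructed event-529 lines for one account and logon type."""
    return [f"529 User Name: {user} Domain: CORP Logon Type: {ltype} Workstation: DC1"] * n


SAMPLE_LOG = "\n".join(
    _ev(BUILTIN_ADMIN, 2, 6)      # console/TS failures at the DC: exempt for built-in admin
    + _ev(BUILTIN_ADMIN, 3, 5)    # network failures (mapped drive): these do count
    + _ev(DECOY_ACCOUNT, 3, 2)    # someone probing the decoy account
    + _ev("bob", 3, 4)            # ordinary user, still under the threshold
    + ["538 User Name: bob Domain: CORP Logon Type: 3 Workstation: PC7"]  # a logoff, ignored
)

LINE_RE = re.compile(r"^(\d+)\s+User Name:\s*(\S+).*?Logon Type:\s*(\d+)")


def parse_failures(log):
    """Yield (account, logon_type) for every event-529 line; skip other events."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == "529":
            yield m.group(2), int(m.group(3))


def counts_toward_lockout(account, logon_type, on_dc):
    """passprop rule as the thread states it: the built-in admin is never locked
    by interactive (type 2) failures at a domain controller."""
    return not (account == BUILTIN_ADMIN and logon_type == 2 and on_dc)


def evaluate(log, on_dc=True):
    """Return (sorted accounts that would lock, number of decoy-account probes)."""
    counts, decoy_probes = defaultdict(int), 0
    for account, ltype in parse_failures(log):
        if account == DECOY_ACCOUNT:
            decoy_probes += 1              # worth alerting on regardless of lockout
        if counts_toward_lockout(account, ltype, on_dc):
            counts[account] += 1
    locked = sorted(a for a, n in counts.items() if n >= LOCKOUT_THRESHOLD)
    return locked, decoy_probes
```

Run against `SAMPLE_LOG`, the built-in admin locks only because of the five network failures; feed it the six type-2 lines alone and it never locks on a DC, which matches what the author observed over Terminal Services.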