Solved

Windows 2000 Server PASSPROP doesn't seem to work

Posted on 2003-10-22
Last Modified: 2013-12-04
I've set the account lockout policy (both Domain and Local) to 5 attempts, and have run 'passprop /adminlockout'.

The normal user lockouts seem to work fine, although the Administrator account still never gets locked out no matter how many attempts.

If I run passprop it reports:

The Administrator account may be locked out except for interactive logons on a domain controller.

So it looks like it's worked, but it still never locks the account!

Any help would be much appreciated! :)

PS: I'm connecting via a Terminal window, not the local server screen. :)

Question by:lavajava
14 Comments
 
LVL 6

Expert Comment

by:bkoehler-mpr
ID: 9599490
Are you sure it didn't lock the account?  Does the lockout show up in the Event Viewer?  I'm currently under the assumption a Terminal Server connection still counts as a local logon, thus even if the Administrator's account was locked out connecting via Terminal Services would allow access.
 
LVL 2

Expert Comment

by:HO_leg
ID: 9605103
Did you say "Domain controller"? The Passprop utility works only for the LOCAL administrator account. There are no "local" accounts on Win2k DCs - all those accounts belong to Active Directory - and passprop (which comes from the Win NT4 reskit) can't deal with AD (LDAP).
By the way, all restrictions for password and lockout need to be set on the Default Domain Policy only - it goes down to all PCs. This part in other policies just doesn't work (by design). This part in Local policy works only for a standalone PC/Server - not a member of an AD domain.
To prevent intruders from guessing the Administrator password on a DC - just create a random password of at least 18 characters or more, write it down on paper and put the paper inside a deposit box. To administer your domain, use another account. After about 300-400 years of trying, maybe somebody will hack your system. I don't care. Do you?
 

Author Comment

by:lavajava
ID: 9605279
Thanks for the comments.

I'm still confused though, as all the notes I've read through say PASSPROP does allow the admin account to be locked out on a Windows 2000 Server, although it still allows you to login locally if you get locked out.

The PASSPROP I'm using is from the Windows 2000 resource kit, not the NT4 one.  From what I've read they are different versions.  I.e.: the NT4 one doesn't work properly on 2K.

This is an extract from the W2K Server Security Checklist:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/chklist/w2ksvrcl.asp
=====================================
Because the Administrator account is built in to every copy of Windows 2000, it presents a well-known objective for attackers. To make it more difficult to attack the Administrator account, do the following both for the domain Administrator account and the local Administrator account on each server:

Rename the account to a nonobvious name (e.g., not "admin," "root," etc.).
Establish a decoy account named "Administrator" with no privileges. Scan the event log regularly looking for attempts to use this account.
Enable account lockout on the real Administrator accounts by using the passprop utility
Disable the local computer's Administrator account.
=====================================

This says, use PASSPROP on both the Domain and Local admin accounts.  So surely it is supposed to work?
 
LVL 6

Expert Comment

by:bkoehler-mpr
ID: 9606907
Microsoft Windows 2000 Resource Kit utility passprop.exe
Sets domain policy flags for password complexity and whether the administrator account can be locked out.

Passprop will not lock the administrator account from the console of a domain controller.  I would be unsurprised to find logon to a domain controller via Terminal Services bypasses this.
 

Author Comment

by:lavajava
ID: 9606963
But it should lock the account from everything but the console.

Can someone clarify this?

I can't believe you can't set a lockout policy for a domain admin.  This would mean all W2K systems can be brute-forced given enough time.
 
LVL 2

Expert Comment

by:HO_leg
ID: 9606979
Did you log in with "Administrator" account to run passprop? If you did, try to log in with another account with Domain administrator privileges.

Author Comment

by:lavajava
ID: 9607113
I had done it with a 2nd admin account that had full privileges.

Just re-done it from the true admin account, and it's still the same. :(
 
LVL 6

Expert Comment

by:bkoehler-mpr
ID: 9607464
What are you using to test whether the account is locked out?
 

Author Comment

by:lavajava
ID: 9607513
Connecting from another PC via Terminal Services.

Normal accounts lock out fine after 5 attempts, the admin account never does.

 
LVL 6

Accepted Solution

by:
bkoehler-mpr earned 250 total points
ID: 9608948
Test from a different local PC.

Passprop isn't designed to lock the Domain Admin account out from a Domain Controller, thus if you are connecting via Terminal Services to a Domain Controller I would expect you would be able to logon.
 

Author Comment

by:lavajava
ID: 9612656
I would expect PASSPROP to lock out everything but an Interactive Logon on the 'physical' console as the documentation says.

Although, I've just tried it from another XP machine (not via TS), and it still doesn't lock out.

Has anyone actually got PASSPROP working on a Windows 2000 Domain Controller?
 

Assisted Solution

by:reddsoda
reddsoda earned 250 total points
ID: 10478858
This thread has a nice explanation.  http://archives.neohapsis.com/archives/sf/ms/2001-q3/0407.html

According to him, if you're testing via terminal services, that's the same as a type 2 logon and not a type 3 which passprop uses.  Try it again via a mapped drive.
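An added example, not code from the thread or from the passprop tool, that ties together two practical points raised above: the checklist's advice to scan the event log for attempts against the Administrator account, and reddsoda's type 2 (interactive) versus type 3 (network) logon distinction. It counts failed logons (event 529) per account and logon type over a constructed, one-record-per-line Windows 2000 security-log export; the flattened field layout, the sample lines and the account names are assumptions made for this example.

```python
"""Added example, not code from the thread: count failed logons (event 529)
against the Administrator account in a Windows 2000 security-log export,
split by logon type. passprop never locks the domain Administrator, so the
event log is the only place a password-guessing run against it shows up."""
import re
from collections import Counter

# Constructed sample export. 529 = logon failure (bad user name or password).
# Logon Type 2 = interactive (console / Terminal Services), 3 = network
# (e.g. a mapped drive), the distinction the thread ends on.
SAMPLE_LOG = """\
529 Logon Failure: User Name: Administrator Domain: CORP Logon Type: 2 Workstation Name: WS01
529 Logon Failure: User Name: Administrator Domain: CORP Logon Type: 2 Workstation Name: WS01
529 Logon Failure: User Name: Administrator Domain: CORP Logon Type: 2 Workstation Name: WS01
529 Logon Failure: User Name: Administrator Domain: CORP Logon Type: 2 Workstation Name: WS01
529 Logon Failure: User Name: Administrator Domain: CORP Logon Type: 3 Workstation Name: WS02
529 Logon Failure: User Name: Administrator Domain: CORP Logon Type: 3 Workstation Name: WS02
529 Logon Failure: User Name: jsmith Domain: CORP Logon Type: 3 Workstation Name: WS03
528 Successful Logon: User Name: jsmith Domain: CORP Logon Type: 3 Workstation Name: WS03
"""

# Match only event 529 lines; capture the account name and the logon type.
FAILED_LOGON = re.compile(
    r"^529\b.*?User Name:\s*(?P<user>\S+).*?Logon Type:\s*(?P<ltype>\d+)")

def count_failures(log_text):
    """Counter keyed by (user_lowercase, logon_type) over event 529 lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_LOGON.search(line)
        if m:
            counts[(m.group("user").lower(), int(m.group("ltype")))] += 1
    return counts

def over_threshold(counts, threshold=5, watch=("administrator",)):
    """Watched accounts whose failures, summed over all logon types, reach
    the lockout threshold; no lockout event will fire for Administrator,
    so this check stands in for it."""
    totals = Counter()
    for (user, _ltype), n in counts.items():
        if user in watch:
            totals[user] += n
    return {user: n for user, n in totals.items() if n >= threshold}

if __name__ == "__main__":
    c = count_failures(SAMPLE_LOG)
    for (user, ltype), n in sorted(c.items()):
        print(f"{user}: {n} failed logon(s) via logon type {ltype}")
    print("over threshold:", over_threshold(c))
```

Pass the decoy account name in `watch` as well if you follow the checklist's advice to create one; any failures against it are worth a look regardless of threshold.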