Solved

Windows 2000 Server PASSPROP doesn't seem to work

Posted on 2003-10-22
Last Modified: 2013-12-04
I've set the account lockout policy (both Domain and Local) to 5 attempts, and have run 'passprop /adminlockout'.

The normal user lockouts seem to work fine, although the Administrator account still never gets locked out no matter how many attempts.

If I run passprop it reports:

The Administrator account may be locked out except for interactive logons on a domain controller.

So it looks like it's worked, but it still never locks the account!

Any help would be much appreciated! :)

PS: I'm connecting via a Terminal window, not the local server screen :)

Question by:lavajava
14 Comments
 
LVL 6

Expert Comment

by:bkoehler-mpr
ID: 9599490
Are you sure it didn't lock the account?  Does the lockout show up in the Event Viewer?  I'm currently under the assumption a Terminal Server connection still counts as a local logon, thus even if the Administrator's account was locked out connecting via Terminal Services would allow access.
 
LVL 2

Expert Comment

by:HO_leg
ID: 9605103
Did you say "Domain controller"? The passprop utility works only for the LOCAL administrator account. There are no "local" accounts on Win2k DCs; all those accounts belong to Active Directory, and passprop (which comes from the Win NT4 reskit) can't deal with AD (LDAP).
By the way, all password and lockout restrictions need to be set in the Default Domain Policy only; it propagates down to all PCs. This part in other policies just doesn't work (by design). This part in Local Policy works only for a standalone PC/Server, not a member of an AD domain.
To prevent intruders from guessing the Administrator password on a DC, just create a random password of at least 18 characters or more, write it down on paper and put the paper in a deposit box. To administer your domain, use another account. After about 300-400 years of trying, maybe somebody will hack your system. I don't care. Do you?
 

Author Comment

by:lavajava
ID: 9605279
Thanks for the comments.

I'm still confused though, as all the notes I've read through say PASSPROP does allow the admin account to be locked out on a Windows 2000 Server, although it still allows you to log in locally if you get locked out.

The PASSPROP I'm using is from the Windows 2000 Resource Kit, not the NT4 one. From what I've read they are different versions, i.e. the NT4 one doesn't work properly on 2K.

This is an extract from the W2K Server Security Checklist:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/chklist/w2ksvrcl.asp
=====================================
Because the Administrator account is built in to every copy of Windows 2000, it presents a well-known objective for attackers. To make it more difficult to attack the Administrator account, do the following both for the domain Administrator account and the local Administrator account on each server:

Rename the account to a nonobvious name (e.g., not "admin," "root," etc.).
Establish a decoy account named "Administrator" with no privileges. Scan the event log regularly looking for attempts to use this account.
Enable account lockout on the real Administrator accounts by using the passprop utility
Disable the local computer's Administrator account.
=====================================

This says, use PASSPROP on both the Domain and Local admin accounts. So surely it's supposed to work?
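The checklist's "scan the event log regularly" step, written out as an added PowerShell example (this is not from the original thread or from Microsoft's checklist). It lists failed logons against the decoy account and reports the logon type of each, which is the distinction the rest of this thread turns on. It assumes a current Windows host, where a failed logon is Security event 4625 (on Windows 2000 the equivalent was event 529 with a different field layout) and where a Terminal Services/RDP logon is recorded as type 10 rather than the type 2 of Windows 2000; the decoy name `Administrator` and the 24-hour window are assumptions.

```powershell
# Added example, not from the original thread. Reports failed logons against a
# decoy account, grouped by logon type, so that attempts which never trip
# lockout (interactive logons on a DC) are still visible to whoever reviews the log.
# Assumptions: Security event 4625 (Vista and later), decoy named 'Administrator'.

# Documented Windows logon type codes. On Windows 2000 a Terminal Services logon
# was type 2; current versions record RDP as type 10.
$LogonTypeNames = @{
    2  = 'Interactive'
    3  = 'Network'
    4  = 'Batch'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials'
    10 = 'RemoteInteractive'
    11 = 'CachedInteractive'
}

function Get-DecoyLogonFailures {
    param(
        [string]$DecoyName = 'Administrator',   # assumed decoy account name
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as "no events".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read EventData fields by name rather than by position, so the script does
        # not depend on the index layout of the event.
        $fields = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        if ($fields['TargetUserName'] -ne $DecoyName) { continue }

        $type = [int]$fields['LogonType']
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = '{0}\{1}' -f $fields['TargetDomainName'], $fields['TargetUserName']
            LogonType   = $type
            TypeName    = if ($LogonTypeNames.ContainsKey($type)) { $LogonTypeNames[$type] } else { 'Unknown' }
            Workstation = $fields['WorkstationName']
            SourceIp    = $fields['IpAddress']
            SubStatus   = $fields['SubStatus']   # 0xC000006A = wrong password, 0xC0000234 = account locked out
        }
    }
}

# Usage: list the attempts, then summarise by logon type and source address,
# which is what you would review on a schedule.
$hits = Get-DecoyLogonFailures -DecoyName 'Administrator' -Hours 24
$hits | Sort-Object Time |
    Format-Table Time, Account, LogonType, TypeName, Workstation, SourceIp, SubStatus -AutoSize
$hits | Group-Object TypeName, SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The SubStatus column is worth keeping: a run of 0xC000006A followed by 0xC0000234 shows that lockout engaged for that account, while a long run of 0xC000006A with no 0xC0000234 is exactly the "never locks" symptom described in the question.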
 
LVL 6

Expert Comment

by:bkoehler-mpr
ID: 9606907
Microsoft Windows 2000 Resource Kit utility passprop.exe
Sets domain policy flags for password complexity and whether the administrator account can be locked out.

Passprop will not lock the administrator account from the console of a domain controller.  I would be unsurprised to find logon to a domain controller via Terminal Services bypasses this.
 

Author Comment

by:lavajava
ID: 9606963
But it should lock the account from everything but the console.

Can someone clarify this?

I can't believe you can't set a lockout policy for a domain admin. This would mean all W2K systems can be brute-forced given enough time.
 
LVL 2

Expert Comment

by:HO_leg
ID: 9606979
Did you log in with "Administrator" account to run passprop? If you did, try to log in with another account with Domain administrator privileges.
 

Author Comment

by:lavajava
ID: 9607113
I had done it with a 2nd admin account that had full privileges.

Just re-did it from the true admin account, and it's still the same :(
 
LVL 6

Expert Comment

by:bkoehler-mpr
ID: 9607464
What are you using to test whether the account is locked out?
 

Author Comment

by:lavajava
ID: 9607513
Connecting from another PC via Terminal Services.

Normal accounts lock out fine after 5 attempts, the admin account never does.
 
LVL 6

Accepted Solution

by:
bkoehler-mpr earned 250 total points
ID: 9608948
Test from a different local PC.

Passprop isn't designed to lock the Domain Admin account out from a Domain Controller, thus if you are connecting via Terminal Services to a Domain Controller I would expect you would be able to logon.
 

Author Comment

by:lavajava
ID: 9612656
I would expect PASSPROP to lock out everything but an Interactive Logon on the 'physical' console, as the documentation says.

Although, I've just tried it from another XP machine (not via TS), and it still doesn't lock out.

Has anyone actually got PASSPROP working on a Windows 2000 Domain Controller?
 

Assisted Solution

by:reddsoda
reddsoda earned 250 total points
ID: 10478858
This thread has a nice explanation: http://archives.neohapsis.com/archives/sf/ms/2001-q3/0407.html

According to him, if you're testing via Terminal Services, that's the same as a type 2 logon and not a type 3, which is what passprop uses. Try it again via a mapped drive.
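The test the accepted answer suggests (a network, type-3 logon rather than a Terminal Services one), combined with HO_leg's point above that the lockout settings live in the domain policy, as an added PowerShell example. It is not from the thread and not a Microsoft tool. It assumes a current domain with the RSAT ActiveDirectory module on a domain member, a DC named `DC01`, a domain `CORP` and the target account `Administrator`; all of these are assumptions to replace. Run it from a member machine, not from the DC console, and not against an account you cannot afford to lock.

```powershell
# Added example, not from the original thread. Generates type-3 (network) logon
# failures against a DC with net.exe, then reads the account's lockout state from
# the directory. Assumptions: RSAT ActiveDirectory module, DC 'DC01', domain 'CORP',
# target account 'Administrator'. Replace these before running.
param(
    [string]$Dc      = 'DC01',
    [string]$Domain  = 'CORP',
    [string]$Account = 'Administrator',
    [int]$Attempts   = 6          # one over the 5-attempt threshold in the question
)
Import-Module ActiveDirectory

function Get-LockoutPolicy {
    # Lockout settings are domain-wide (Default Domain Policy). On 2008 and later a
    # fine-grained password policy (PSO) can override them per account, so prefer
    # the resultant policy when one applies.
    param([string]$Server, [string]$Identity)
    $resultant = Get-ADUserResultantPasswordPolicy -Identity $Identity -Server $Server
    if ($resultant) { return $resultant }
    return Get-ADDefaultDomainPasswordPolicy -Server $Server
}

function Get-LockoutState {
    # badPwdCount is kept per DC and is not replicated, so query the DC that saw
    # the failures (it also forwards them to the PDC emulator). LockedOut is
    # derived from lockoutTime by the AD module.
    param([string]$Server, [string]$Identity)
    Get-ADUser -Identity $Identity -Server $Server -Properties badPwdCount, lockoutTime, LockedOut |
        Select-Object SamAccountName, badPwdCount, LockedOut,
            @{ n = 'LockoutTime'; e = { if ($_.lockoutTime) { [DateTime]::FromFileTime($_.lockoutTime) } } }
}

function Invoke-NetworkLogonFailures {
    # Each 'net use' with a wrong password is one type-3 logon attempt at the DC.
    # Any existing session to the DC must be dropped first: otherwise a second
    # connection with different credentials fails with error 1219 without the
    # password ever being checked, and nothing is counted.
    param([string]$Server, [string]$Domain, [string]$Identity, [int]$Count)
    $share = "\\$Server\IPC`$"
    & net.exe use $share /delete 2>&1 | Out-Null
    for ($i = 1; $i -le $Count; $i++) {
        $badPassword = "NotThePassword-$i"
        $out = & net.exe use $share /user:"$Domain\$Identity" $badPassword 2>&1
        # Expected text: 'System error 1326' (logon failure) for each attempt until the
        # threshold, then 'System error 1909' (account locked out) if lockout engaged.
        Write-Host ("attempt {0}: {1}" -f $i, (($out | Out-String).Trim() -split "`n")[0])
    }
}

$policy = Get-LockoutPolicy -Server $Dc -Identity $Account
"Lockout threshold {0}, duration {1}, window {2}" -f `
    $policy.LockoutThreshold, $policy.LockoutDuration, $policy.LockoutObservationWindow

"Before:"; Get-LockoutState -Server $Dc -Identity $Account | Format-List
Invoke-NetworkLogonFailures -Server $Dc -Domain $Domain -Identity $Account -Count $Attempts
"After:";  Get-LockoutState -Server $Dc -Identity $Account | Format-List
```

If badPwdCount climbs but LockedOut stays False once the threshold is passed, the account is exempt from lockout for that logon type on that DC; if badPwdCount does not move at all, the attempts are not reaching the DC you are querying (wrong -Server, or an existing session swallowing the logon), which is the first thing to rule out before concluding that lockout is broken.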
