Solved

AD Security

Posted on 2006-07-21
4
355 Views
Last Modified: 2008-02-01
Where we can find this and how we can deploy the following settings:

minPwdAge (Days)                            Current 0 Recommended 1
DOMAIN_PASSWORD_NO_ANON_CHANGE      Current DISABLED Recommended ENABLED
DOMAIN_PASSWORD_NO_CLEAR_CHANGE      Current DISABLED Recommended ENABLED
DOMAIN_LOCKOUT_ADMINS            Current DISABLED Recommended ENABLED

Thanks!
0
Comment
Question by:Nick Sui
4 Comments
 
LVL 26

Accepted Solution

by:
Pber earned 250 total points
ID: 17153520
I only found one...

minPwdAge (Days):
 
Load the default domain policy GPO
Navigate to:
minPwdAge (Days)  
Computer configuration\Windows Settings\Security Settings\Password Policy
Change Minimum Password Ago to 1

the rest appear to be additional password properties flags as per MSDN
http://windowssdk.msdn.microsoft.com/en-us/library/ms718417.aspx

Where did you get this recommendation.  Allowing the Domain admins account to be locked out could be bad effects.  A malicious user can just willingly lock out your admin account.


0
 
LVL 16

Assisted Solution

by:kshays
kshays earned 250 total points
ID: 17156523
Along with Pber, this can only be applied at the domain level.  The min password age is the amount of days that is required before the user can change the password again.  It will keep the savy people from changing the password over and over in the same day just so they can use their old one again.

As for locking out the admin account auditing should be done to see if any attempts are made to login using that account.  Simple measures of just renaming the admin account will discourage some people, but the really savy guys can still find out which account is the admin or has admin privileges from the SID.

Download group policy management console or just go and edit the gpo by using group policies for the default domain policy.  I'm taking you are not familiar with groups policies correct?

cheers
0

Featured Post

Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

Join & Write a Comment

The HP utility "HP Lights-Out Online Configuration Utility for Windows Server 2003/2008" could be of great use when it comes to remotely configure a HP servers ILO WITHOUT rebooting the server. We would only need to create and run scripts using thi…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now