Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

AD Security

Posted on 2006-07-21
4
358 Views
Last Modified: 2008-02-01
Where we can find this and how we can deploy the following settings:

minPwdAge (Days)                            Current 0 Recommended 1
DOMAIN_PASSWORD_NO_ANON_CHANGE      Current DISABLED Recommended ENABLED
DOMAIN_PASSWORD_NO_CLEAR_CHANGE      Current DISABLED Recommended ENABLED
DOMAIN_LOCKOUT_ADMINS            Current DISABLED Recommended ENABLED

Thanks!
0
Comment
Question by:Nirmal Sharma
4 Comments
 
LVL 26

Accepted Solution

by:
Pber earned 250 total points
ID: 17153520
I only found one...

minPwdAge (Days):
 
Load the default domain policy GPO
Navigate to:
minPwdAge (Days)  
Computer configuration\Windows Settings\Security Settings\Password Policy
Change Minimum Password Ago to 1

the rest appear to be additional password properties flags as per MSDN
http://windowssdk.msdn.microsoft.com/en-us/library/ms718417.aspx

Where did you get this recommendation.  Allowing the Domain admins account to be locked out could be bad effects.  A malicious user can just willingly lock out your admin account.


0
 
LVL 16

Assisted Solution

by:kshays
kshays earned 250 total points
ID: 17156523
Along with Pber, this can only be applied at the domain level.  The min password age is the amount of days that is required before the user can change the password again.  It will keep the savy people from changing the password over and over in the same day just so they can use their old one again.

As for locking out the admin account auditing should be done to see if any attempts are made to login using that account.  Simple measures of just renaming the admin account will discourage some people, but the really savy guys can still find out which account is the admin or has admin privileges from the SID.

Download group policy management console or just go and edit the gpo by using group policies for the default domain policy.  I'm taking you are not familiar with groups policies correct?

cheers
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

789 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question