?
Solved

AD Security

Posted on 2006-07-21
4
Medium Priority
?
363 Views
Last Modified: 2008-02-01
Where we can find this and how we can deploy the following settings:

minPwdAge (Days)                            Current 0 Recommended 1
DOMAIN_PASSWORD_NO_ANON_CHANGE      Current DISABLED Recommended ENABLED
DOMAIN_PASSWORD_NO_CLEAR_CHANGE      Current DISABLED Recommended ENABLED
DOMAIN_LOCKOUT_ADMINS            Current DISABLED Recommended ENABLED

Thanks!
0
Comment
Question by:Nirmal Sharma
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 26

Accepted Solution

by:
Pber earned 1000 total points
ID: 17153520
I only found one...

minPwdAge (Days):
 
Load the default domain policy GPO
Navigate to:
minPwdAge (Days)  
Computer configuration\Windows Settings\Security Settings\Password Policy
Change Minimum Password Ago to 1

the rest appear to be additional password properties flags as per MSDN
http://windowssdk.msdn.microsoft.com/en-us/library/ms718417.aspx

Where did you get this recommendation.  Allowing the Domain admins account to be locked out could be bad effects.  A malicious user can just willingly lock out your admin account.


0
 
LVL 16

Assisted Solution

by:Kevin Hays
Kevin Hays earned 1000 total points
ID: 17156523
Along with Pber, this can only be applied at the domain level.  The min password age is the amount of days that is required before the user can change the password again.  It will keep the savy people from changing the password over and over in the same day just so they can use their old one again.

As for locking out the admin account auditing should be done to see if any attempts are made to login using that account.  Simple measures of just renaming the admin account will discourage some people, but the really savy guys can still find out which account is the admin or has admin privileges from the SID.

Download group policy management console or just go and edit the gpo by using group policies for the default domain policy.  I'm taking you are not familiar with groups policies correct?

cheers
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question