AD Security

Where we can find this and how we can deploy the following settings:

minPwdAge (Days)                            Current 0 Recommended 1
DOMAIN_PASSWORD_NO_ANON_CHANGE      Current DISABLED Recommended ENABLED
DOMAIN_PASSWORD_NO_CLEAR_CHANGE      Current DISABLED Recommended ENABLED
DOMAIN_LOCKOUT_ADMINS            Current DISABLED Recommended ENABLED

Thanks!
LVL 35
Nirmal SharmaSolution ArchitectAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
PberConnect With a Mentor Solutions ArchitectCommented:
I only found one...

minPwdAge (Days):
 
Load the default domain policy GPO
Navigate to:
minPwdAge (Days)  
Computer configuration\Windows Settings\Security Settings\Password Policy
Change Minimum Password Ago to 1

the rest appear to be additional password properties flags as per MSDN
http://windowssdk.msdn.microsoft.com/en-us/library/ms718417.aspx

Where did you get this recommendation.  Allowing the Domain admins account to be locked out could be bad effects.  A malicious user can just willingly lock out your admin account.


0
 
Kevin HaysConnect With a Mentor IT AnalystCommented:
Along with Pber, this can only be applied at the domain level.  The min password age is the amount of days that is required before the user can change the password again.  It will keep the savy people from changing the password over and over in the same day just so they can use their old one again.

As for locking out the admin account auditing should be done to see if any attempts are made to login using that account.  Simple measures of just renaming the admin account will discourage some people, but the really savy guys can still find out which account is the admin or has admin privileges from the SID.

Download group policy management console or just go and edit the gpo by using group policies for the default domain policy.  I'm taking you are not familiar with groups policies correct?

cheers
0
All Courses

From novice to tech pro — start learning today.