Pau Lo

asked on

2003 lockout

In the same way that you can make certain domain accounts exempt from password expiration, can you make domain accounts exempt from account lockout policies as well? For example, important domain accounts running as services: all you need is some general prankster purposely getting the password wrong all the time to get it locked out. Isn't this seen as a problem?

It's a 2003 functional domain...

Also, do service accounts have a last login stamp, to see if they are still in use? If yes, how so, if they aren't interactively logging into servers/domains? If not, do you know of any other way to determine if they are still in use, as opposed to disabling them and seeing what breaks/fails...
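An added example for the two questions above; it is not part of the original thread. In a Windows Server 2003 functional-level domain the password and lockout policy is a single domain-wide setting, so the only per-account exemptions are flags on the user object itself: DONT_EXPIRE_PASSWD (password never expires) and PASSWD_NOTREQD (bypasses minimum length and complexity). There is no per-account exemption from lockout. For the "still in use" question, the lastLogonTimestamp attribute is replicated at the 2003 functional level and is updated by service and network logons as well as interactive ones, although by default only when the stored value is already about 14 days old. The script queries those attributes over LDAP with System.DirectoryServices, so it works against 2003 domain controllers from a PowerShell 3+ workstation with ordinary domain-user read access and without the ActiveDirectory module. The function names are mine and the sample records at the end are constructed for illustration.

```powershell
# Added example, not from the original thread.
# Assumes PowerShell 3+ on a domain-joined workstation with ordinary read access to AD;
# queries go over LDAP via System.DirectoryServices, so 2003 DCs and no AD module are fine.

# userAccountControl bits (Microsoft-documented values).
$UAC_ACCOUNTDISABLE     = 0x0002
$UAC_PASSWD_NOTREQD     = 0x0020    # exempt from minimum length / complexity
$UAC_DONT_EXPIRE_PASSWD = 0x10000   # exempt from maximum password age

function ConvertFrom-FileTimeUtc([long]$FileTime) {
    # lastLogonTimestamp / pwdLastSet are 100-ns ticks since 1601-01-01 UTC; 0 means never.
    if ($FileTime -le 0) { return $null }
    [DateTime]::FromFileTimeUtc($FileTime)
}

function ConvertTo-AccountReport {
    # Decode one raw user record into the fields relevant to the policy questions.
    param([Parameter(ValueFromPipeline = $true)] $Account)
    process {
        $uac  = [int]$Account.userAccountControl
        $last = ConvertFrom-FileTimeUtc $Account.lastLogonTimestamp
        [pscustomobject]@{
            Account              = $Account.sAMAccountName
            Disabled             = [bool]($uac -band $UAC_ACCOUNTDISABLE)
            PasswordNeverExpires = [bool]($uac -band $UAC_DONT_EXPIRE_PASSWD)
            PasswordNotRequired  = [bool]($uac -band $UAC_PASSWD_NOTREQD)
            HasSPN               = [bool]$Account.servicePrincipalName   # usually a service account
            LastLogonTimestamp   = $last
            # lastLogonTimestamp is refreshed only when the stored value is ~14 days old (2003
            # default), so read StaleDays as "at least this many days", with ~14 days of slack.
            StaleDays            = $(if ($last) { [int]([DateTime]::UtcNow - $last).TotalDays } else { $null })
        }
    }
}

function Get-DomainUserAccounts {
    # Raw records for every user object in the current domain; large integers come back as Int64.
    $root = New-Object System.DirectoryServices.DirectoryEntry    # default: current domain root
    $ds   = New-Object System.DirectoryServices.DirectorySearcher($root)
    $ds.Filter   = '(&(objectCategory=person)(objectClass=user))'
    $ds.PageSize = 1000
    foreach ($p in 'sAMAccountName','userAccountControl','lastLogonTimestamp','servicePrincipalName') {
        [void]$ds.PropertiesToLoad.Add($p)
    }
    foreach ($r in $ds.FindAll()) {
        $llt = $r.Properties['lastlogontimestamp']
        [pscustomobject]@{
            sAMAccountName       = [string]$r.Properties['samaccountname'][0]
            userAccountControl   = [int]$r.Properties['useraccountcontrol'][0]
            lastLogonTimestamp   = $(if ($llt.Count -gt 0) { [long]$llt[0] } else { 0L })
            servicePrincipalName = @($r.Properties['serviceprincipalname'])
        }
    }
}

# Constructed sample records (not real accounts) so the decoding can be seen without a domain:
# a service account used 3 days ago, an old one with both exemption flags set, a normal user.
$now = [DateTime]::UtcNow
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'svc_backup'; userAccountControl = 0x10200
                       lastLogonTimestamp = $now.AddDays(-3).ToFileTimeUtc();   servicePrincipalName = @('HOST/backup01') }
    [pscustomobject]@{ sAMAccountName = 'svc_legacy'; userAccountControl = 0x10220
                       lastLogonTimestamp = $now.AddDays(-400).ToFileTimeUtc(); servicePrincipalName = @() }
    [pscustomobject]@{ sAMAccountName = 'jsmith';     userAccountControl = 0x200
                       lastLogonTimestamp = $now.AddDays(-1).ToFileTimeUtc();   servicePrincipalName = @() }
)
$sample | ConvertTo-AccountReport | Format-Table -AutoSize

# Live domain: the accounts that sidestep part of the policy, or look unused for 90+ days.
Get-DomainUserAccounts | ConvertTo-AccountReport |
    Where-Object { $_.PasswordNeverExpires -or $_.PasswordNotRequired -or $_.StaleDays -gt 90 } |
    Sort-Object StaleDays -Descending | Format-Table -AutoSize
```

The 0x200 in each sample value is NORMAL_ACCOUNT, which every ordinary user object carries; the two flags the report tests are the only bits that change the policy an account is held to. A StaleDays figure older than the 14-day refresh window is the evidence to collect before disabling a service account, and a fresh figure on an account with no SPN is worth a second look, since something is authenticating with it.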
SOLUTION
TheAnvilGroup
ASKER CERTIFIED SOLUTION
Paul MacDonald
Pau Lo

ASKER

paulmacd:

Can you show me how, or provide a link to how this is done?
Here are two good ones:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/filter.mspx?mfr=true

http://technet.microsoft.com/en-us/library/bb742376.aspx

Essentially, on the Group Policy tab of your container, select the GPO and click Properties.  You'll see a Security tab where you can control the GPO application.
SOLUTION
Pau Lo

ASKER

Thanks for all the advice...

Put another way then... if domain accounts in a 2003 functional domain can become exempt from domain policies, how can I identify every account exempt from the domain password policy? Is it easy to do?

So I want to say these 400 users are subject to the password policy (complexity, lockout, expiry, reuse etc.), but these 45 aren't. That's my task; I would really like to do that...

If I run MBSA on a domain controller it does list users whose passwords don't expire, but I want any exemption: expiry, lockout, complexity etc.
The easiest way would be to make a group - something like "Exempt From Password Policy" - and put those accounts in that group, then apply permissions to the group in the GPO.
Pau Lo

ASKER

So my wording was wrong...

I want to check the current/existing configuration setup...

i.e. I want to see, as of today, that 450 are subject to this domain password policy, 50 aren't, and these are the 50 that aren't...
Pau Lo

ASKER

PS - can you view GP details/settings in the ADUC console, or is it another tool?
I'm not aware of any utility that will show you the RSOP for every object in AD, but there may be one.

Since a password policy is generally something that would apply to everyone, the No Override property should be set.  If you can verify that, then it's just a matter of looking at the permissions because that would be the only way to block inheritance/policy application.
Pau Lo

ASKER

Can you remind me how I check if the No Override policy is set...
When you bring up the properties for the container, select a GPO and click the Options... button.  You'll see the No Override setting there.
Pau Lo

ASKER

I'm not familiar with AD GPO tools; when you say bring up the container, in what software are you viewing this...
In Active Directory Users and Computers:
Select the Domain or an OU.
Right-click and select Properties.
Select the Group Policy tab.
Pau Lo

ASKER

I have the ADUC console on my machine; I right-clicked the domain and on the Group Policy tab it lists the following fields:

Group Policy Object Links / No Override / Disabled

There is no tick in "No Override" for any Group Policy Object Links.

So... how can I now check who is potentially overriding that policy around password complexity / expiry / account lockout?
You can use the RSOP snap-in:
http://www.microsoft.com/windowsxp/using/setup/expert/rsop.mspx

or the GPResult command:
http://www.microsoft.com/windowsxp/using/setup/expert/gpresults.mspx

They'll give you similar information about what policies apply to a particular user/computer.
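An added example, not from the original thread, offered as a cheaper route than running gpresult per user for the account-policy part of the question. Password and lockout settings for domain accounts are applied by the domain controllers from the GPO linked at the domain level and are stored as attributes of the domain object; in a 2003 functional-level domain there is exactly one such set for all domain accounts, so reading it shows the policy every account is actually held to, whichever user or workstation you would otherwise run gpresult from. The function names, review thresholds and the sample values are mine; the script uses System.DirectoryServices only and needs ordinary read access.

```powershell
# Added example, not from the original thread. Reads the enforced account policy from the
# domain object over LDAP; assumes a domain-joined PowerShell 3+ host with read access.

$DOMAIN_PASSWORD_COMPLEX = 0x1    # bit in pwdProperties (MS-SAMR DOMAIN_PASSWORD_COMPLEX)

function ConvertFrom-AdInterval([long]$Value) {
    # Durations are stored as negative 100-ns ticks. Int64.MinValue (0x8000000000000000)
    # means "never" for maxPwdAge and "until an administrator unlocks" for lockoutDuration.
    if ($Value -eq [long]::MinValue -or $Value -eq 0) { return $null }
    [TimeSpan]::FromTicks(-1 * $Value)
}

function ConvertTo-AccountPolicy($Domain) {
    # $Domain carries the raw attribute values exactly as LDAP returns them.
    [pscustomobject]@{
        MaxPasswordAge           = ConvertFrom-AdInterval $Domain.maxPwdAge          # $null = never expires
        MinPasswordAge           = ConvertFrom-AdInterval $Domain.minPwdAge
        MinPasswordLength        = [int]$Domain.minPwdLength
        PasswordHistoryLength    = [int]$Domain.pwdHistoryLength
        ComplexityRequired       = [bool]([int]$Domain.pwdProperties -band $DOMAIN_PASSWORD_COMPLEX)
        LockoutThreshold         = [int]$Domain.lockoutThreshold                    # 0 = lockout disabled
        LockoutDuration          = ConvertFrom-AdInterval $Domain.lockoutDuration    # $null = until unlocked
        LockoutObservationWindow = ConvertFrom-AdInterval $Domain.lockOutObservationWindow
    }
}

function Test-AccountPolicy($Policy) {
    # Flag the settings a reviewer would query; the thresholds are this example's, not a standard.
    $findings = @()
    if ($Policy.LockoutThreshold -eq 0)       { $findings += 'lockout disabled: unlimited password guesses' }
    if (-not $Policy.ComplexityRequired)      { $findings += 'complexity not required' }
    if ($Policy.MinPasswordLength -lt 8)      { $findings += "minimum length $($Policy.MinPasswordLength) < 8" }
    if ($null -eq $Policy.MaxPasswordAge)     { $findings += 'passwords never expire domain-wide' }
    if ($Policy.PasswordHistoryLength -lt 12) { $findings += "history $($Policy.PasswordHistoryLength) < 12" }
    $findings
}

function Get-DomainAccountPolicy {
    # Base-scope search on the domain naming context; DirectorySearcher returns Int64/Int32.
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
    $dn      = [string]$rootDse.Properties['defaultNamingContext'].Value
    $ds      = New-Object System.DirectoryServices.DirectorySearcher(
                   (New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dn")))
    $ds.SearchScope = 'Base'
    $ds.Filter      = '(objectClass=domainDNS)'
    $attrs = 'maxPwdAge','minPwdAge','minPwdLength','pwdHistoryLength','pwdProperties',
             'lockoutThreshold','lockoutDuration','lockOutObservationWindow'
    foreach ($a in $attrs) { [void]$ds.PropertiesToLoad.Add($a) }
    $r   = $ds.FindOne()
    $raw = @{}
    foreach ($a in $attrs) { $raw[$a] = $r.Properties[$a.ToLower()][0] }
    ConvertTo-AccountPolicy ([pscustomobject]$raw)
}

# Constructed sample, shaped like a Default Domain Policy with lockout switched off
# (not read from a real domain):
$sample = [pscustomobject]@{
    maxPwdAge = -1 * [TimeSpan]::FromDays(42).Ticks;  minPwdAge = -1 * [TimeSpan]::FromDays(1).Ticks
    minPwdLength = 7;  pwdHistoryLength = 24;  pwdProperties = 1
    lockoutThreshold = 0;  lockoutDuration = [long]::MinValue
    lockOutObservationWindow = -1 * [TimeSpan]::FromMinutes(30).Ticks
}
$policy = ConvertTo-AccountPolicy $sample
$policy | Format-List
Test-AccountPolicy $policy

# Live domain:
$live = Get-DomainAccountPolicy
$live | Format-List
Test-AccountPolicy $live
```

With the sample values Test-AccountPolicy reports the disabled lockout and the 7-character minimum; the other checks pass. Because these attributes are what the DCs enforce, security filtering or a missing No Override tick on a user-level GPO does not take a domain account out of them; the account-side flags covered earlier are the only per-account exceptions at this functional level.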
Pau Lo

ASKER

So if I get a list of 50 users who I suspect may not be part of this password policy, will running gpresult from my workstation give me that information? Or are you saying I'd have to run gpresult on each of the 50 users' workstations who I suspect may not be part of this password policy? There's got to be an easier way than that, surely...
Pau Lo

ASKER

Will solution 1 (RSOP snap-in) work if I am not a domain administrator? I don't even have local admin rights on my machine, but I could probably get the snap-in installed. I'm just not sure if, without domain admin rights, I could query every user's policies. It is users I am after, not machines.
Both would have to be run 50 times - and why not?  There may be several combinations of users/computers that end up with different RSOPs.  

That said, unless your AD configuration is a mess, it's unlikely there are more than a few possible outcomes so you should only have to run either utility against a subset of possible combinations.

Pau Lo

ASKER

It's a shame there isn't one single tool that you can run to see what policies the user actually gets applied. So I could specify "policy A" and it would list all users who get that policy, and all users that don't. I'm amazed there isn't such a tool for what must be such a common test/requirement for administrators.
Mmm.  Maybe.  Users tend to be grouped so if one user is typical of a group, you'd only need to test against that one user.  Also, as an administrator, I would already know what policies apply to what users because I'd be deploying those policies with the intent of having a certain effect.

That said, there may be a utility out there that does what you want.  I simply don't know of one.  Sorry!
Pau Lo

ASKER

Yeah, I appreciate that, so Finance as a group would get the password policy yet a group called Service Accounts may not. It's just identifying all the groups the more powerful domain accounts are members of. I can easily enumerate a list of domain admins...
You can see what groups a user belongs to by opening the properties for the user object and selecting the "Member Of" tab.  You probably know that.
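An added example, not from the original thread, for the group-membership step. The Member Of tab lists direct memberships only, whereas the tokenGroups constructed attribute returns the nested (effective) group SIDs a domain controller computes for the account, which is what decides whether an account is actually a privileged one. The function names, the privileged-RID table and the placeholder account name 'svc_backup' are mine; the script needs a domain-joined PowerShell 3+ host with ordinary read access.

```powershell
# Added example, not from the original thread. Resolves an account's effective (nested)
# group membership from tokenGroups; assumes a domain-joined host with read access.

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping so a user-supplied name cannot change the filter's logic.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
}

function Get-EffectiveGroupSids([string]$SamAccountName) {
    $ds = New-Object System.DirectoryServices.DirectorySearcher
    $ds.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
    $r = $ds.FindOne()
    if (-not $r) { throw "account '$SamAccountName' not found" }
    $de = $r.GetDirectoryEntry()
    $de.RefreshCache(@('tokenGroups'))   # constructed attribute: must be requested explicitly
    foreach ($sidBytes in $de.Properties['tokenGroups']) {
        New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    }
}

# Well-known RIDs of the groups whose members warrant the most scrutiny. Domain group RIDs
# start at 1000, so these low values identify only the built-in/default groups.
$privilegedRids = @{ 512 = 'Domain Admins'; 518 = 'Schema Admins'; 519 = 'Enterprise Admins'
                     544 = 'Administrators (BUILTIN)'; 548 = 'Account Operators'; 551 = 'Backup Operators' }

function Get-EffectiveGroupReport([string]$SamAccountName) {
    foreach ($sid in Get-EffectiveGroupSids $SamAccountName) {
        $rid  = [int]$sid.Value.Split('-')[-1]
        $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        [pscustomobject]@{
            Account    = $SamAccountName
            Group      = $name                  # falls back to the raw SID if it no longer resolves
            Sid        = $sid.Value
            Privileged = $privilegedRids.ContainsKey($rid)
        }
    }
}

Get-EffectiveGroupReport 'svc_backup' | Sort-Object Privileged -Descending | Format-Table -AutoSize
```

Run it over the accounts flagged as never-expiring or password-not-required from the earlier enumeration: an account that carries both a policy exemption and a Privileged = True row is the combination that deserves attention first.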