
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 393

2003 lockout

In the same way that you can make certain domain accounts exempt from password expiration, can you make domain accounts exempt from account lockout policies as well? For example, important domain accounts running as services: all you need is some general prankster purposely getting the password wrong all the time to get it locked out. Isn't this seen as a problem?

It's a 2003 functional domain...

Also, do service accounts have a last login stamp, to see if they are still in use? If yes, how so, if they aren't interactively logging into servers/domains? If not, do you know of any other way to determine if they are still in use, as opposed to disabling them and seeing what breaks/fails...
0
Asked:
pma111
3 Solutions
 
TheAnvilGroup commented:
To configure account lockout in a domain environment you typically use the Default Domain Policy, a Group Policy Object (GPO) linked to the domain. The relevant Group Policy settings are found under:

Computer Configuration
     Windows Settings
          Security Settings
               Account Policies
                    Account Lockout Policy

Hope this helps
0
 
Paul MacDonald, Director, Information Systems, commented:
Yes, it is possible to exempt users, groups and OUs from group policies by DENYing them READ permission to the policy.

As to the other, you may be able to set up some sort of auditing to follow what service accounts are doing.
0
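For the service-account part of the original question, here is an added example; it is not from the thread and not something either poster used. It relies on two facts about Active Directory: any successful authentication, a service starting under the account included, updates lastLogon on the DC that handled it, but lastLogon is not replicated, so the real answer is the newest value across every DC; and at the Windows Server 2003 functional level there is also lastLogonTimestamp, which is replicated but only refreshed when the stored value is more than roughly 14 days old (msDS-LogonTimeSyncInterval), so it is fine for "not used in months" triage but not for exact dates. The script uses System.DirectoryServices only, so it runs against 2003 DCs from a domain-joined machine with ordinary domain-user read rights. The account names in $serviceAccounts are placeholders.

```powershell
# Added example, not from the thread. System.DirectoryServices only, so no AD
# module is needed and it works against Windows Server 2003 DCs.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext

# lastLogon is per-DC and never replicated, so every DC must be asked.
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
       ForEach-Object { $_.Name }

# Placeholder list (hypothetical names); replace with your own accounts or a
# group lookup.
$serviceAccounts = 'svc_backup', 'svc_sql', 'svc_monitor'

# A FILETIME of 0 decodes to 1601-01-01 and means "never logged on".
$never = [DateTime]::FromFileTime(0)

function Get-AccountLogonInfo([string]$SamAccountName) {
    $filter      = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    $newestExact = $never     # newest lastLogon seen on any DC
    $replicated  = $never     # lastLogonTimestamp (same on every DC once replicated)

    foreach ($dc in $dcs) {
        $s = New-Object System.DirectoryServices.DirectorySearcher
        $s.SearchRoot = [ADSI]"LDAP://$dc/$domainDn"   # bind to this specific DC
        $s.Filter     = $filter
        [void]$s.PropertiesToLoad.Add('lastLogon')
        [void]$s.PropertiesToLoad.Add('lastLogonTimestamp')
        try   { $r = $s.FindOne() }
        catch { Write-Warning "$dc unreachable: $_"; continue }
        if ($r -eq $null) { continue }

        if ($r.Properties['lastlogon'].Count -gt 0) {
            $t = [DateTime]::FromFileTime([long]$r.Properties['lastlogon'][0])
            if ($t -gt $newestExact) { $newestExact = $t }
        }
        if ($r.Properties['lastlogontimestamp'].Count -gt 0) {
            $replicated = [DateTime]::FromFileTime([long]$r.Properties['lastlogontimestamp'][0])
        }
    }

    $exactText = 'never'; $replText = 'never'; $idleDays = $null
    if ($newestExact -gt $never) {
        $exactText = $newestExact
        $idleDays  = [int]((Get-Date) - $newestExact).TotalDays
    }
    if ($replicated -gt $never) { $replText = $replicated }

    New-Object PSObject -Property @{
        Account            = $SamAccountName
        LastLogonExact     = $exactText   # newest lastLogon across all DCs
        LastLogonTimestamp = $replText    # replicated, up to ~14 days stale
        IdleDays           = $idleDays
    }
}

# Accounts idle for longer than your service restart cadence (90 days here,
# an arbitrary threshold) are the ones worth investigating before disabling.
$serviceAccounts |
    ForEach-Object { Get-AccountLogonInfo $_ } |
    Sort-Object IdleDays -Descending |
    Format-Table Account, LastLogonExact, LastLogonTimestamp, IdleDays -AutoSize
```

A "never" in LastLogonExact across all DCs is strong evidence the account is unused, since a service that has started under it at any point would have left a lastLogon on whichever DC authenticated it. A recent LastLogonTimestamp with an older LastLogonExact usually just means one DC was unreachable when the script ran.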
 
pma111 (Author) commented:
paulmacd:

Can you show me how, or provide a link to how this is done?
0
 
Paul MacDonald, Director, Information Systems, commented:
Here are two good ones:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/filter.mspx?mfr=true

http://technet.microsoft.com/en-us/library/bb742376.aspx

Essentially, on the Group Policy tab of your container, select the GPO and click Properties.  You'll see a Security tab where you can control the GPO application.
0
 
Amit, IT Architect, commented:
Check this free tool

http://joeware.net/freetools/tools/unlock/index.htm

I have been using it for the last 2 years without any issue. You can batch it and email it to you.
0
 
pma111 (Author) commented:
Thanks for all the advice...

Put another way then... if domain accounts in a 2003 functional domain can become exempt from domain policies, how can I identify every account exempt from the domain password policy? Is it easy to do?

So I want to say these 400 users are subject to the password policy (complexity, lockout, expiry, reuse etc.), but these 45 aren't. That's my task; that is what I would really like to do...

If I run MBSA on a domain controller it does list users whose passwords don't expire, but I want any exemption to expiry, lockout, complexity etc.
0
 
Paul MacDonald, Director, Information Systems, commented:
The easiest way would be to make a group - something like "Exempt From Password Policy" - and put those accounts in that group, then apply permissions to the group in the GPO.
0
 
pma111 (Author) commented:
So my wording was wrong...

I want to check the current/existing configuration setup...

i.e. I want to see, as of today, that 450 are subject to this domain password policy, 50 aren't, and these are the 50 that aren't...
0
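To answer the "which 50 are exempt" question as asked, here is an added example; it is not from the thread and not something the posters ran. It rests on two facts a practitioner auditing a 2003 domain needs: in a Windows Server 2003 functional level domain there is exactly one password and lockout policy, the Account Policies of the GPO(s) linked at the domain level, and the DCs enforce it from attributes written onto the domain object itself (maxPwdAge, lockoutThreshold and so on), so security filtering on the GPO does not exempt any account from it; per-account password settings only arrived with fine-grained password policy in Windows Server 2008. The only per-account exemptions a 2003 domain has are the userAccountControl flags DONT_EXPIRE_PASSWD (the one MBSA reports) and PASSWD_NOTREQD; there is no flag that exempts an account from lockout or complexity. The script reads the enforced policy and lists every enabled account carrying either flag. It uses System.DirectoryServices only, so it runs against 2003 DCs with ordinary domain-user read rights.

```powershell
# Added example, not from the thread. System.DirectoryServices only, so it
# runs from any domain-joined PowerShell box against Windows Server 2003 DCs.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext

# Searcher rooted at the domain head, paged so large domains return fully.
function New-DomainSearcher([string]$Filter, [string[]]$Props, [string]$Scope = 'Subtree') {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]"LDAP://$domainDn"
    $s.SearchScope = $Scope
    $s.Filter      = $Filter
    $s.PageSize    = 1000
    foreach ($p in $Props) { [void]$s.PropertiesToLoad.Add($p) }
    $s
}

# Durations on the domain object are negative counts of 100-ns units;
# 0 or the most negative Int64 means "never" / "until an admin unlocks".
function Convert-Interval([long]$HundredNs) {
    if ($HundredNs -eq 0 -or $HundredNs -eq [long]::MinValue) { return 'unlimited' }
    [TimeSpan]::FromTicks(-$HundredNs).ToString()
}

# --- 1. The single policy the DCs enforce, read from the domain object ------
# Group Policy copies Account Policies from the domain-linked GPO onto these
# attributes; the DC consults them for every account, whatever the GPO ACL says.
$polProps = 'maxPwdAge','minPwdLength','pwdHistoryLength','pwdProperties',
            'lockoutThreshold','lockoutDuration','lockOutObservationWindow'
$pol = (New-DomainSearcher '(objectClass=domainDNS)' $polProps 'Base').FindOne().Properties

$policy = New-Object PSObject -Property @{
    MaxPasswordAge     = Convert-Interval $pol['maxpwdage'][0]
    MinPasswordLength  = $pol['minpwdlength'][0]
    PasswordHistory    = $pol['pwdhistorylength'][0]
    ComplexityRequired = [bool]($pol['pwdproperties'][0] -band 1)   # DOMAIN_PASSWORD_COMPLEX
    LockoutThreshold   = $pol['lockoutthreshold'][0]                 # 0 = accounts never lock out
    LockoutDuration    = Convert-Interval $pol['lockoutduration'][0]
    ObservationWindow  = Convert-Interval $pol['lockoutobservationwindow'][0]
}
"Domain-wide policy enforced by the DCs:"
$policy | Format-List

# --- 2. The only per-account exemptions that exist in a 2003 domain ---------
# They live in userAccountControl, not in Group Policy:
#   0x10000 DONT_EXPIRE_PASSWD  max password age not applied to this account
#   0x00020 PASSWD_NOTREQD      minimum length (even empty password) not enforced
# There is no flag that exempts an ordinary account from lockout or complexity.
$DONT_EXPIRE = 0x10000
$NOTREQD     = 0x20
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND rule; this excludes disabled (0x2).
$userFilter = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$users = (New-DomainSearcher $userFilter @('sAMAccountName','userAccountControl','pwdLastSet')).FindAll()

$report = foreach ($u in $users) {
    $uac = [int]$u.Properties['useraccountcontrol'][0]
    $set = $null
    if ($u.Properties['pwdlastset'].Count -gt 0) {
        $set = [DateTime]::FromFileTime([long]$u.Properties['pwdlastset'][0])
    }
    New-Object PSObject -Property @{
        Account              = [string]$u.Properties['samaccountname'][0]
        PasswordNeverExpires = [bool]($uac -band $DONT_EXPIRE)
        PasswordNotRequired  = [bool]($uac -band $NOTREQD)
        PasswordLastSet      = $set
    }
}
$users.Dispose()

$exempt = @($report | Where-Object { $_.PasswordNeverExpires -or $_.PasswordNotRequired })
"{0} enabled accounts, {1} carry a per-account exemption:" -f @($report).Count, $exempt.Count
$exempt | Sort-Object Account |
    Format-Table Account, PasswordNeverExpires, PasswordNotRequired, PasswordLastSet -AutoSize
```

The first section is the real check for the "No Override" worry in the thread: whatever the GPO links and ACLs look like, the values on the domain object are what the DCs actually enforce, so if those match the intended policy, every account is under it. The second section is the complete list of exceptions; PasswordLastSet makes the never-expiring accounts with very old passwords, typically service accounts, stand out.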
 
pma111 (Author) commented:
PS - can you view GP details/settings in the ADUC console, or is it another tool?
0
 
Paul MacDonald, Director, Information Systems, commented:
I'm not aware of any utility that will show you the RSOP for every object in AD, but there may be one.

Since a password policy is generally something that would apply to everyone, the No Override property should be set.  If you can verify that, then it's just a matter of looking at the permissions because that would be the only way to block inheritance/policy application.
0
 
pma111 (Author) commented:
Can you remind me how I check whether the No Override setting is set...
0
 
Paul MacDonald, Director, Information Systems, commented:
When you bring up the properties for the container, select a GPO and click the Options... button.  You'll see the No Override setting there.
0
 
pma111 (Author) commented:
I'm not familiar with AD GPO tools; when you say bring up the container, in what software are you viewing this...
0
 
Paul MacDonald, Director, Information Systems, commented:
In Active Directory Users and Computers:
Select the Domain or an OU.
Right-click and select Properties.
Select the Group Policy tab.
0
 
pma111 (Author) commented:
I have got the ADUC console on my machine; I right-clicked the domain and the Group Policy tab lists the following fields:

Group Policy Object Links / No Override / Disabled

There is no tick in "No Override" for any group policy object links.

So.... how can I now check who is potentially overriding that policy around password complexity / expiry / account lockout?
0
 
Paul MacDonald, Director, Information Systems, commented:
You can use the RSOP snap-in:
http://www.microsoft.com/windowsxp/using/setup/expert/rsop.mspx

or the GPResult command:
http://www.microsoft.com/windowsxp/using/setup/expert/gpresults.mspx

They'll give you similar information about what policies apply to a particular user/computer.
0
 
pma111 (Author) commented:
So if I get a list of 50 users who I suspect may not be part of this password policy, running gpresult from my workstation will give me that information? Or are you saying I'd have to run gpresult on each of the 50 users' workstations who I suspect may not be part of this password policy? There's got to be an easier way than that, surely...
0
 
pma111 (Author) commented:
Will solution 1 (RSOP snap-in) work if I am not a domain administrator? I don't even have local admin rights on my machine, but I could probably get the snap-in installed. I'm just not sure whether, without domain admin rights, I could query every user's policies. It is users I am after, not machines.
0
 
Paul MacDonald, Director, Information Systems, commented:
Both would have to be run 50 times - and why not?  There may be several combinations of users/computers that end up with different RSOPs.  

That said, unless your AD configuration is a mess, it's unlikely there are more than a few possible outcomes so you should only have to run either utility against a subset of possible combinations.

0
 
pma111 (Author) commented:
It's a shame there isn't one single tool that you can run to see what policies the user actually gets applied. So I could specify "policy A" and it would list all users who get that policy, and all users that don't. I'm amazed there isn't such a tool for what must be such a common test/requirement for administrators.
0
 
Paul MacDonald, Director, Information Systems, commented:
Mmm.  Maybe.  Users tend to be grouped, so if one user is typical of a group, you'd only need to test against that one user.  Also, as an administrator, I would already know what policies apply to what users because I'd be deploying those policies with the intent of having a certain effect.

That said, there may be a utility out there that does what you want.  I simply don't know of one.  Sorry!
0
 
pma111 (Author) commented:
Yeah, I appreciate that, so finance as a group would get the password policy yet a group called service accounts may not. It's just identifying all the groups the more powerful domain accounts are members of. I can easily enumerate a list of domain admins...
0
 
Paul MacDonald, Director, Information Systems, commented:
You can see what groups a user belongs to by opening the properties for the user object and selecting the "Member Of" tab.  You probably know that.
0
