Solved

2003 lockout

Posted on 2011-02-16
Last Modified: 2013-11-05
In the same way that you can make certain domain accounts exempt from password expiration, can you make domain accounts exempt from account lockout policies as well? For example, important domain accounts running as services: all you need is some general prankster purposely getting the password wrong all the time to get it locked out. Isn't this seen as a problem?

It's a 2003 functional domain...

Also, do service accounts have a last login stamp, to see if they are still in use? If yes, how so, if they aren't interactively logging into servers/domains? If not, do you know of any other way to determine if they are still in use as opposed to disabling them and seeing what breaks/fails...
Question by:pma111
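One way to answer the second part of the question (is a service account still in use, without disabling it and waiting for something to break) is to ask each server which Windows services log on with that account. The script below is an added example and not part of the thread; the server list and the account name are constructed samples, and it assumes the caller can query WMI on the servers remotely.

```powershell
# Added example, not from the thread: find where a service account is actually in use
# before disabling it, by asking each server which services run under that identity.
# Assumptions: $Servers is a constructed list of hostnames, $Account is the account as it
# appears in the service's "Log On As" setting (DOMAIN\name), and the caller has rights to
# query WMI remotely on those servers.

$Servers = @('APP01', 'SQL01', 'FILE01')          # constructed sample; replace with your server list
$Account = 'CONTOSO\svc_backup'                   # constructed sample account name

function Find-ServiceAccountUsage {
    param([string[]]$ComputerName, [string]$AccountName)

    # The UPN form (svc_backup@contoso.com) is also accepted, since either may appear in StartName.
    $upnPattern = '{0}@*' -f ($AccountName -split '\\')[-1]

    foreach ($computer in $ComputerName) {
        try {
            # Win32_Service.StartName holds the "Log On As" identity of each service.
            $services = Get-WmiObject -Class Win32_Service -ComputerName $computer -ErrorAction Stop |
                Where-Object { $_.StartName -and
                               ($_.StartName -ieq $AccountName -or $_.StartName -ilike $upnPattern) }
            foreach ($svc in $services) {
                New-Object PSObject -Property @{
                    Computer  = $computer
                    Service   = $svc.Name
                    StartMode = $svc.StartMode
                    State     = $svc.State
                    LogOnAs   = $svc.StartName
                }
            }
        } catch {
            # Report an unreachable server instead of skipping it, so "no hits" is not
            # mistaken for "account unused".
            New-Object PSObject -Property @{
                Computer  = $computer
                Service   = '<query failed: {0}>' -f $_.Exception.Message
                StartMode = ''; State = ''; LogOnAs = ''
            }
        }
    }
}

Find-ServiceAccountUsage -ComputerName $Servers -AccountName $Account |
    Select-Object Computer, Service, StartMode, State, LogOnAs | Format-Table -AutoSize
```

WMI only covers Windows services; scheduled tasks, IIS application pools and COM+ applications that run as the account need their own checks (schtasks /query /v, the IIS and Component Services consoles), so the directory's lastLogonTimestamp remains the cross-check for anything this inventory misses.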
24 Comments
 
LVL 1

Assisted Solution

by:TheAnvilGroup
TheAnvilGroup earned 25 total points
ID: 34906644
To configure account lockout in a domain environment you typically use the Default Domain Policy, a Group Policy Object (GPO) linked to the domain. The relevant Group Policy settings are found under:

Computer Configuration
     Windows Settings
          Security Settings
               Account Policies
                    Account Lockout Policy

Hope this helps
0
 
LVL 33

Accepted Solution

by:paulmacd
paulmacd earned 75 total points
ID: 34906651
Yes it is possible to exempt users, groups and OUs from group policies by DENYing them READ permission to the policy.  

As to the other, you may be able to set up some sort of auditing to follow what service accounts are doing.
0
 
LVL 3

Author Comment

by:pma111
ID: 34906674
paulmacd:

Can you show me how, or provide a link how this is done.
0
 
LVL 33

Expert Comment

by:paulmacd
ID: 34906713
Here are two good ones:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/filter.mspx?mfr=true

http://technet.microsoft.com/en-us/library/bb742376.aspx

Essentially, on the Group Policy tab of your container, select the GPO and click Properties.  You'll see a Security tab where you can control the GPO application.
0
 
LVL 1

Expert Comment

by:TheAnvilGroup
ID: 34906741
0
 
LVL 41

Assisted Solution

by:Amit
Amit earned 25 total points
ID: 34906776
Check this free tool

http://joeware.net/freetools/tools/unlock/index.htm

I have been using it for the last 2 years without any issue. You can batch it and have it emailed to you.
0
 
LVL 3

Author Comment

by:pma111
ID: 34907124
Thanks for all the advice...

Put another way then... if domain accounts in a 2003 functional domain can become exempt from domain policies, how can I identify every account exempt from the domain password policy? Is it easy to do?

So I want to say these 400 users are subject to the password policy (complexity, lockout, expiry, reuse etc), but these 45 aren't. That's the task I would really like to do...

If I run MBSA on a domain controller it does list users whose passwords don't expire, but I want any exemption to expiry, lockout, complexity etc etc.
0
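Two checks bear directly on the question of who is and is not covered. In a Windows Server 2003 functional domain there is a single domain-wide password and lockout policy, read by the domain controllers from the domain object and enforced for every domain account (fine-grained password policies require the Windows Server 2008 domain functional level); the one per-account exemption the directory itself records is the "Password never expires" flag, the DONT_EXPIRE_PASSWORD bit (0x10000) in userAccountControl. The script below, an added example and not code from the thread, first reads the effective domain account policy and then lists the accounts carrying that flag, with how recently each authenticated. It uses only ADSI / System.DirectoryServices, assumes the logged-on user's own domain is the one to audit, and the 90-day staleness threshold is an assumed value.

```powershell
# Added example, not code from the thread. Part 1 reads the domain-wide account policy that the
# domain controllers enforce for every account in the domain (the values behind Account Policies
# in the Default Domain Policy). Part 2 lists accounts carrying the one per-account exemption the
# directory itself records, "Password never expires", together with how recently each one
# authenticated. Only ADSI / System.DirectoryServices is used, so this runs on a 2003-era
# domain-joined workstation as an ordinary domain user; reading these attributes needs no admin rights.
# Assumption: the logged-on user's own domain is the one being audited.

$rootDse  = [adsi]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext
$domain   = [adsi]"LDAP://$domainDn"

function Get-First {
    # First value of an attribute, or $null when the object does not carry it (e.g. never logged on).
    param($Props, [string]$Name)
    $vals = $Props[$Name]
    if ($vals -and $vals.Count -gt 0) { $vals[0] } else { $null }
}

function ConvertFrom-AdInterval {
    # Policy durations are negative Int64 counts of 100-ns ticks; Int64.MinValue means "never".
    param([int64]$Value)
    if ($Value -eq [int64]::MinValue -or $Value -eq 0) { return 'never' }
    [TimeSpan]::FromTicks(-$Value)
}

function ConvertFrom-FileTime {
    # pwdLastSet and lastLogonTimestamp are 100-ns ticks since 1601-01-01 UTC; 0 or absent = never.
    param($Value)
    if ($null -eq $Value -or [int64]$Value -eq 0) { return $null }
    [DateTime]::FromFileTimeUtc([int64]$Value)
}

# --- Part 1: the effective domain account policy, read from the domain naming-context head ---
$policySearch = New-Object System.DirectoryServices.DirectorySearcher($domain, '(objectClass=domainDNS)')
$policySearch.SearchScope = 'Base'
$p = $policySearch.FindOne().Properties
$DOMAIN_PASSWORD_COMPLEX = 0x1      # pwdProperties bit: complexity requirements enabled

New-Object PSObject -Property @{
    LockoutThreshold         = [int](Get-First $p 'lockoutthreshold')      # 0 means accounts never lock out
    LockoutDuration          = ConvertFrom-AdInterval (Get-First $p 'lockoutduration')
    LockoutObservationWindow = ConvertFrom-AdInterval (Get-First $p 'lockoutobservationwindow')
    MaxPasswordAge           = ConvertFrom-AdInterval (Get-First $p 'maxpwdage')
    MinPasswordLength        = [int](Get-First $p 'minpwdlength')
    PasswordHistoryLength    = [int](Get-First $p 'pwdhistorylength')
    ComplexityRequired       = [bool]([int](Get-First $p 'pwdproperties') -band $DOMAIN_PASSWORD_COMPLEX)
} | Format-List

# --- Part 2: accounts flagged "Password never expires" and their last authentication ---
$DONT_EXPIRE_PASSWORD = 0x10000    # userAccountControl bit
$ACCOUNTDISABLE       = 0x2        # userAccountControl bit
$StaleAfterDays       = 90         # assumed review threshold; adjust to local policy

# Matching-rule OID 1.2.840.113556.1.4.803 is LDAP's bitwise AND, so the server does the flag test.
$filter = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$DONT_EXPIRE_PASSWORD))"
$userSearch = New-Object System.DirectoryServices.DirectorySearcher($domain, $filter)
$userSearch.PageSize = 1000        # page results instead of stopping at the server's 1000-entry limit
foreach ($attr in 'sAMAccountName','userAccountControl','pwdLastSet','lastLogonTimestamp','memberOf') {
    [void]$userSearch.PropertiesToLoad.Add($attr)
}

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleAfterDays)
$report = foreach ($r in $userSearch.FindAll()) {
    $uac       = [int](Get-First $r.Properties 'useraccountcontrol')
    $lastLogon = ConvertFrom-FileTime (Get-First $r.Properties 'lastlogontimestamp')
    New-Object PSObject -Property @{
        Account    = [string](Get-First $r.Properties 'samaccountname')
        Disabled   = [bool]($uac -band $ACCOUNTDISABLE)
        PwdLastSet = ConvertFrom-FileTime (Get-First $r.Properties 'pwdlastset')
        # lastLogonTimestamp replicates between DCs but is only rewritten when the stored value is
        # older than roughly 14 days, so read it as "authenticated at least this recently".
        LastLogonApprox = $lastLogon
        Stale      = ($null -eq $lastLogon) -or ($lastLogon -lt $cutoff)
        # First RDN of each group DN, e.g. "Domain Admins": shows where the exempt accounts sit.
        Groups     = (@($r.Properties['memberof']) | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; '
    }
}

$report | Sort-Object LastLogonApprox |
    Select-Object Account, Disabled, Stale, LastLogonApprox, PwdLastSet, Groups | Format-Table -AutoSize
```

lastLogonTimestamp is the replicated attribute, which is why one query against any domain controller is enough, at the cost of up to about two weeks of imprecision; the older lastLogon attribute is exact but is not replicated, so getting a precise last-authentication time means reading it from every domain controller and keeping the latest value.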
 
LVL 33

Expert Comment

by:paulmacd
ID: 34907324
The easiest way would be to make a group - something like "Exempt From Password Policy" - and put those accounts in that group, then apply permissions to the group in the GPO.
0
 
LVL 3

Author Comment

by:pma111
ID: 34907359
So my wording was wrong. ...

I want to check the current/existing configuration setup....

i.e. I want to see as of today, 450 are subject to this domain password policy, 50 aren't, these are the 50 that aren't...
0
 
LVL 3

Author Comment

by:pma111
ID: 34907386
ps - can you view gp details/settings in the ADUC console, or is it another tool?
0
 
LVL 33

Expert Comment

by:paulmacd
ID: 34907502
I'm not aware of any utility that will show you the RSOP for every object in AD, but there may be one.

Since a password policy is generally something that would apply to everyone, the No Override property should be set.  If you can verify that, then it's just a matter of looking at the permissions because that would be the only way to block inheritance/policy application.
0
 
LVL 3

Author Comment

by:pma111
ID: 34907990
Can you remind me how I check whether the No Override policy is set...,
0
 
LVL 33

Expert Comment

by:paulmacd
ID: 34908034
When you bring up the properties for the container, select a GPO and click the Options... button.  You'll see the No Override setting there.
0
 
LVL 3

Author Comment

by:pma111
ID: 34908051
I'm not familiar with AD GPO tools, when you say bring up the container, in what software are you viewing this...
0
 
LVL 33

Expert Comment

by:paulmacd
ID: 34908071
In Active Directory Users and Computers:
Select the Domain or an OU.
Right-click and select Properties.
Select the Group Policy tab.
0
 
LVL 3

Author Comment

by:pma111
ID: 34916283
I have got the ADUC console on my machine, right-clicked the domain and on the Group Policy tab it lists the following fields:

Group Policy Object Links / No Override / Disabled

There is no tick in "No Override" for any Group Policy Object links

So.... how can I now check who is potentially overriding that policy around password complexity / expiry / account lockout
0
 
LVL 33

Expert Comment

by:paulmacd
ID: 34916764
You can use the RSOP snap-in:
http://www.microsoft.com/windowsxp/using/setup/expert/rsop.mspx

or the GPResult command:
http://www.microsoft.com/windowsxp/using/setup/expert/gpresults.mspx

They'll give you similar information about what policies apply to a particular user/computer.
0
 
LVL 3

Author Comment

by:pma111
ID: 34916843
So if I get a list of 50 users who I suspect may not be part of this password policy, running gpresult from my workstation will give me that information? Or are you saying I'd have to run gpresult on each of the 50 users' workstations who I suspect may not be part of this password policy? There's got to be an easier way than that surely...
0
 
LVL 3

Author Comment

by:pma111
ID: 34916868
Will solution 1 (RSOP snap-in) work if I am not a domain administrator? I don't even have local admin rights on my machine but I could probably get the snap-in installed, I'm just not sure if without domain admin rights I could query every user's policies. It is users I am after not machines
0
 
LVL 33

Expert Comment

by:paulmacd
ID: 34917052
Both would have to be run 50 times - and why not?  There may be several combinations of users/computers that end up with different RSOPs.  

That said, unless your AD configuration is a mess, it's unlikely there are more than a few possible outcomes so you should only have to run either utility against a subset of possible combinations.

0
 
LVL 3

Author Comment

by:pma111
ID: 34917117
It's a shame there isn't one single tool that you can run to see what policies the user actually gets applied. So I could specify "policy" A and it would list all users who get that policy, and all users that don't. I'm amazed there isn't such a tool for what must be such a common test/requirement for administrators.
0
 
LVL 33

Expert Comment

by:paulmacd
ID: 34917263
Mmm.  Maybe.  Users tend to be grouped so if one user is typical of a group, you'd only need to test against that one user.  Also, as an administrator, I would already know what policies apply to what users because I'd be deploying those policies with the intent of having a certain effect.

That said, there may be a utility out there that does what you want.  I simply don't know of one.  Sorry!
0
 
LVL 3

Author Comment

by:pma111
ID: 34917309
Yeah I appreciate that, so finance as a group would get the password policy yet a group called service accounts may not. It's just identifying all the groups the more powerful domain accounts are members of. I can easily enumerate a list of domain admins..
0
 
LVL 33

Expert Comment

by:paulmacd
ID: 34917367
You can see what groups a user belongs to by opening the properties for the user object and selecting the "Member Of" tab.  You probably know that.
0
