Solved

2003 lockout

Posted on 2011-02-16
Last Modified: 2013-11-05
In the same way that you can make certain domain accounts exempt from password expiration, can you make domain accounts exempt from account lockout policies as well? For example, for important domain accounts running as services, all you need is some general prankster purposely getting the password wrong all the time to get it locked out. Isn't this seen as a problem?

It's a 2003 functional domain...

Also, do service accounts have a last login stamp, to see if they are still in use? If yes, how so, if they aren't interactively logging into servers/domains? If not, do you know of any other way to determine if they are still in use, as opposed to disabling them and seeing what breaks/fails...
Question by:pma111
24 Comments
 
LVL 1

Assisted Solution

by:TheAnvilGroup
TheAnvilGroup earned 25 total points
ID: 34906644
To configure account lockout in a domain environment you typically use the Default Domain Policy, a Group Policy Object (GPO) linked to the domain. The relevant Group Policy settings are found under:

Computer Configuration
     Windows Settings
          Security Settings
               Account Policies
                    Account Lockout Policy

Hope this helps
0
 
LVL 34

Accepted Solution

by:Paul MacDonald
Paul MacDonald earned 75 total points
ID: 34906651
Yes it is possible to exempt users, groups and OUs from group policies by DENYing them READ permission to the policy.  

As to the other, you may be able to set up some sort of auditing to follow what service accounts are doing.
0
 
LVL 3

Author Comment

by:pma111
ID: 34906674
paulmacd:

Can you show me how, or provide a link how this is done.
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 34906713
Here are two good ones:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/filter.mspx?mfr=true

http://technet.microsoft.com/en-us/library/bb742376.aspx

Essentially, on the Group Policy tab of your container, select the GPO and click Properties.  You'll see a Security tab where you can control the GPO application.
0
 
LVL 1

Expert Comment

by:TheAnvilGroup
ID: 34906741
0
 
LVL 42

Assisted Solution

by:Amit
Amit earned 25 total points
ID: 34906776
Check this free tool

http://joeware.net/freetools/tools/unlock/index.htm

I have been using it for the last 2 years without any issue. You can batch it and have it email the results to you.
0
 
LVL 3

Author Comment

by:pma111
ID: 34907124
Thanks for all the advice...

Put another way then... if domain accounts in a 2003 functional domain can become exempt from domain policies, how can I identify every account exempt from the domain password policy? Is it easy to do?

So I want to say these 400 users are subject to the password policy (complexity, lockout, expiry, reuse etc), but these 45 aren't. That's the task I would really like to do...

If I run MBSA on a domain controller it does list users whose passwords don't expire, but I want any exemption, so expiry, lockout, complexity etc etc.
0
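The two checks asked about in this thread (which accounts have "password never expires" set, as MBSA reports, and whether a service account has logged on recently without ever logging on interactively) can both be read from per-account AD attributes. The following is an added example, not code from the thread: it decodes the userAccountControl flag bits and the FILETIME-encoded lastLogonTimestamp from a constructed csvde-style export with hypothetical account names, and flags non-expiring and stale accounts.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# userAccountControl flag bits as documented for Active Directory.
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWD = 0x10000   # "Password never expires" (what MBSA reports)

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
AS_OF = datetime(2011, 2, 16, tzinfo=timezone.utc)   # reference date for the sample

def to_filetime(dt):
    """UTC datetime -> Windows FILETIME (100-ns ticks since 1601-01-01), integer math."""
    td = dt - EPOCH_1601
    return ((td.days * 86400 + td.seconds) * 10**6 + td.microseconds) * 10

def from_filetime(ticks):
    """Windows FILETIME -> UTC datetime (lastLogonTimestamp is stored this way)."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def build_sample_export():
    """Constructed csvde-style export with hypothetical accounts (not real data)."""
    rows = [("svc_backup", 66048, datetime(2011, 2, 10, tzinfo=timezone.utc)),
            ("svc_oldapp", 66048, datetime(2010, 6, 1, tzinfo=timezone.utc)),
            ("jsmith", 512, datetime(2011, 2, 15, tzinfo=timezone.utc)),
            ("svc_retired", 66050, datetime(2009, 1, 5, tzinfo=timezone.utc)),
            ("svc_newbox", 66048, None)]   # no logon ever replicated
    lines = ["sAMAccountName,userAccountControl,lastLogonTimestamp"]
    for name, uac, last in rows:
        lines.append(f"{name},{uac},{to_filetime(last) if last else ''}")
    return "\n".join(lines)

def audit_accounts(export_text, now, stale_after_days=90):
    """Classify accounts as password-never-expires, stale (no logon within
    stale_after_days) or disabled. Any successful logon, service logons included,
    updates lastLogon on the DC; lastLogonTimestamp is the replicated copy but is
    only refreshed when the stored value is about 14 days old, so treat it as a
    coarse 'still in use' signal rather than a precise clock."""
    never_expires, stale, disabled = [], [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        name, uac = row["sAMAccountName"], int(row["userAccountControl"])
        if uac & ACCOUNTDISABLE:
            disabled.append(name)
            continue
        if uac & DONT_EXPIRE_PASSWD:
            never_expires.append(name)
        ticks = int(row["lastLogonTimestamp"] or 0)
        if ticks == 0 or now - from_filetime(ticks) > timedelta(days=stale_after_days):
            stale.append(name)
    return {"never_expires": never_expires, "stale": stale, "disabled": disabled}

if __name__ == "__main__":
    for key, names in audit_accounts(build_sample_export(), AS_OF).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Against a real domain the same three attributes can be pulled with csvde or dsquery/dsget by any authenticated user, since reading them does not require domain admin rights.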
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 34907324
The easiest way would be to make a group - something like "Exempt From Password Policy" - and put those accounts in that group, then apply permissions to the group in the GPO.
0
 
LVL 3

Author Comment

by:pma111
ID: 34907359
So my wording was wrong. ...

I want to check the current/existing configuration setup....

i.e. I want to see, as of today, 450 are subject to this domain password policy, 50 aren't, and these are the 50 that aren't...
0
 
LVL 3

Author Comment

by:pma111
ID: 34907386
PS - can you view GP details/settings in the ADUC console, or is it another tool?
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 34907502
I'm not aware of any utility that will show you the RSOP for every object in AD, but there may be one.

Since a password policy is generally something that would apply to everyone, the No Override property should be set.  If you can verify that, then it's just a matter of looking at the permissions because that would be the only way to block inheritance/policy application.
0
 
LVL 3

Author Comment

by:pma111
ID: 34907990
Can you remind me how I can check if the no override policy is set...
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 34908034
When you bring up the properties for the container, select a GPO and click the Options... button.  You'll see the No Override setting there.
0
 
LVL 3

Author Comment

by:pma111
ID: 34908051
I'm not familiar with AD GPO tools; when you say bring up the container, in what software are you viewing this...
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 34908071
In Active Directory Users and Computers:
Select the Domain or an OU.
Right-click and select Properties.
Select the Group Policy tab.
0
 
LVL 3

Author Comment

by:pma111
ID: 34916283
I have got the ADUC console on my machine; I right-clicked the domain and on the Group Policy tab it lists the following fields:

Group Policy Object Links / No Override / Disabled

There is no tick in "No Override" for any group policy object links.

So.... how can I now check who is potentially overriding that policy around password complexity / expiry / account lockout?
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 34916764
You can use the RSOP snap-in:
http://www.microsoft.com/windowsxp/using/setup/expert/rsop.mspx

or the GPResult command:
http://www.microsoft.com/windowsxp/using/setup/expert/gpresults.mspx

They'll give you similar information about what policies apply to a particular user/computer.
0
 
LVL 3

Author Comment

by:pma111
ID: 34916843
So if I get a list of 50 users who I suspect may not be part of this password policy, running gpresult from my workstation will give me that information? Or are you saying I'd have to run gpresult on each of the 50 users' workstations who I suspect may not be part of this password policy? There's got to be an easier way than that surely...
0
 
LVL 3

Author Comment

by:pma111
ID: 34916868
Will solution 1 (RSOP snap-in) work if I am not a domain administrator? I don't even have local admin rights on my machine, but I could probably get the snap-in installed. I'm just not sure if, without domain admin rights, I could query every user's policies. It is users I am after, not machines.
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 34917052
Both would have to be run 50 times - and why not?  There may be several combinations of users/computers that end up with different RSOPs.  

That said, unless your AD configuration is a mess, it's unlikely there are more than a few possible outcomes so you should only have to run either utility against a subset of possible combinations.

0
 
LVL 3

Author Comment

by:pma111
ID: 34917117
It's a shame there isn't one single tool that you can run to see what policies the user actually gets applied. So I could specify "policy A" and it would list all users who get that policy, and all users that don't. I'm amazed there isn't such a tool for what must be such a common test/requirement for administrators.
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 34917263
Mmm.  Maybe.  Users tend to be grouped so if one user is typical of a group, you'd only need to test against that one user.  Also, as an administrator, I would already know what policies apply to what users because I'd be deploying those policies with the intent of having a certain effect.

That said, there may be a utility out there that does what you want.  I simply don't know of one.  Sorry!
0
 
LVL 3

Author Comment

by:pma111
ID: 34917309
Yeah, I appreciate that, so finance as a group would get the password policy yet a group called service accounts may not. It's just identifying all the groups the more powerful domain accounts are members of. I can easily enumerate a list of domain admins..
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 34917367
You can see what groups a user belongs to by opening the properties for the user object and selecting the "Member Of" tab.  You probably know that.
0
