Solved

How to implement account lockout and password policy for domain admins when they log on to Windows 2008 R2 domain controllers (domain functional level 2003).

Posted on 2016-09-20
6
89 Views
Last Modified: 2016-09-21
Hello experts,

We must implement an account lockout policy for domain admins when they log on to domain controller computers (Windows 2008 R2).
The question is not whether it is a good idea or not; it MUST be implemented.
To make sure the parameters are applied correctly the following test will be executed:

Domain admin logs on to a DC and opens the RSOP MMC (if you don't know what it is, please do not answer the question ;-)
Right-click and choose Generate RSOP Data
Select Logging Mode
Select this computer
Select current user
Navigate to Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
Verify the following parameters:
Enforce password history is set to 6 passwords remembered
Maximum password age is 60 days
Minimum password age is 1 day
Minimum password length is 8 characters
Password complexity is enabled

Please note:
The domain admins are in an OU that blocks inheritance.
The domain functional level is 2003.

We tried to change the Default Domain Controllers Policy and also to add a new GPO linked to the OU that blocks inheritance, without success. We did the obvious gpupdate /force and made sure that replication is functional between the different domain controllers.

Thanks in advance for your help.
Best regards.
0
Comment
Question by:blaisefournier
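As an added example (not part of the original question), the same verification done from PowerShell: it reads the domain's single password policy and compares it with the values listed above. It assumes the ActiveDirectory module (RSAT) is installed; Get-ADDefaultDomainPasswordPolicy reads the domain naming context, so it can be run against any DC.

```powershell
# Added example, not from the original post: compare the effective domain
# password policy with the values the asker's RSOP test expects.
Import-Module ActiveDirectory

# Required values, taken from the question
$required = @{
    PasswordHistoryCount = 6
    MaxPasswordAge       = [TimeSpan]::FromDays(60)
    MinPasswordAge       = [TimeSpan]::FromDays(1)
    MinPasswordLength    = 8
    ComplexityEnabled    = $true
}

# The domain has exactly one password/lockout policy at this functional level;
# it is stored on the domain object, so any DC returns the same answer.
$policy = Get-ADDefaultDomainPasswordPolicy

foreach ($name in $required.Keys) {
    $actual = $policy.$name
    $status = if ($actual -eq $required[$name]) { 'OK' } else { 'MISMATCH' }
    '{0,-22} expected={1,-16} actual={2,-16} {3}' -f $name, $required[$name], $actual, $status
}

# The lockout settings live on the same object, which is why they cannot be
# made different for DC logons versus workstation logons.
$policy | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow
```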
6 Comments
 
LVL 41

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41807612
Lockout for domain based accounts cannot be configured based on which computers they are logging in to. You can have different lockout requirements for different groups/users if you use a fine grained password policy, but the lockout requirements that apply to the user must apply to all systems on the domain. It is not possible to set different lockout settings for accounts when they log on to a DC as opposed to a regular workstation, at least, not without third party tools, and I don't know of any that would allow you to accomplish this.

You may be able to accomplish your goal with a script that examines the event log for failed logins of admin accounts and disables or locks the account if too many failed login events are logged, but you cannot do what you want with Group Policy in any way.

Also, if you are only setting password and lockout requirements with a GPO, you can only have one password and lockout policy *per domain*. Linking a GPO with password requirements to an OU of user accounts will do absolutely nothing (Password lockout and other requirements are a computer setting, not a user setting). Linking a GPO with password requirements to an OU of computers will only change the password requirements for local accounts on those computers. Doing so on an OU of Domain Controllers will do nothing. GPOs with password requirements will only apply to domain accounts if the GPO is linked directly to the domain.

With your domain functional level at 2003, you are not able to use Fine Grained Password policies either, so you can only have one password policy that has to apply to all users in your domain. There is no way around this without using third party applications. At the 2003 functional level, you have to have an additional domain in your forest to have users that have a different password policy than the rest.
0
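As an added example (not Mr. Brown's code), one way to implement the event-log script he suggests: it counts failed logon events (ID 4625) on the local DC for members of Domain Admins and disables any account that crosses a threshold. It assumes the ActiveDirectory module is installed on the DC and runs elevated; the threshold and window are illustrative values.

```powershell
# Added example, not from the original answer: scan the local Security log for
# failed logons of Domain Admins members and disable accounts that exceed a
# threshold. Failed logons are recorded on whichever DC processed them, so run
# this on every DC (or forward the events) to get full coverage.
Import-Module ActiveDirectory

$Threshold = 5                                  # illustrative
$Window    = [TimeSpan]::FromMinutes(15)        # illustrative
$WhatIf    = $true   # set to $false to actually disable accounts

# SamAccountNames of all (nested) user members of Domain Admins
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
          Where-Object { $_.objectClass -eq 'user' } |
          Select-Object -ExpandProperty SamAccountName

# 4625 = "An account failed to log on"; SilentlyContinue covers the
# "no events found" error Get-WinEvent raises on an empty result.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date) - $Window
} -ErrorAction SilentlyContinue

# TargetUserName in 4625 is the account whose logon failed
$failures = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
}

$failures | Where-Object { $admins -contains $_ } |
    Group-Object |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        Write-Warning ('{0} failed logons for {1} in the last {2} minutes' -f `
            $_.Count, $_.Name, $Window.TotalMinutes)
        Disable-ADAccount -Identity $_.Name -WhatIf:$WhatIf
    }
```

Schedule it on each DC with a short interval; re-enabling the account afterwards is a manual step, which is the point of the "disable rather than lock" approach.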
 
LVL 3

Expert Comment

by:awed1
ID: 41807639
Is it possible to make an OU for the servers and apply the lockout policy above the administrators' no-inheritance OU?
0
 
LVL 41

Expert Comment

by:Adam Brown
ID: 41807642
No, it isn't. Only one password policy will apply to domain accounts for each domain in a 2003 functional level domain. Of all the policies linked to the domain, only the highest priority one will apply.
0
 
LVL 1

Author Comment

by:blaisefournier
ID: 41807644
Thanks very much Mr. Brown.
I guess we'll have to analyze raising the domain functional level, but that's another question.

Best regards
Blaise
0
 
LVL 1

Author Closing Comment

by:blaisefournier
ID: 41807646
Thank you for your time.
0
 
LVL 1

Author Comment

by:blaisefournier
ID: 41808845
Thank you again. So what tricked me was that I didn't know that RSOP would not show password policy results on any DC except for the one holding the PDC emulator role!
0
