
How to implement account lockout and password policy for domain admins when they log on to Windows 2008 R2 domain controllers (domain functional level 2003).

Hello experts,

We must implement an account lockout policy for domain admins when they log on to domain controller computers (Windows 2008 R2).
The question is not whether it is a good idea or not, it MUST be implemented.
To make sure the parameters are applied correctly the following test will be executed:

Domain admin logs on to DC and opens RSOP MMC (if you don't know what it is please do not answer the question ;-)
Right click and choose Generate RSOP Data
Select Logging Mode
Select this computer
Select current user
Navigate to Computer Configuration > Windows Settings > Security Settings> Account Policies> Password Policy
Verify the following parameters:
Enforce password history is set to 6 passwords remembered
Maximum password age is 60 days
Minimum password age is 1 day
Minimum password length is 8 characters
Password complexity is enabled

Please note:
The domain admins are in an OU that blocks inheritance.
The domain functional level is 2003.

We tried to change the Default Domain Controllers Policy and also to add a new GPO linked to the OU that blocks inheritance, without success. We did the obvious gpupdate /force and made sure that replication is functional between the different domain controllers.

Thanks in advance for your help.
Best regards.
Asked by: blaisefournier
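The RSOP test above, done from PowerShell instead, as an added example that is not part of the original post. It reads the effective domain password and lockout policy from the PDC emulator (the DC that writes the account-policy settings of domain-linked GPOs onto the domain object), compares it with the values the question requires, and then reads the raw attributes from every DC so you can see whether replication has delivered the current policy. It assumes the ActiveDirectory module (a 2008 R2 DC or RSAT); the required values are the ones listed in the question, and no lockout values are asserted because the question does not state any.

```powershell
# Added example (not from the thread): verify the effective domain account policy
# against the values the question's RSOP test expects.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 DC or RSAT).
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator
# Domain-account password/lockout policy is applied by the PDC emulator, so read it there
$policy = Get-ADDefaultDomainPasswordPolicy -Server $pdc

# Values required in the question (password policy only; no lockout values are stated)
$required = @{
    PasswordHistoryCount = 6
    MaxPasswordAge       = New-TimeSpan -Days 60
    MinPasswordAge       = New-TimeSpan -Days 1
    MinPasswordLength    = 8
    ComplexityEnabled    = $true
}

"Effective domain policy read from PDC emulator $pdc"
$allOk = $true
foreach ($name in ($required.Keys | Sort-Object)) {
    $actual = $policy.$name
    $match  = ($actual -eq $required[$name])
    if (-not $match) { $allOk = $false }
    '{0,-22} required={1,-17} actual={2,-17} {3}' -f $name, $required[$name], $actual,
        $(if ($match) { 'OK' } else { 'MISMATCH' })
}
'Lockout: threshold={0} duration={1} window={2}' -f $policy.LockoutThreshold,
    $policy.LockoutDuration, $policy.LockoutObservationWindow

# The same settings are attributes of the domain head object and replicate to every DC;
# reading them per DC shows whether each DC already has the current values.
foreach ($dc in (Get-ADDomainController -Filter * -Server $pdc)) {
    $head = Get-ADObject -Identity $domain.DistinguishedName -Server $dc.HostName `
        -Properties maxPwdAge, minPwdAge, minPwdLength, pwdHistoryLength, lockoutThreshold
    # maxPwdAge and minPwdAge are stored as negative 100-nanosecond intervals
    '{0,-30} maxAge={1}d minAge={2}d minLen={3} history={4} lockoutThreshold={5}' -f $dc.HostName,
        [TimeSpan]::FromTicks(-$head.maxPwdAge).TotalDays,
        [TimeSpan]::FromTicks(-$head.minPwdAge).TotalDays,
        $head.minPwdLength, $head.pwdHistoryLength, $head.lockoutThreshold
}

if (-not $allOk) { Write-Warning 'Effective domain password policy does not match the required values.' }
```

If the first block reports the required values but your RSOP console on a non-PDC DC does not, the policy is in place and the difference is in where RSOP reads it, not in replication; if a DC in the second block shows stale attributes, replication is the problem.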
1 Solution
 
Adam Brown (Sr Solutions Architect) commented:
Lockout for domain-based accounts cannot be configured based on which computers they are logging in to. You can have different lockout requirements for different groups/users if you use a fine-grained password policy, but the lockout requirements that apply to the user must apply to all systems on the domain. It is not possible to set different lockout settings for accounts when they log on to a DC as opposed to a regular workstation, at least not without third-party tools, and I don't know of any that would allow you to accomplish this.

You may be able to accomplish your goal with a script that examines the event log for failed logins of admin accounts and disables or locks the account if too many failed login events are logged, but you cannot do what you want with Group Policy in any way.

Also, if you are only setting password and lockout requirements with a GPO, you can only have one password and lockout policy *per domain*. Linking a GPO with password requirements to an OU of user accounts will do absolutely nothing (Password lockout and other requirements are a computer setting, not a user setting). Linking a GPO with password requirements to an OU of computers will only change the password requirements for local accounts on those computers. Doing so on an OU of Domain Controllers will do nothing. GPOs with password requirements will only apply to domain accounts if the GPO is linked directly to the domain.

With your domain functional level at 2003, you are not able to use Fine Grained Password policies either, so you can only have one password policy that has to apply to all users in your domain. There is no way around this without using third party applications. At the 2003 functional level, you have to have an additional domain in your forest to have users that have a different password policy than the rest.
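The event-log approach Adam mentions, sketched as an added PowerShell example (not code from the thread or from Adam): it counts failed-logon events for members of Domain Admins in the local Security log of the DC and disables any account that exceeds a threshold. The threshold, window, event IDs, the break-glass exception and the `$WhatIf` default are assumptions; it assumes failure auditing of logon events is enabled on the DC and the ActiveDirectory module is present, and is meant to run from a scheduled task on each DC.

```powershell
# Added example (not from the thread): event-log based "lockout" for Domain Admins on a DC.
# Assumptions: 5 failures within 30 minutes trigger a disable, failure auditing of logon
# events is enabled, the ActiveDirectory module is available, and this runs on each DC.
Import-Module ActiveDirectory

$Threshold     = 5
$WindowMinutes = 30
$WhatIf        = $true                   # set to $false to actually disable accounts
$BreakGlass    = @('breakglass-admin')   # assumed exception list, never disabled here

# Accounts in scope: all user members of Domain Admins, including nested group members
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $_.SamAccountName.ToLowerInvariant() }

$since = (Get-Date).AddMinutes(-$WindowMinutes)
# 4625 = failed logon on this host; 4771 = Kerberos pre-authentication failed at this KDC
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4771; StartTime = $since } `
    -ErrorAction SilentlyContinue)

# Take TargetUserName from the event XML instead of Properties[] positions,
# which differ between event IDs
$failures = @{}
foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = $xml.Event.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }
    if (-not $data) { continue }
    $user = ([string]$data.'#text').ToLowerInvariant()
    if ($admins -contains $user -and $BreakGlass -notcontains $user) {
        $failures[$user] = [int]$failures[$user] + 1
    }
}

foreach ($user in $failures.Keys) {
    if ($failures[$user] -ge $Threshold) {
        Write-Warning ('{0}: {1} failed logons since {2:u} on {3}; disabling account' -f `
            $user, $failures[$user], $since, $env:COMPUTERNAME)
        Disable-ADAccount -Identity $user -WhatIf:$WhatIf
    }
}
```

Two caveats a practitioner should weigh before deploying this. It disables rather than locks out, so nothing re-enables the account after a timeout; an attacker who knows an admin name can use it to deny that admin access, which is the same denial-of-service exposure a real lockout policy has, but here it also requires a second admin to recover, hence the break-glass exception. And each DC only sees its own events (4771 is logged by the DC that handled the authentication), so the count is per DC unless you forward the Security logs to one collector.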
 
awed1 commented:
Is it possible to make an OU for the servers and apply the lockout policy above the administrator OU that blocks inheritance?
 
Adam Brown (Sr Solutions Architect) commented:
No, it isn't. Only one password policy will apply to domain accounts for each domain in a 2003 functional level domain. Of all the policies linked to the domain, only the highest priority one will apply.
 
blaisefournier (Author) commented:
Thanks very much Mr. Brown.
I guess we'll have to analyze raising the domain functional level, but that's another question.

Best regards
Blaise
 
blaisefournier (Author) commented:
Thank you for your time.
 
blaisefournier (Author) commented:
Thank you again. So what tricked me was that I didn't know that RSOP would not show password policy results on any DC except the one holding the PDC emulator role!