We must implement an account lockout policy for domain admins when they logon to domain controllers computers (Windows 2008R2).
The question is not whether it is a good idea or not, it MUST be implemented.
To make sure the parameters are applied correctly the following test will be executed:
Domain admin logs on to DC and opens RSOP MMC (if you don't know what it is please do not answer the question ;-)
Right click and choose Generate RSOP Data
Select Logging Mode
Select this computer
Select current user
Navigate to Computer Configuration > Windows Settings > Security Settings> Account Policies> Password Policy
Verify the following parameters:
Enforce password history is set to 6 passwords remembered
Maximum password age is 60 days
Minimum password age is 1 day
Minimum password length is 8 characters
Password complexity is enabled
The domain admins are in an OU that blocks inheritance.
The domain functional level is 2003.
We tried to change the Default Domain Controllers Policy and also to add a new GPO linked to the OU that blocks inheritance, without success. We did the obvious gpupdate /force and made sure that replication is functional between the different domain controllers.
Thanks in advance for your help.