Solved

How to implement account lockout and password policy for domain admins when they logon to Windows 2008 R2 domain controllers (domain functional level 2003).

Posted on 2016-09-20
6
50 Views
Last Modified: 2016-09-21
Hello experts,

We must implement an account lockout policy for domain admins when they log on to domain controller computers (Windows 2008 R2).
The question is not whether it is a good idea or not, it MUST be implemented.
To make sure the parameters are applied correctly the following test will be executed:

Domain admin logs on to DC and opens RSOP MMC (if you don't know what it is please do not answer the question ;-)
Right click and choose Generate RSOP Data
Select Logging Mode
Select this computer
Select current user
Navigate to Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
Verify the following parameters:
Enforce password history is set to 6 passwords remembered
Maximum password age is 60 days
Minimum password age is 1 day
Minimum password length is 8 characters
Password complexity is enabled

Please note:
The domain admins are in an OU that blocks inheritance.
The domain functional level is 2003.

We tried to change the Default Domain Controllers Policy and also to add a new GPO linked to the OU that blocks inheritance, without success. We did the obvious gpupdate /force and made sure that replication is functional between the different domain controllers.

Thanks in advance for your help.
Best regards.
Question by:blaisefournier
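The RSOP walk-through above checks the five password settings by hand on one DC. The following PowerShell script is an added example, not part of the question or of any comment in this thread; it reads the effective domain password policy from the domain naming context (the values every DC enforces for domain accounts) and compares it with the expected values listed in the test. It assumes the ActiveDirectory module (RSAT / AD Web Services, available on a 2008 R2 DC) is present and that the caller can read the domain head.

```powershell
# Added example: compare the effective domain password policy with the values
# the acceptance test expects. Not from the thread; assumes the ActiveDirectory
# module is installed and that this runs as a user who can read the domain.
Import-Module ActiveDirectory

# Expected values, taken from the test steps in the question
$expected = @{
    PasswordHistoryCount = 6                      # "Enforce password history"
    MaxPasswordAge       = New-TimeSpan -Days 60  # "Maximum password age"
    MinPasswordAge       = New-TimeSpan -Days 1   # "Minimum password age"
    MinPasswordLength    = 8                      # "Minimum password length"
    ComplexityEnabled    = $true                  # "Password complexity"
}

# Get-ADDefaultDomainPasswordPolicy reads the domain object's attributes
# (maxPwdAge, minPwdLength, pwdHistoryLength, ...), so the result does not
# depend on which DC you run it on or on what RSOP shows locally.
$policy = Get-ADDefaultDomainPasswordPolicy
$ok = $true

foreach ($name in $expected.Keys) {
    $actual = $policy.$name
    if ($actual -ne $expected[$name]) {
        Write-Warning ("{0}: expected {1}, effective {2}" -f $name, $expected[$name], $actual)
        $ok = $false
    }
}

# Lockout settings live on the same object; report them for completeness.
"Lockout threshold: {0}, duration: {1}, observation window: {2}" -f `
    $policy.LockoutThreshold, $policy.LockoutDuration, $policy.LockoutObservationWindow

if ($ok) {
    "Effective domain password policy matches the expected values."
} else {
    exit 1   # non-zero exit so a scheduled task or monitoring job can flag drift
}
```

Run it from any domain-joined machine with RSAT; a non-zero exit code means at least one setting differs from the expected values, and the warnings name which ones.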
6 Comments
 
LVL 38

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41807612
Lockout for domain based accounts cannot be configured based on which computers they are logging in to. You can have different lockout requirements for different groups/users if you use a fine grained password policy, but the lockout requirements that apply to the user must apply to all systems on the domain. It is not possible to set different lockout settings for accounts when they log on to a DC as opposed to a regular workstation, at least, not without third party tools, and I don't know of any that would allow you to accomplish this.

You may be able to accomplish your goal with a script that examines the event log for failed logins of admin accounts and disables or locks the account if too many failed login events are logged, but you cannot do what you want with Group Policy in any way.

Also, if you are only setting password and lockout requirements with a GPO, you can only have one password and lockout policy *per domain*. Linking a GPO with password requirements to an OU of user accounts will do absolutely nothing (Password lockout and other requirements are a computer setting, not a user setting). Linking a GPO with password requirements to an OU of computers will only change the password requirements for local accounts on those computers. Doing so on an OU of Domain Controllers will do nothing. GPOs with password requirements will only apply to domain accounts if the GPO is linked directly to the domain.

With your domain functional level at 2003, you are not able to use Fine Grained Password policies either, so you can only have one password policy that has to apply to all users in your domain. There is no way around this without using third party applications. At the 2003 functional level, you have to have an additional domain in your forest to have users that have a different password policy than the rest.
0
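Adam Brown's answer suggests a script that watches the event log for failed admin logons and disables the account when too many are seen. The script below is an added example of that idea, not code from Adam Brown or from this thread. It assumes the ActiveDirectory module is available on the DC, that failure auditing for logon events is enabled so that event 4625 is recorded, and that it is run from a scheduled task on each domain controller; the threshold and window are assumed values, and without the -Enforce switch it only reports.

```powershell
# Added example (not from the thread): count failed interactive logons (event
# 4625) of Domain Admins members on this DC within a look-back window and
# disable any account that crosses the threshold. Assumes the ActiveDirectory
# module is installed and that logon failure auditing is enabled on the DC.
param(
    [int]$Threshold     = 5,    # failed logons that trigger action (assumed value)
    [int]$WindowMinutes = 30,   # look-back window, like a lockout observation window
    [switch]$Enforce            # without this switch the script only reports
)

Import-Module ActiveDirectory

# Resolve the (recursive) membership of Domain Admins to lower-case sAMAccountNames
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    ForEach-Object { $_.SamAccountName.ToLower() }

$since  = (Get-Date).AddMinutes(-$WindowMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue   # no events in the window is not an error

$failures = @{}
foreach ($e in $events) {
    # The structured fields of 4625 are easier to read from the event XML than
    # from the rendered message text.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $user = ([string]$data['TargetUserName']).ToLower()
    if (-not $user) { continue }
    if ($admins -notcontains $user) { continue }
    # LogonType 2 = interactive (console), 10 = RemoteInteractive (RDP);
    # other types (network, service, batch) are not DC logons in the sense of the question.
    if (@('2', '10') -notcontains [string]$data['LogonType']) { continue }

    $failures[$user] = 1 + [int]$failures[$user]
}

foreach ($user in $failures.Keys) {
    $n = $failures[$user]
    if ($n -lt $Threshold) { continue }
    Write-Warning ("{0} had {1} failed interactive logons on {2} in the last {3} minutes" -f `
        $user, $n, $env:COMPUTERNAME, $WindowMinutes)
    if ($Enforce) {
        Disable-ADAccount -Identity $user
        Write-Warning "Disabled account $user"
    }
}
```

Because each DC only sees the failures attempted against itself, the task has to run on every DC (or the events have to be forwarded to a collector) for the count to cover the whole domain, and a disabled account has to be re-enabled by another administrator, so the threshold should be set with that operational cost in mind.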
 
LVL 3

Expert Comment

by:awed1
ID: 41807639
Is it possible to make an OU for the Servers and apply the lockout policy above the administrator no Inheritance policy?
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 41807642
No, it isn't. Only one password policy will apply to domain accounts for each domain in a 2003 functional level domain. Of all the policies linked to the domain, only the highest priority one will apply.
0
 
LVL 1

Author Comment

by:blaisefournier
ID: 41807644
Thanks very much Mr. Brown.
I guess we'll have to analyze raising the domain functional level, but that's another question.

Best regards
Blaise
0
 
LVL 1

Author Closing Comment

by:blaisefournier
ID: 41807646
Thank you for your time.
0
 
LVL 1

Author Comment

by:blaisefournier
ID: 41808845
Thank you again. What tricked me was that I didn't know that RSOP would not show password policy results on any DC except for the one holding the PDC emulator role!
0
