Solved

How to implement account lockout and password policy for domain admins when they logon to Windows 2008 R2 domain controllers (domain functional level 2003).

Posted on 2016-09-20
6
58 Views
Last Modified: 2016-09-21
Hello experts,

We must implement an account lockout policy for domain admins when they log on to domain controller computers (Windows 2008 R2).
The question is not whether it is a good idea or not, it MUST be implemented.
To make sure the parameters are applied correctly the following test will be executed:

Domain admin logs on to DC and opens RSOP MMC (if you don't know what it is please do not answer the question ;-)
Right click and choose Generate RSOP Data
Select Logging Mode
Select this computer
Select current user
Navigate to Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
Verify the following parameters:
Enforce password history is set to 6 passwords remembered
Maximum password age is 60 days
Minimum password age is 1 day
Minimum password length is 8 characters
Password complexity is enabled

Please note:
The domain admins are in an OU that blocks inheritance.
The domain functional level is 2003.

We tried to change the Default Domain Controllers Policy and also to add a new GPO linked to the OU that blocks inheritance, without success. We did the obvious gpupdate /force and made sure that replication is functional between the different domain controllers.

Thanks in advance for your help.
Best regards.
Question by:blaisefournier
6 Comments
 
LVL 38

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41807612
Lockout for domain-based accounts cannot be configured based on which computers they are logging in to. You can have different lockout requirements for different groups/users if you use a fine-grained password policy, but the lockout requirements that apply to the user must apply to all systems on the domain. It is not possible to set different lockout settings for accounts when they log on to a DC as opposed to a regular workstation, at least not without third-party tools, and I don't know of any that would allow you to accomplish this.

You may be able to accomplish your goal with a script that examines the event log for failed logins of admin accounts and disables or locks the account if too many failed login events are logged, but you cannot do what you want with Group Policy in any way.

Also, if you are only setting password and lockout requirements with a GPO, you can only have one password and lockout policy *per domain*. Linking a GPO with password requirements to an OU of user accounts will do absolutely nothing (Password lockout and other requirements are a computer setting, not a user setting). Linking a GPO with password requirements to an OU of computers will only change the password requirements for local accounts on those computers. Doing so on an OU of Domain Controllers will do nothing. GPOs with password requirements will only apply to domain accounts if the GPO is linked directly to the domain.

With your domain functional level at 2003, you are not able to use Fine-Grained Password Policies either, so you can only have one password policy that has to apply to all users in your domain. There is no way around this without using third-party applications. At the 2003 functional level, you have to have an additional domain in your forest to have users that have a different password policy than the rest.
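The event-log approach the accepted answer mentions, as an added example that is not the answer's own script: it counts failed logon events (ID 4625) on the local DC for members of Domain Admins and disables any account that crosses a threshold. The threshold, look-back window, the choice of event 4625 (Kerberos pre-authentication failures are logged separately as 4771) and WhatIf default are assumptions; it needs the ActiveDirectory RSAT module and runs on the DC being watched.

```powershell
# Added example (not from the thread): disable Domain Admins accounts that accumulate
# too many failed logons on this DC. Threshold/window/event choice are assumptions.
Import-Module ActiveDirectory

$Threshold  = 5        # failed logons before the account is disabled (assumed)
$WindowMin  = 30       # look-back window in minutes (assumed)
$WhatIfMode = $true    # set to $false to really disable accounts

# Domain Admins members (recursive so nested groups count), lower-cased for matching
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
          Where-Object { $_.objectClass -eq 'user' } |
          ForEach-Object { $_.SamAccountName.ToLower() }

# Failed logon events (4625) on this DC inside the window; no events is not an error here
$since  = (Get-Date).AddMinutes(-$WindowMin)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Pull TargetUserName out of each event's XML and count failures per admin account
$failures = @{}
foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $user = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
    if (-not $user) { continue }
    $user = $user.ToLower()
    if ($admins -contains $user) {
        $failures[$user] = [int]$failures[$user] + 1
    }
}

foreach ($user in $failures.Keys) {
    $n = $failures[$user]
    Write-Output ("{0}: {1} failed logons in the last {2} minutes" -f $user, $n, $WindowMin)
    if ($n -ge $Threshold) {
        if ($WhatIfMode) {
            Write-Warning "Would disable $user (WhatIf mode)"
        } else {
            Disable-ADAccount -Identity $user
            Write-Warning "Disabled $user after $n failed logons"
        }
    }
}
```

Because anyone who can produce failed logons against an admin name could use this to disable every administrator, exclude at least one break-glass account from the list before running it without WhatIf.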
 
LVL 3

Expert Comment

by:awed1
ID: 41807639
Is it possible to make an OU for the Servers and apply the lockout policy above the administrator no Inheritance policy?
 
LVL 38

Expert Comment

by:Adam Brown
ID: 41807642
No, it isn't. Only one password policy will apply to domain accounts for each domain in a 2003 functional level domain. Of all the policies linked to the domain, only the highest priority one will apply.

 
LVL 1

Author Comment

by:blaisefournier
ID: 41807644
Thanks very much Mr. Brown.
I guess we'll have to analyze raising the domain functional level, but that's another question.

Best regards
Blaise
 
LVL 1

Author Closing Comment

by:blaisefournier
ID: 41807646
Thank you for your time.
 
LVL 1

Author Comment

by:blaisefournier
ID: 41808845
Thank you again. So what got me tricked was that I didn't know that RSOP would not show password policy results on any DC except for the one holding the PDC emulator role!
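A way to verify the test from the question without depending on which DC RSOP is run on, as an added example not from the thread: it asks the PDC emulator for the effective domain password policy and compares it with the five values the question requires. It assumes the ActiveDirectory RSAT module is available; the expected values are those listed in the question.

```powershell
# Added example (not from the thread): read the effective domain password policy from the
# PDC emulator and check it against the values required in the question.
Import-Module ActiveDirectory

$pdc    = (Get-ADDomain).PDCEmulator
$policy = Get-ADDefaultDomainPasswordPolicy -Server $pdc

# Expected values as stated in the question
$expected = @{
    PasswordHistoryCount = 6
    MaxPasswordAge       = New-TimeSpan -Days 60
    MinPasswordAge       = New-TimeSpan -Days 1
    MinPasswordLength    = 8
    ComplexityEnabled    = $true
}

Write-Output "Policy read from PDC emulator: $pdc"
$allOk = $true
foreach ($name in $expected.Keys) {
    $actual = $policy.$name
    $ok = ($actual -eq $expected[$name])
    if (-not $ok) { $allOk = $false }
    $status = if ($ok) { 'OK' } else { 'MISMATCH' }
    Write-Output ("{0,-22} expected {1,-12} actual {2,-12} {3}" -f $name, $expected[$name], $actual, $status)
}

# Lockout settings are part of the same domain-wide object, so show them as well
Write-Output ("LockoutThreshold {0}, LockoutDuration {1}, LockoutObservationWindow {2}" -f `
    $policy.LockoutThreshold, $policy.LockoutDuration, $policy.LockoutObservationWindow)

if (-not $allOk) { Write-Warning "Domain password policy does not match the required values" }
```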
