SAM2009
asked on
How can I set account never locked out for just some users?
Hi,
We had an issue because of an affected PC, and all AD users were locked out. How can I set accounts to never be locked out for just some users, like the admin account?
Thanks
Hi there @Ahmed Abdelbaset, if your comment is the last one you can just use the Edit button and change your comment :)
About the question:
here's documentation directly from Microsoft:
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-policy
I would add that you need to find out the reason all the accounts got locked out. Thinking of a malware or virus attack that did a domain-wide dictionary attack and blocked everybody and everyone's PC, I think the solution would be to ensure security instead of opening up the little security that is left on the site...
ASKER CERTIFIED SOLUTION
I mean that you apply the policy on the OU that has the computers users log on to, using GPO security filtering to limit that policy to a specific user or user group.
Is that clear ?
@Ahmed, your solution would only work for local accounts. Unique domain account policies require fine-grained password policies, since all domain accounts live on the domain controllers.
Yes, fine-grained password policy would be ideal if you need different lockout settings for a different set of users.
However, it's not recommended from a security perspective to set the account lockout policy threshold value to 0.
"However, it's not recommended from a security perspective to set the account lockout policy threshold value to 0."
Not really. Microsoft best practice is 0 if you have a system to monitor bad logons and 50 otherwise.
You cannot protect against a DDoS and a brute-force simultaneously.
https://www.experts-exchange.com/articles/29305/Active-Directory-Locked-Account-Investigation-Process.html
Fine-grained password policy is the only option.
ASKER
Thanks!
Set the account lockout threshold to 0 so the account will never be locked out.
You can create new GPO and apply it on specific users.
I recommend you carefully read this article:
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-threshold#security-considerations
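As an added PowerShell example (not posted by any participant in this thread) of the fine-grained password policy approach recommended above, combined with the bad-logon monitoring that Microsoft's guidance makes a condition of a 0 threshold. It assumes the ActiveDirectory RSAT module, Domain Admin rights, a domain functional level of 2008 or higher, and Credential Validation / Kerberos Authentication Service auditing enabled on the DCs; the group name and PSO name are placeholders.

```powershell
# Added example (not from this thread). Assumes the ActiveDirectory RSAT module,
# Domain Admin rights and a 2008+ domain functional level (PSOs require it).
# Placeholders: the group 'NoLockout-Admins' and the PSO name 'PSO-NoLockout-Admins'.
Import-Module ActiveDirectory

$group   = 'NoLockout-Admins'       # placeholder: global security group of exempt accounts
$psoName = 'PSO-NoLockout-Admins'   # placeholder: name of the fine-grained policy

# 1. Create the PSO. LockoutThreshold 0 disables lockout for its subjects only; the
#    Default Domain Policy keeps applying to everyone else. If a user falls under several
#    PSOs, the lowest Precedence value wins, so give this one a low number.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -LockoutThreshold 0 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true `
    -Description 'Lockout exemption for admin accounts; failed logons are monitored instead'

# 2. Bind it to the group. PSOs apply to users and global security groups, not to OUs,
#    which is why a GPO filtered on a computer OU cannot do this for domain accounts.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# 3. Verify the resultant policy for each member (catches a competing PSO with lower precedence).
$members = Get-ADGroupMember -Identity $group -Recursive | Where-Object objectClass -eq 'user'
$members | ForEach-Object {
    $eff = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
    [pscustomobject]@{ User = $_.SamAccountName; Policy = $eff.Name; Threshold = $eff.LockoutThreshold }
} | Format-Table -AutoSize

# 4. Compensating control: with lockout off, failed authentications against these accounts
#    must be watched. Pull Kerberos pre-auth failures (4771) and NTLM credential validation
#    failures (4776) from every DC for the last 24 hours and count them per exempt account.
$names  = $members.SamAccountName
$filter = @{ LogName = 'Security'; Id = 4771, 4776; StartTime = (Get-Date).AddHours(-24) }
Get-ADDomainController -Filter * | ForEach-Object {
    Get-WinEvent -ComputerName $_.HostName -FilterHashtable $filter -ErrorAction SilentlyContinue
} | ForEach-Object {
    # TargetUserName sits at different indexes in 4771 and 4776, so read it by name from the XML
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Account = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        Event   = $_.Id
        Time    = $_.TimeCreated
    }
} | Where-Object { $names -contains $_.Account } |
    Group-Object Account | Sort-Object Count -Descending |
    Select-Object Name, Count
```

Step 4 is what turns a 0 threshold from a gap into a monitored exception: feed its output to whatever alerting you already have, since nothing will lock these accounts when a password-guessing run hits them.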