Network Security Focus-Microsoft

RE: Account Lockout Policy

Subject: RE: Account Lockout Policy
Date: Sun, 23 Oct 2005 00:05:04 +0400
-----Original Message-----
From: Rasmus Rønlev [mailto:rr.it@cbs.dk] 
Sent: Friday, October 21, 2005 1:37 AM
To: focus-ms@securityfocus.com
Subject: Re: Account Lockout Policy

Hi,

[..]
It seems some of the responding 
people are knee-jerk-reacting to "you can only put into 
effect account policy from the domain level". This is correct 
in so far that "Domain Policy" will be applied towards Domain 
Controllers, sitting in the Domain Controllers OU.

Not quite. Having DCs in GPO scope is not how it works for 
domain account policies. If you create a GPO linked to Domain 
Controllers OU, DCs will ignore account policies configured 
in this GPO. Domain account policies must be configured 
only at the root level of domain. 
Here's a couple of quotes from [2]:
"Password policies, Kerberos, and some security options are 
only merged from GPOs that are linked at the root level on 
the domain. This is done to keep those settings synchronized 
across all domain controllers in the domain."

"For domain accounts, only one account policy is permitted per 
domain. This account policy must be specified in the Default 
Domain Policy GPO, or in a new GPO that is linked to the root 
of the domain and has precedence over the Default Domain 
Policy GPO. [...] A domain controller always gets the account 
policy from a GPO linked to the domain, by default from the 
Default Domain Policy GPO."


1. "Where does your client's security policy actually come from?"
http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci1108125,00.html

2. "How Security Settings Extension Works"
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/824b4758-9430-4633-8d8f-3dad0f2bf839.mspx

--
Al
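
An added example, not part of the original post: a small audit that applies the rule quoted above to GPO security templates (GptTmpl.inf), reporting which account-policy settings take effect for domain accounts and which sit in GPOs linked somewhere other than the domain root. The domain, GPO names, values and the dictionary layout are constructed for illustration; real GptTmpl.inf files in SYSVOL are typically UTF-16 and must be decoded before being passed in.

```python
import configparser

# Account-policy keys as they appear in a GPO's security template (GptTmpl.inf).
ACCOUNT_KEYS = {
    "System Access": {"MinimumPasswordAge", "MaximumPasswordAge", "MinimumPasswordLength",
                      "PasswordComplexity", "PasswordHistorySize", "ClearTextPassword",
                      "LockoutBadCount", "ResetLockoutCount", "LockoutDuration"},
    "Kerberos Policy": {"MaxTicketAge", "MaxRenewAge", "MaxServiceAge", "MaxClockSkew",
                        "TicketValidateClient"},
}

def account_settings(inf_text):
    """Return the account-policy settings found in GptTmpl.inf text (already decoded)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case as written in the template
    cp.read_string(inf_text)
    return {k: v.strip() for sec, keys in ACCOUNT_KEYS.items() if cp.has_section(sec)
            for k, v in cp[sec].items() if k in keys}

def audit(gpos, domain_dn):
    """Split account-policy settings into those effective for domain accounts
    (GPO linked at the domain root) and those linked elsewhere."""
    effective, misplaced = {}, []
    # Link order 1 has the highest precedence, so it is applied last and wins.
    for gpo in sorted(gpos, key=lambda g: g["link_order"], reverse=True):
        found = account_settings(gpo["inf"])
        if not found:
            continue
        if gpo["linked_to"].lower() == domain_dn.lower():
            effective.update({k: (v, gpo["name"]) for k, v in found.items()})
        else:
            misplaced.append((gpo["name"], gpo["linked_to"], found))
    return effective, misplaced

# Constructed sample data: domain, GPO names and values are invented for illustration.
DOMAIN_DN = "DC=example,DC=test"
SAMPLE_GPOS = [
    {"name": "Default Domain Policy", "linked_to": DOMAIN_DN, "link_order": 2,
     "inf": "[System Access]\nMinimumPasswordLength = 7\nLockoutBadCount = 0\n"},
    {"name": "Lockout Hardening", "linked_to": DOMAIN_DN, "link_order": 1,
     "inf": "[System Access]\nLockoutBadCount = 5\nLockoutDuration = 30\n"},
    {"name": "DC Lockout", "linked_to": "OU=Domain Controllers," + DOMAIN_DN, "link_order": 1,
     "inf": "[System Access]\nLockoutBadCount = 3\n[Privilege Rights]\n"
            "SeBackupPrivilege = *S-1-5-32-544\n"},
]

if __name__ == "__main__":
    effective, misplaced = audit(SAMPLE_GPOS, DOMAIN_DN)
    for key, (value, gpo) in sorted(effective.items()):
        print(f"effective  {key} = {value}  (from {gpo})")
    for name, target, found in misplaced:
        print(f"ignored    {name} linked to {target}: {found}")
```

In the sample, the lockout threshold of 3 set in the GPO linked to the Domain Controllers OU is reported as misplaced, while the root-linked GPO with link order 1 overrides the Default Domain Policy value.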

