Network Security Focus-Microsoft

RE: Account Lockout Policy

Subject: RE: Account Lockout Policy
Date: Tue, 25 Oct 2005 13:16:43 -0400
Rasmus is mostly correct; he didn't say that the policy would be *linked* at
the Domain Controllers OU, just that the domain password policy would apply
to the domain controllers. There is one fly in the ointment, however: DCs
that (for reasons unknown and probably nonsensical) were moved outside of
the Domain Controllers OU will still use the password policy that is defined
at the domain level.

Domain controllers have no SAM. They replicate the Active Directory
database. The only place where one can apply password policies that will
affect the AD database is at the domain (AD database) level. Password
policies applied at ANY OU will affect the [LOCAL] SAM for any machines
located in that OU. Therefore, if one were to do something even more
nonsensical such as place member servers into the Domain Controllers OU,
then were to link a password policy to the Domain Controllers OU, the member
servers in that OU would apply that policy to their local SAM. Because,
again, DCs have no local SAM (except for the one that is initialized only in
Directory Services Restore Mode, and GP is not applied when booted into
DSRM, anyway), DCs will still process and apply any policies linked to the
OU(s) in which the DCs are located. However, the account policy section of
such policies would be ignored because there is NO SAM to which they would
apply. 

I would encourage anybody for whom this is confusing to try out the
scenarios I've outlined in a test lab. Move DCs around and you'll see that
they still utilize the domain-level account settings, because, again, the
DOMAIN is where their accounts are housed, regardless of the location of the
domain controller object in AD. Then stick a member server into the Domain
Controllers OU and link a policy defining account settings to that OU. The
DCs will not apply it because they have no SAM "in" that OU, but the member
servers will, because they now DO have a SAM "in" that OU.

Laura

-----Original Message-----
From: Alexander Suhovey [mailto:asuhovey@mtu-net.ru] 
Sent: Saturday, October 22, 2005 4:05 PM
To: 'Rasmus Rønlev'; focus-ms@securityfocus.com
Subject: RE: Account Lockout Policy

-----Original Message-----
From: Rasmus Rønlev [mailto:rr.it@cbs.dk]
Sent: Friday, October 21, 2005 1:37 AM
To: focus-ms@securityfocus.com
Subject: Re: Account Lockout Policy

Hi,

[..]
It seems some of the responding people are knee-jerk-reacting to "you can
only put into effect account policy from the domain level". This is correct
insofar as "Domain Policy" will be applied towards Domain Controllers,
sitting in the Domain Controllers OU.

Not quite. Having DCs in GPO scope is not how it works for domain account
policies. If you create a GPO linked to the Domain Controllers OU, DCs will
ignore account policies configured in this GPO. Domain account policies must
be configured only at the root level of the domain.
Here are a couple of quotes from [2]:
"Password policies, Kerberos, and some security options are only merged from
GPOs that are linked at the root level on the domain. This is done to keep
those settings synchronized across all domain controllers in the domain."

"For domain accounts, only one account policy is permitted per domain. This
account policy must be specified in the Default Domain Policy GPO, or in a
new GPO that is linked to the root of the domain and has precedence over the
Default Domain Policy GPO. [...] A domain controller always gets the account
policy from a GPO linked to the domain, by default from the Default Domain
Policy GPO."


1. "Where does your client's security policy actually come from?"
http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci1108125,00.html

2. "How Security Settings Extension Works"
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/824b4758-9430-4633-8d8f-3dad0f2bf839.mspx

--
Al
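The lab check Laura proposes and the root-link rule Al quotes from [2] can both be verified with one script. The following is an added example, not code from anyone in this thread: it lists the effective domain account policy, then the password and lockout entries found in GPOs linked at the domain root versus those linked to the Domain Controllers OU. It assumes a domain-joined machine with the RSAT ActiveDirectory and GroupPolicy modules and a caller who may read GPO reports; the helper names Get-GpoAccountSettings and Get-LinkedAccountSettings are invented here.

```powershell
# Added example, not from the thread: show where domain account policy settings
# come from, so the scenario described in the messages can be checked in a lab.
# Assumes RSAT ActiveDirectory + GroupPolicy modules on a domain-joined host and
# a caller allowed to read GPO reports. Helper function names are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain
$rootDn = $domain.DistinguishedName
$dcOuDn = $domain.DomainControllersContainer   # normally OU=Domain Controllers,<root>

# Password and lockout entries as they appear in a GPO XML report's
# Security Settings section. Only domain-root links feed these into the
# domain account policy; elsewhere they only touch a member's local SAM.
$accountSettings = @(
    'MinimumPasswordLength', 'PasswordHistorySize', 'MaximumPasswordAge',
    'MinimumPasswordAge', 'PasswordComplexity', 'ClearTextPassword',
    'LockoutBadCount', 'LockoutDuration', 'ResetLockoutCount'
)

function Get-GpoAccountSettings {
    param([string]$GpoName, [string]$LinkedAt)
    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
    # Namespace-agnostic XPath so the query does not depend on report prefixes.
    foreach ($node in $report.SelectNodes("//*[local-name()='Account']")) {
        $name = $node.SelectSingleNode("*[local-name()='Name']").InnerText
        if ($accountSettings -notcontains $name) { continue }
        $value = $node.SelectSingleNode(
            "*[local-name()='SettingNumber'] | *[local-name()='SettingBoolean']").InnerText
        [pscustomobject]@{
            LinkedAt = $LinkedAt; Gpo = $GpoName; Setting = $name; Value = $value
        }
    }
}

function Get-LinkedAccountSettings {
    param([string]$TargetDn)
    # Walk every enabled GPO link on the target container (root or OU).
    foreach ($link in (Get-GPInheritance -Target $TargetDn).GpoLinks) {
        if ($link.Enabled) {
            Get-GpoAccountSettings -GpoName $link.DisplayName -LinkedAt $TargetDn
        }
    }
}

'=== Effective domain account policy (what DCs enforce for domain accounts) ==='
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                ComplexityEnabled, LockoutThreshold, LockoutDuration

'=== Account settings in GPOs linked at the domain root (the only source) ==='
Get-LinkedAccountSettings -TargetDn $rootDn | Format-Table -AutoSize

'=== Account settings in GPOs linked to the Domain Controllers OU ==='
'(ignored by DCs; applied to the local SAM of any member server placed there)'
Get-LinkedAccountSettings -TargetDn $dcOuDn | Format-Table -AutoSize
```

The first section should always match the settings from the root-linked GPO with the highest precedence, whatever is linked to the Domain Controllers OU. To see the member-server side of Laura's scenario, run `net accounts` (local SAM policy) and `net accounts /domain` (domain policy) on a member server that was placed in that OU: only the first will reflect the OU-linked settings.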

