Why are your service accounts getting locked out in the first place? I'd
look at fixing that rather than at trying to exclude them from your lockout
policies. Just my pennies.
Laura
-----Original Message-----
From: Mike MacNeill [mailto:mmacneil@crosscountry.com]
Sent: Friday, October 21, 2005 2:29 PM
To: focus-ms@securityfocus.com
Subject: RE: Account Lockout Policy
IMHO I think MS screwed the implementation of these policies
in the first place. We have a global policy where accounts
are locked after 5 failed attempts. The issue with this is
there are accounts that I would love to exclude from this
policy. Accounts such as the ones used by our Voicemail
System, Mobile Messaging Services and other applications have
been locked out and as a result, services have been impacted.
The way MS has the policies, they are applied at a machine
level so I can specify machines that don't have this policy
applied to but this defeats the purpose. Has anyone figured
a way around this at all?
Mike
RAMI KHANFER wrote:
You can not configure account policy on OU; the only place where you
can configure account policy is at the domain level.
Best Regards
Rami Khanfer
MobileCom - IT Direction/ Infrastructure Department
Mobile + 962 777 801539
Email Rami.Khanfer@mobilecom.jo
-----Original Message-----
From: Derick Anderson [mailto:danderson@vikus.com]
Sent: Thursday/October/2005 05:59 PM
To: Shabbar Arsiwala; focus-ms@securityfocus.com
Subject: RE: Account Lockout Policy
-----Original Message-----
From: Shabbar Arsiwala [mailto:sarsiwala@obleness.org]
Sent: Thursday, October 20, 2005 9:07 AM
To: focus-ms@securityfocus.com
Subject: Account Lockout Policy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
We have an account lockout policy setup for users on our
domain Win
2K3 / Active Directory environment. 4 invalid attempts the account
locks out / 30 mins the account is released. We would like
to change
this policy for one the machines on our domain. This machine uses a
local administrator account to log in.
Is this possible ???
Thanks,
Shabbar
It is possible to change the *local* machine account lockout
policy for
a specific machine, but not the *domain* lockout policy. To
do this you
need to put your *domain* password policy in the Domain
Controllers OU,
create a separate OU for this one machine, make a new policy
with the
desired lockout settings, and link it to the single
machine's OU. This
will only work for *local* accounts (such as MACHINE\Administrator),
not
*domain* accounts (DOMAIN\Administrator).
Derick Anderson
-------------------------------------------------------------
----------
-
---
-------------------------------------------------------------
----------
-
---
-------------------------------------------------------------
----------
----
-------------------------------------------------------------
----------
----
--------------------------------------------------------------
-------------
--------------------------------------------------------------
-------------
--------------------------------------------------------------
-------------
--------------------------------------------------------------
-------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
