
RE: Policy enforcement- Admin accounts

Subject: RE: Policy enforcement- Admin accounts
Date: Mon, 17 Dec 2007 11:38:16 -0600
Create a new OU and put your admin accounts in it then remove the link
for the Domain policy from the root. Then create a new GPO with the
desired account settings and apply it to the OU with your admin
accounts. 

Ricky E. Kerby
Network Engineer/Data Security Officer
First Bank and Trust
Office: (504)-584-5943
Mobile: (504)-220-1631
Fax: (504)-620-1401
rkerby@fbtonline.com
 

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Charles Hardin
Sent: Monday, December 17, 2007 10:35 AM
To: WALI
Cc: security-basics@securityfocus.com
Subject: Re: Policy enforcement- Admin accounts

Sadly with AD you can only have one account security policy per domain.
You would need to make a second domain in your forest and move your
admin accounts there. Also remember the actual Administrator account
CANNOT be locked out.

On Dec 15, 2007 11:32 AM, WALI <hkhasgiwale@gmail.com> wrote:
In an active directory environment (windows 2003), I want to ensure 
lockout for administrator accounts also, in order to protect against 
attempts to brute force account password. The flipside is, we might 
have a DoS situation but I can live with it. Is there a tool I can 
deploy to ensure that admin account also locks out after certain no.
of attempts?

Also, ONLY for admin accounts, I want to enforce certain settings
like:
Password should contain at least 15 characters, should not contain a 
dictionary word etc.
My normal password policy for AD user accounts, set at the domain 
level is a minimum of 8 chars but I want to deploy this special policy
of 15 chars minimum for admin accounts.

How should I go about this?


