Exclude Admin account from Account Locked out policy

Discussion in 'Active Directory' started by RayRogers, Dec 11, 2008.

  1. RayRogers

    RayRogers Guest

    Hello,

    I have a Windows 2003 domain. I have domain policies applied at the domain level,
    such as the lockout policy. There are a few accounts that have domain admin rights. How
    do I exclude these admin accounts from the account lockout policy or other
    domain policies? Thanks for the help.
     
    RayRogers, Dec 11, 2008
    #1

  2. Jorge Silva

    Jorge Silva Guest

    Hi
    Create a new policy (do not use the domain policy for this).
    In the GPO properties select deny read and apply GPO to members of that
    group.

    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services

    Please no e-mails, any questions should be posted in the NewsGroup
    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Jorge Silva, Dec 11, 2008
    #2

  3. RayRogers

    RayRogers Guest

    Hi, Jorge: Can you be specific on how to apply that Deny option? Admin is in the
    default user group currently. Can we use the block policy inheritance option?
    Thanks!
     
    RayRogers, Dec 11, 2008
    #3
  4. Jorge de Almeida Pinto [MVP - DS]

    The current domain policy settings are configured in the computer part of it,
    and therefore these apply to DCs when they "evaluate accounts" to change
    the password or to lock out. You can have ONLY ONE password and account
    lockout policy in ANY AD domain! Windows Server 2008 introduces multiple
    password and account lockout policies through PSOs when the DFL is at least
    W2K8.

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

    BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
     
    Jorge de Almeida Pinto [MVP - DS], Dec 12, 2008
    #4
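    Added example, not from the thread or its posters: on a domain whose functional level is at least Windows Server 2008, a fine-grained password policy (PSO) is the supported way to give one group its own password and lockout settings. This script uses the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and RSAT) to create a PSO for Domain Admins and then report the resultant policy for each member. The PSO name and every numeric value are assumptions chosen for the example; the settings are stricter than a typical default, not looser, which is the direction later replies in the thread argue for.

```powershell
# Added example: give Domain Admins their own (stricter) lockout policy via a PSO.
# Requires the ActiveDirectory module (RSAT / Windows Server 2008 R2 or later)
# and a domain functional level of at least Windows Server 2008.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$minMode = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt $minMode) {
    throw "PSOs need DFL Windows Server 2008 or higher; current DFL: $($domain.DomainMode)"
}

# PSO name and values are assumptions for this example, not from the thread.
$psoName = 'PSO-DomainAdmins-Strict'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -LockoutThreshold 5 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -MinPasswordLength 15 `
        -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 60) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false
}

# A PSO is applied to users or global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# Verify which policy actually wins for every (nested) member of Domain Admins.
# If no PSO applies, the domain-level policy from the domain partition is used.
$defaultPolicy = Get-ADDefaultDomainPasswordPolicy
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $rsop = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        New-Object PSObject -Property @{
            User             = $_.SamAccountName
            Policy           = if ($rsop) { $rsop.Name } else { 'Default Domain Policy' }
            LockoutThreshold = if ($rsop) { $rsop.LockoutThreshold } else { $defaultPolicy.LockoutThreshold }
        }
    } | Format-Table User, Policy, LockoutThreshold -AutoSize
```

    A lower Precedence value wins when several PSOs apply to the same user, so keep the admin PSO at a lower number than any broader PSO. The built-in Administrator account is a member of Domain Admins and therefore gets this PSO too; the PSO changes its thresholds, not the special unlock behaviour the later posts describe.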
  5. Jorge de Almeida Pinto [MVP - DS], Dec 12, 2008
    #5
  6. Paul Bergson

    Paul Bergson Guest

    The domain policy is the only place you can apply this value in order for it to be
    applied. If you start messing around with this you are just asking for
    trouble. I would expect your domain admins to have a higher level of
    security requirements, not lower; you shouldn't work to lower their level of
    security. This is a really bad idea and one I would highly discourage.
    The administrator account itself will never lock out.
     
    Paul Bergson, Dec 12, 2008
    #6
  7. RayRogers

    RayRogers Guest

    Hi Paul:

    It seems the default admin account never gets locked out. Will the admin accounts we
    created be locked out? It seems this happens.

    Thanks.
     
    RayRogers, Dec 12, 2008
    #7
  8. Jorge de Almeida Pinto [MVP - DS], Dec 13, 2008
    #8
  9. Jorge de Almeida Pinto [MVP - DS], Dec 13, 2008
    #9
  10. Jorge Silva

    Jorge Silva Guest

    I forgot that you're talking about password policy. In fact (as Jorge said)
    you can only have 1 password policy per domain if you're not using 2008; the
    Administrator account in fact locks, but the system unlocks that account
    automatically...

    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services

    Please no e-mails, any questions should be posted in the NewsGroup
    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Jorge Silva, Dec 14, 2008
    #10
  11. Paul Bergson

    Paul Bergson Guest

    Curious tidbit of info. Didn't know that. The end effect is, it doesn't
    require unlocking.

     
    Paul Bergson, Dec 15, 2008
    #11
  12. Paul Bergson

    Paul Bergson Guest

    The Administrator account will not lock out (unless you read Jorge's
    article, but the net effect is it doesn't really block you from logging on), but
    other domain admin accounts will lock out.
     
    Paul Bergson, Dec 15, 2008
    #12
  13. RayRogers

    RayRogers Guest

    So non-default administrator accounts can be locked out, right?
    And the following method will not work:
    Create an OU and just set it to block policy inheritance. Make sure the
    domain-level policy is not set to No Override. Using this, the new OU doesn't
    have any policy applied.

    Thanks for clarification.
     
    RayRogers, Dec 15, 2008
    #13
  14. Jorge de Almeida Pinto [MVP - DS], Dec 15, 2008
    #14
  15. Jorge de Almeida Pinto [MVP - DS]

    Password and account lockout policies are in the COMPUTER part of a GPO, so
    that means that ONLY computers can process those settings. With computers
    that means DCs/servers/clients.
    When applied by servers/clients, it will affect the local accounts on
    those servers or clients.
    When applied by DCs, it will affect the domain accounts in the AD domain.

    So when configuring a GPO with the "password and account lockout policies"
    settings and linking that GPO to an OU, AND if that OU contains computers,
    the computers will process the settings and it will affect the accounts on
    those computers.

    The password and account lockout policy settings are processed by the PDC
    FSMO, which will write the data into attributes on the domain partition. That
    replicates to other DCs, and those DCs use that information to enforce those
    settings on domain user accounts.

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

    BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always test ANY suggestion in a test environment before implementing!

     
    Jorge de Almeida Pinto [MVP - DS], Dec 16, 2008
    #15
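    Added example, not code from the thread or its posters: the post above says the PDC emulator writes the domain-wide password and lockout settings into attributes on the domain partition, and that every DC enforces them on every domain account. This script reads those attributes directly (the attribute names are the real schema names on the domain naming context), decodes the 100-nanosecond-interval durations, compares them with what Get-ADDefaultDomainPasswordPolicy reports, and then, since privileged accounts cannot be exempted from the domain-level policy, lists any Domain Admins members that are currently locked out so they can be investigated rather than silently ignored. It assumes the ActiveDirectory module and a group named 'Domain Admins'.

```powershell
# Added example: inspect the domain-level policy attributes and watch admins for lockouts.
Import-Module ActiveDirectory

$domain = Get-ADDomain
"PDC emulator (the DC that processes the policy GPO): $($domain.PDCEmulator)"

# The domain-level policy lives as attributes on the domain naming context object.
$attrs = 'lockoutThreshold', 'lockoutDuration', 'lockOutObservationWindow',
         'maxPwdAge', 'minPwdAge', 'minPwdLength', 'pwdHistoryLength', 'pwdProperties'
$nc = Get-ADObject -Identity $domain.DistinguishedName -Properties $attrs

# Durations are stored as negative counts of 100-nanosecond intervals;
# Int64.MinValue means "never" (for example a lockout that lasts until an admin unlocks).
function ConvertFrom-ADInterval([long]$Value) {
    if ($Value -eq [long]::MinValue -or $Value -eq 0) { return 'never / not set' }
    return [TimeSpan]::FromTicks(-$Value)
}

New-Object PSObject -Property @{
    LockoutThreshold  = $nc.lockoutThreshold
    LockoutDuration   = ConvertFrom-ADInterval $nc.lockoutDuration
    ObservationWindow = ConvertFrom-ADInterval $nc.lockOutObservationWindow
    MaxPasswordAge    = ConvertFrom-ADInterval $nc.maxPwdAge
    MinPasswordAge    = ConvertFrom-ADInterval $nc.minPwdAge
    MinPasswordLength = $nc.minPwdLength
    HistoryLength     = $nc.pwdHistoryLength
    ComplexityEnabled = [bool]($nc.pwdProperties -band 1)   # DOMAIN_PASSWORD_COMPLEX bit
} | Format-List

# The same values as the module presents them (it reads the same attributes).
Get-ADDefaultDomainPasswordPolicy |
    Format-List LockoutThreshold, LockoutDuration, LockoutObservationWindow,
                MaxPasswordAge, MinPasswordLength, PasswordHistoryCount

# The domain policy applies to every domain account, so instead of exempting
# privileged accounts, detect when they are locked out (a lockout on an admin
# account is worth investigating: typo, stale credential, or a password-guessing attempt).
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
          Where-Object { $_.objectClass -eq 'user' } |
          ForEach-Object { $_.SamAccountName }

Search-ADAccount -LockedOut -UsersOnly |
    Where-Object { $admins -contains $_.SamAccountName } |
    Select-Object SamAccountName, LockedOut, LastLogonDate
```

    The attribute read and the cmdlet output should agree on every DC once replication has converged; a mismatch between DCs, or a value that differs from what the Default Domain Policy GPO specifies, points at a replication or GPO-processing problem on the PDC emulator rather than at the policy itself.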
  16. Also see:
    http://blogs.dirteam.com/blogs/jorg...rver-2008-fine-grained-password-policies.aspx

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

    BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always test ANY suggestion in a test environment before implementing!

     
    Jorge de Almeida Pinto [MVP - DS], Dec 16, 2008
    #16
  17. Ray

    Ray Guest

    Thanks!

     
    Ray, Dec 17, 2008
    #17