How to exclude ADAM user from AD domain lockout policy?

Discussion in 'Active Directory' started by Jims, Feb 10, 2006.

  1. Jims (Guest)

    Is there any way to exclude individual ADAM user class accounts from the AD
    domain account lockout policy? Can this be accomplished on a per user basis
    or would we need to exclude the ADAM server from the Active Directory domain
    group policy?
    Thanks,
    Jim
     
    Jims, Feb 10, 2006
    #1

  2. Lee Flight (Guest)

    Hi

    AFAIK the only component of password policy that can be suspended per
    user is account expiry (msDS-UserDontExpirePassword, very useful
    if you have long-lived service accounts for which you can set complex
    passwords).

    Beyond that you can exclude the ADAM instance from all password policy
    (ADAMDisablePasswordPolicies in the "configurable setting" submenu in
    dsmgmt).

    Another possibility is that you set the password policy in the local
    security policy of the ADAM instance server to the values you want, but
    those will only be used if the server is not getting domain policy.

    Lee Flight
     
    Lee Flight, Feb 10, 2006
    #2

  3. Jims (Guest)

    For the time being we have added our ADAM servers to a new OU and created a
    GPO with a lockout setting of 999 attempts in 1 minute. The GPO is applied
    after the domain GPO, so this resolves our highest priority issue of critical
    service accounts getting locked out due to admin error. Unfortunately it
    means that all user class accounts cannot be locked out in the case of
    malicious login attempts. We're still looking for a better solution and
    will post any new findings. Lee - I will take a look at the dsmgmt options
    as well - thanks.
    Jim
     
    Jims, Feb 10, 2006
    #3
  4. Lee Flight (Guest)

    Hi

    I had never tried setting the account lockout at the OU as that applies
    only to local accounts on the computer in the OU right? So you are
    saying that means ADAM accounts in this case...I'll give it a try.

    FWIW I have been leaning toward the idea that a dedicated
    (user) objectclass would be useful for certain roles e.g. native ADAM
    administrators and some service accounts.

    Thanks,
    Lee Flight
     
    Lee Flight, Feb 11, 2006
    #4
  5. Lee Flight (Guest)

    Thinking about this a little further, if the lockout policy at
    the OU level does the trick I would not be too worried
    about the lack of lockout for other accounts, as deliberately
    locking out the accounts as a DoS attack is probably just as
    bad, and if you are logging login failures in your security
    policy these attacks should be detectable. Having a good
    password complexity/history regime would mitigate my
    concern over lack of lockout further.

    Lee Flight
     
    Lee Flight, Feb 11, 2006
    #5
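The trade-off discussed in posts #3 and #5 (a blanket 999-attempts-per-minute lockout policy for the ADAM OU versus per-account exemptions plus detection from the audit log) can be made concrete with a small simulation. The following is an added example written for this page, not code posted by Jims or Lee Flight and not a Microsoft tool. It models the AD lockout counter the way badPwdCount/badPasswordTime behave (the counter resets only when the gap since the last bad password exceeds the observation window), applies a hypothetical per-account exemption list that AD itself does not offer, and runs both the normal domain policy and the 999-in-1-minute OU policy over constructed Windows 2003-style failed-logon lines (event 529). Account names, workstation names and the log format are assumptions for the example.

```python
"""Simulate AD account-lockout evaluation over failed-logon audit lines.

Added example for this thread, not code from the original posts.
The log lines below are constructed; event 529 = logon failure, bad password.
Line format (assumed): <date> <time> <event id> <target account> <source host>
"""
from collections import defaultdict

SAMPLE_LOG = """\
2006-02-10 09:00:01 529 jsmith WS-101
2006-02-10 09:00:05 529 jsmith WS-101
2006-02-10 09:00:09 529 jsmith WS-101
2006-02-10 09:00:12 529 jsmith WS-101
2006-02-10 09:00:20 529 jsmith WS-101
2006-02-10 09:00:21 529 svc-ldapsync APPSRV-1
2006-02-10 09:00:22 529 svc-ldapsync APPSRV-1
2006-02-10 09:00:23 529 svc-ldapsync APPSRV-1
2006-02-10 09:00:24 529 svc-ldapsync APPSRV-1
2006-02-10 09:00:25 529 svc-ldapsync APPSRV-1
2006-02-10 09:00:26 529 svc-ldapsync APPSRV-1
2006-02-10 09:45:00 529 bjones WS-220
2006-02-10 10:30:00 529 bjones WS-220
"""


def parse_events(text):
    """Return a time-sorted list of (timestamp, account, source) for event 529 lines."""
    from datetime import datetime
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, event_id, account, source = line.split()
        if event_id != "529":
            continue
        ts = datetime.fromisoformat(f"{date} {time}")
        events.append((ts, account.lower(), source))
    return sorted(events)


def evaluate_lockouts(events, threshold, window_minutes):
    """Return {account: first timestamp at which the lockout threshold was reached}.

    Mirrors the AD counter: badPwdCount grows with each failure and is reset
    to zero only when a new failure arrives more than the observation window
    after the previous one. threshold == 0 means lockout is disabled.
    """
    from datetime import timedelta
    window = timedelta(minutes=window_minutes)
    count = defaultdict(int)
    last_failure = {}
    tripped = {}
    for ts, account, _src in events:
        if account in tripped:
            continue
        if account in last_failure and ts - last_failure[account] > window:
            count[account] = 0          # observation window elapsed: counter resets
        count[account] += 1
        last_failure[account] = ts
        if threshold and count[account] >= threshold:
            tripped[account] = ts
    return tripped


def apply_policy(events, threshold, window_minutes, exempt):
    """Split threshold hits into lockouts the policy would impose and alerts.

    `exempt` is a hypothetical per-account exemption (AD has no such setting;
    the thread's OU-level GPO exempts every account on the server instead).
    Exempt accounts never lock, but still appear in `alerts`, which is the
    log-based detection post #5 relies on.
    """
    tripped = evaluate_lockouts(events, threshold, window_minutes)
    exempt_lower = {a.lower() for a in exempt}
    locked = {a: ts.isoformat() for a, ts in tripped.items() if a not in exempt_lower}
    alerts = {a: ts.isoformat() for a, ts in tripped.items()}
    return locked, alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    # Domain-style policy: 5 bad passwords within a 30-minute observation window.
    print("domain policy:", apply_policy(evs, 5, 30, {"svc-ldapsync"}))
    # The thread's OU override: 999 attempts in 1 minute, i.e. effectively never.
    print("OU override:  ", apply_policy(evs, 999, 1, set()))
```

Under the domain-style policy the simulation locks jsmith at 09:00:20 and raises alerts for both jsmith and svc-ldapsync, while the exempted service account stays usable; bjones, with two failures 45 minutes apart, never reaches the threshold because the counter reset in between. Under the 999-in-1-minute override nothing locks and nothing trips, which is exactly why the detection side (the alerts dictionary, fed from the logged failures) has to carry the load once lockout is effectively disabled.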
