How to set a SINGLE domain account to never lock out?

Discussion in 'Active Directory' started by momo, Oct 30, 2007.

  1. momo

    momo Guest

    Hello,
    How to set a SINGLE domain account to never lock out?

    I know how to set this globally using Group Policy:
    Computer Configuration
    Windows Settings
    Security Settings
    Account Policies
    Account Lockout Policy. And set threshold = 0.

    Thank you.
     
    momo, Oct 30, 2007
    #1

  2. Jorge de Almeida Pinto [MVP - DS], Oct 30, 2007
    #2

  3. momo

    momo Guest

    This is exclusively a production domain. This account is a service account
    for a production application. For compliance reasons passwords must be
    changed every thirty days and we recently changed the account password. We
    have people working from several different cities/states and someone keeps
    trying to log on to the domain client using this account with an old
    password, hence locking out the account. When the account is locked out the
    production application stops.

    Thank you.
     
    momo, Oct 30, 2007
    #3
  4. If the account would never lock out, it could also be misused by someone else
    that WANTS to misuse it. How would YOU know the difference?

    For example, you could also do the following:
    For each service account have TWO,
    for example SVC1 and SVC2, and both have the same group memberships.
    App uses SVC1 and SVC2 is disabled.
    Reset the PWD of SVC2 and enable it.
    Within, let's say, a week, configure the app to start using SVC2. After a week
    just disable SVC1. All the apps that stop working change to SVC1. To prevent
    the solve by error, document how a service account is used and by what app.

    just a suggestion

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Windows Server - Directory Services

    BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
     
    Jorge de Almeida Pinto [MVP - DS], Oct 30, 2007
    #4
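
The two-account swap described in post #4, as an added PowerShell example (not code from any poster in this thread). It assumes the ActiveDirectory module is installed; SVC1 and SVC2 are the names used in the post, while the function names and the -Phase parameter are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example. SVC1/SVC2 are the account names used in the post; the function
# names and the -Phase parameter are hypothetical.

function Get-MembershipGap {
    # Groups that one account has and the other lacks (MemberOf omits the primary group).
    param([string]$Active, [string]$Standby)
    $a = @((Get-ADUser -Identity $Active  -Properties MemberOf).MemberOf)
    $s = @((Get-ADUser -Identity $Standby -Properties MemberOf).MemberOf)
    $a | Where-Object { $s -notcontains $_ } |
        ForEach-Object { [pscustomobject]@{ Group = $_; MissingFrom = $Standby } }
    $s | Where-Object { $a -notcontains $_ } |
        ForEach-Object { [pscustomobject]@{ Group = $_; MissingFrom = $Active } }
}

function Invoke-ServiceAccountSwap {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('Prepare', 'Retire')][string]$Phase,
        [string]$Active  = 'SVC1',   # account the application uses today
        [string]$Standby = 'SVC2'    # disabled twin that takes over
    )
    switch ($Phase) {
        'Prepare' {
            # Refuse to continue if the two accounts do not have the same group memberships.
            $gap = @(Get-MembershipGap -Active $Active -Standby $Standby)
            if ($gap.Count) {
                $gap | Format-Table | Out-String | Write-Warning
                throw 'Group memberships differ; align them before the swap.'
            }
            $pw = Read-Host -AsSecureString -Prompt "New password for $Standby"
            if ($PSCmdlet.ShouldProcess($Standby, 'Reset password and enable')) {
                Set-ADAccountPassword -Identity $Standby -Reset -NewPassword $pw
                Enable-ADAccount -Identity $Standby
            }
        }
        'Retire' {
            # Run after the application has been reconfigured to use the standby account.
            $u = Get-ADUser -Identity $Standby -Properties Enabled, LockedOut
            if (-not $u.Enabled -or $u.LockedOut) {
                throw "$Standby is disabled or locked out; keep $Active enabled."
            }
            if ($PSCmdlet.ShouldProcess($Active, 'Disable old service account')) {
                Disable-ADAccount -Identity $Active
            }
        }
    }
}
```

Running either phase with `-WhatIf` shows which account would be changed without touching the directory.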
  5. Joe Kaplan

    Joe Kaplan Guest

    This problem is solved by the new Fine Grained Password Policy feature in
    Win2K8 AD, but for now there is only one password policy per domain.

    Sorry.

    Joe K.
     
    Joe Kaplan, Oct 30, 2007
    #5
  6. Jorge Silva

    Jorge Silva Guest

    Hi
    Documentation and synchronization between processes may help to reduce the
    risks.

    --

    ===================================
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
    ===================================
     
    Jorge Silva, Oct 30, 2007
    #6
  7. DevilsPGD

    DevilsPGD Guest

    In message <#> "Jorge de Almeida
    Pinto [MVP - DS]"
    In short, account lockouts are a fantastic denial of service attack and
    should be used sparingly unless absolutely needed.
     
    DevilsPGD, Oct 31, 2007
    #7
