
Account lockout without locking out the domain 2


bdoub1eu (IS-IT--Management), Dec 10, 2003
I need some clarification about this...

We currently have Two user OU's and One computer OU.

Users1
Users2
Computers

I applied an account lockout to the computers OU since it is a computer-based policy and it works. Problem is that since it is a computer-based policy, I can't exclude the domain admins from getting their accounts locked out.

First question...Should I have applied the "default domain policy" to the entire domain for account lockout, or is it okay to apply it to just the computers OU?

Second question...How do I exclude the domain admin accounts from getting locked out too if it is a computer based policy...

Thanks!
 
Sorry, trying to understand this...

Here's what I did:

I created a new Group Policy at the Domain Level and called it Domain Security Policy. In that policy I changed the account lockout to 5 attempts and that the admin would have to reset it. Authenticated users is checked and it appears to be working since I can use a test user and lock it out after 5 failed attempts.

I also created another OU called domain admins and placed the test user and computer in that OU and under the Group Policy tab, I chose to block inheritance.

When I run gpupdate /force on my machine, I see that I am not getting the Domain Policy that I created above at the domain level, yet I can still lock out that account. Under gpresult, I see that my userid and computer aren't getting any group policy....

I guess this is why I was wondering if you could not block inheritance from the domain level GP, since it doesn't seem to be allowing me to exclude this user from getting the account locked out. I'm just trying to figure out a way to not have the domain admins locked out...In theory, I should be able to place them in a separate OU and block inheritance and not get the account lockout policy from the domain level GP, right?

Thanks guys!
 
Somebody mentioned above to NOT MESS WITH THE DEFAULT DOMAIN POLICY! But if I am trying to set security like passwords/account lockout, don't I have to use this default policy that was already created?
 
Wow, this seems to be harder to explain than I have ever seen before.

I'm not looking to backpedal on you here, but if you refer back to my original post I said

The only settings you will want to put in there will be password related and they will apply to everyone.

So if you are setting the account lockout then that gets configured in the Default Domain Policy. Again, just to be clear, these are the only settings that you SHOULD be messing with in that policy. Don't add IE configs or restrict control panel, nothing but the basic security stuff.

The password complexity settings, password length, password history, lockout time, number of failed attempts, etc are all configured in the Default Domain Policy and are totally ignored in any other GPO.

Koonan, for the sake of clarity, can I ask you to refrain from using the term "local users" since that really refers to IDs created within the local SAM database on a member server or workstation. I am following the intent of what you are saying but I think bdoub1eu is confused enough. ;-)

I hope you find this post helpful.

Regards,

Mark
 
There is a general practice not to modify any of the Default GPOs. The reason for this is that GPOs can become corrupt. These GPOs can be fixed using dcgpofix.exe, but it will reset the values in these GPOs back to their original state, losing any settings you may have made.


I'm glad you did some testing on your Security Policy question. The reason it didn't work is because the Domain Security Policy is also applied to your DCs. For Domain Users, it's the DCs that enforce these settings. So it doesn't matter if you Block Inheritance on sub-OUs.
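The two replies above make the same point: the lockout and password values live on the domain itself and are enforced by the domain controllers, so what you put in an OU-linked GPO, or block from reaching an OU, changes nothing for domain accounts. The following PowerShell is an added example, not something posted in the thread; it reads the effective domain-wide policy from both the policy cmdlet and the raw attributes on the domain head, then shows the lockout state that the test user in the thread would have reached and the administrator unlock. It assumes the RSAT ActiveDirectory module, rights to read the domain, and a sample account name `testuser` that is not given in the thread.

```powershell
# Added example (not from the thread). Assumes RSAT ActiveDirectory module and
# read access to the domain; 'testuser' is an assumed sample account name.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. The effective domain-wide policy. Every DC enforces this for every domain
#    user, regardless of which OU the user or the workstation sits in.
Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow,
                  MinPasswordLength, PasswordHistoryCount, ComplexityEnabled

# 2. The same values as raw attributes on the domain naming-context head.
#    They are written there by the GPO linked at the domain level (normally the
#    Default Domain Policy). "Block Inheritance" on an OU never touches them.
#    Durations are stored as negative 100-nanosecond intervals; the
#    "until an administrator unlocks" choice is stored as the most negative Int64.
Get-ADObject -Identity $domain.DistinguishedName `
    -Properties lockoutThreshold, lockoutDuration, lockOutObservationWindow |
    Select-Object lockoutThreshold,
        @{ n = 'lockoutDurationMinutes'; e = {
            if ($_.lockoutDuration -eq [long]::MinValue -or $_.lockoutDuration -eq 0) {
                'until an administrator unlocks'
            } else {
                [math]::Abs($_.lockoutDuration) / 600000000
            } } },
        @{ n = 'observationWindowMinutes'; e = {
            [math]::Abs($_.lockOutObservationWindow) / 600000000 } }

# 3. Who is locked out right now.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate

# 4. badPwdCount is not replicated, so ask every DC rather than only the one
#    your session happens to be bound to; the lockout itself replicates urgently.
$user = 'testuser'   # assumption: the thread does not name the test account
foreach ($dc in Get-ADDomainController -Filter *) {
    Get-ADUser -Identity $user -Server $dc.HostName `
        -Properties badPwdCount, LastBadPasswordAttempt, LockedOut |
        Select-Object @{ n = 'DC'; e = { $dc.HostName } },
                      badPwdCount, LastBadPasswordAttempt, LockedOut
}

# 5. With lockout duration set to "administrator must unlock" (the setting the
#    thread chose), this is the reset the admin has to perform.
Unlock-ADAccount -Identity $user
```

Step 2 is the check to run when a blocked-inheritance OU seems to "ignore" the policy: the attributes on the domain head are what the DC consults at logon, and gpresult on a workstation tells you nothing about them.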
 
Local users is what I'm talking about. I'm sorry you don't understand.
 
I do understand the concept. Wording was giving me some trouble.

Just can't figure out why it won't work for me. All I wanted to do was create an account lockout for all the machines but somehow keep from locking out our domain admins, because if an account lockout is in place, some nifty user could sign in as us and lock our accounts, right?

Okay, so you're saying the domain security cannot be blocked by inheritance because it is being applied to the DC's? Above, Koonan states:

2) Will blocking the Default Domain Policy on a OU block the Domain Security Policy, No. Because the Domain Security Policy is applied to the DCs not to Users or their Workstation.

So is this where the article about blocking inheritance on the DC's comes into play? Is that the only way I can keep the domain admins accounts from being locked out?
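Blocking inheritance on the Domain Controllers OU is not the answer either, since the DCs would then stop enforcing the policy for everyone. The mechanism that does give a different lockout policy to a specific group is the fine-grained password policy (a password settings object, or PSO), which post-dates this 2003 thread: it requires a domain functional level of Windows Server 2008 or later. The PowerShell below is an added example, not from the thread; the policy name, values and the sample admin account `jdoe.admin` are assumptions. It deliberately does not set the threshold to 0 (no lockout at all), because an admin account that can never lock out is a standing brute-force target; raising the threshold and letting the account unlock itself after a short window addresses the deliberate-lockout nuisance the post worries about while keeping online guessing expensive.

```powershell
# Added example (not from the thread). Requires domain functional level
# Windows Server 2008 or later and the RSAT ActiveDirectory module.
# $psoName, the numeric values and $adminSam are assumptions for illustration.
Import-Module ActiveDirectory

$psoName  = 'PSO-PrivilegedAccounts'
$adminSam = 'jdoe.admin'

# A PSO overrides the Default Domain Policy for the users and groups it is
# applied to; lower Precedence wins if a user falls under several PSOs.
# Observation window must not exceed lockout duration.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -LockoutThreshold 25 `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -MinPasswordLength 20 `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false

# Apply it to the group, not to individual accounts, so new admins inherit it.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# Confirm which policy actually governs the admin account: the resultant PSO,
# not the domain default, is what the DCs will enforce for this user.
Get-ADUserResultantPasswordPolicy -Identity $adminSam |
    Select-Object Name, Precedence, LockoutThreshold, LockoutDuration,
                  LockoutObservationWindow
```

Keep at least one break-glass account outside the day-to-day admin group with its own PSO and a long random password, so that a lockout wave against known admin names cannot leave nobody able to log on.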
 