Re: Domain Admin Account locked
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 03/06/04
- Previous message: Xylos: "Domain Admin Account locked"
- In reply to: Xylos: "Domain Admin Account locked"
- Next in thread: Xylos: "Re: Domain Admin Account locked"
- Reply: Xylos: "Re: Domain Admin Account locked"
Date: Sat, 06 Mar 2004 22:30:09 GMT
Are you sure it is the built-in administrator account that is being locked out and
not an account renamed administrator? On a domain controller, run the psgetsid
utility from SysInternals, as in "psgetsid administrator"; the last three numbers
after the hyphen must be 500 or it is not the built-in administrator account. You
can use the user right assignments for "deny access to this computer from the network"
and "deny logon locally" to prevent lockouts to an account on specific computers or
groups of computers that may be the targets of these attacks. Terminal Services
requires logon locally.

You might also want to see if you can better configure your firewall. For instance,
try to control access to port 3389 from just specific authorized IP addresses instead
of any address. Another possibility is to use a VPN connection with L2TP for access
to Terminal Services, because L2TP requires trusted machine certificates to gain
access to your network. Just keep in mind that L2TP will not work through most NAT
firewalls, though there is an available NAT-T upgrade that will.

-- Steve
http://www.sysinternals.com/ntw2k/freeware/psgetsid.shtml
"Xylos" <rjver@NOSSPAAMwordlonline.fr> wrote in message
news:eNkfLF7AEHA.444@TK2MSFTNGP11.phx.gbl...
> Hi group,
> I've already posted a couple of days ago
> (now I am crossposting, to make the audience bigger).
>
> So here is the issue:
>
> My domain admin account is sensitive to lockout,
> but it should not be. By default lockout policy does not apply to admin.
> The tool "passprop" indicates that "the domain admin account may not be
> locked out".
> What's going on? Is a security update generating this behavior?
> The problem is that the admin account may be locked
> from the outside world to make DOS attacks
> (from Terminal Services).
> One solution of course is renaming the admin account,
> but I prefer not, or not using admin at all.
> But the best would be to enable a policy that applies
> to the TS computer that disables lockouts; unfortunately
> I was told one day that lockout, Kerberos, password policies are domain wide
> and enforced at domain level only.
>
> But I'm sure there is a way to make the admin account not
> subject to lockout.
> Well, maybe I should call Microsoft Support.
>
> Thank you if you have any idea.
>
>
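The RID check described in the reply above, as an added example that is not part of the original thread: it uses the .NET System.Security.Principal classes instead of psgetsid, and also reports which account in the same domain actually holds RID 500, whatever it has been renamed to. The function name Get-AccountRidInfo is hypothetical.

```powershell
# Added example (not from the thread). Get-AccountRidInfo is a hypothetical name.
# Resolves an account name to its SID, reports whether its RID is 500 (the
# built-in administrator), and looks up the real name of the RID-500 account.
function Get-AccountRidInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$AccountName
    )

    $account = New-Object System.Security.Principal.NTAccount($AccountName)
    try {
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        throw "Account '$AccountName' could not be resolved to a SID."
    }

    # The RID is the last sub-authority of the SID string (S-1-5-21-...-<RID>).
    $rid = [uint32]($sid.Value.Split('-')[-1])
    $adminType = [System.Security.Principal.WellKnownSidType]::AccountAdministratorSid

    # AccountDomainSid is $null for SIDs that are not domain/machine accounts
    # (for example BUILTIN groups), so only build the RID-500 SID when it exists.
    $rid500Name = $null
    if ($sid.AccountDomainSid) {
        $adminSid = New-Object System.Security.Principal.SecurityIdentifier(
            $adminType, $sid.AccountDomainSid)
        try {
            $rid500Name = $adminSid.Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            $rid500Name = '<unresolved>'
        }
    }

    [pscustomobject]@{
        Queried          = $AccountName
        Sid              = $sid.Value
        Rid              = $rid
        IsBuiltinAdmin   = $sid.IsWellKnown($adminType)
        Rid500AccountIs  = $rid500Name
    }
}

# Run on a domain controller or domain member; the name is the one being locked out.
Get-AccountRidInfo -AccountName 'administrator' | Format-List
```

If IsBuiltinAdmin is False, the account named "administrator" is a renamed or decoy account, and Rid500AccountIs shows the current name of the real built-in account.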