Re: Domain Admin account and lockout Policy
- From: Meinolf Weber <meiweb(nospam)@gmx.de>
- Date: Wed, 16 Apr 2008 11:54:28 +0000 (UTC)
Hello vdz,
The only way is to use a third-party tool like:
http://esj.com/product_news/article.aspx?EditorialsID=1111
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hi Bruce
Thanks a lot for your info. That really makes sense. So there is no
way to achieve this goal unless we upgrade to Windows 2008 Server.
Regards
"Bruce Sanderson" wrote:
The Account Policy in the Default Domain Policy is applied to all
domain user accounts by the Domain Controllers. There is no way to
have different account policies for different domain user accounts,
since the Domain Controllers can apply only one set of account
policies.
You can apply different account policies to domain member computers,
but those will only have an effect on local user accounts on those
computers - domain user accounts will not be affected.
This is explained in the (Windows Server 2003) GPMC Help, Help
Topics, Group Policy Management, Concepts, Group Policy Object Editor
Extensions, Security Settings; click on Security Settings
Descriptions, Account Policies, or see
http://technet2.microsoft.com/windowsserver/en/library/ea8d5585-1b64-44d7-8077-b7721247eca31033.mspx?mfr=true.
Here's a quote:
"For domain accounts, the account policy must be defined in the
Default Domain Policy Group Policy object (GPO) or in a new GPO that
is linked to the root of the domain and given precedence over the
Default Domain Policy GPO, which is enforced by the domain
controllers that make up the domain. If more than one GPO containing
account policy settings is linked at the domain level, the domain's
account policy consists of the cumulative policy settings from all
the domain-linked GPOs.
A domain controller always obtains the account policy from a GPO
linked to the domain, which by default is the Default Domain Policy
GPO. This behavior occurs even if a different account policy is
applied to the organizational unit (OU) that contains the domain
controller. By default, workstations and servers joined to a domain
(such as member computers) also receive the same account policy for
their local accounts. However, local account policies for member
computers can be differentiated from the domain account policy by
defining an account policy for the OU that contains the member
computers."
-------------------------------------
In domains that are at the Windows Server 2008 functional level
(Domain Controllers are Windows Server 2008), it is possible to have
different account policies for different user accounts - that's an
enhancement implemented in Windows Server 2008 Active Directory that
is NOT available in Windows Server 2003 (RTM or R2) - see
http://technet2.microsoft.com/windowsserver2008/en/library/bab0f1a1-54aa-4cef-9164-139e8bcc44751033.mspx?mfr=true.
--
Bruce Sanderson
http://members.shaw.ca/bsanders
It is perfectly useless to know the right answer to the wrong
question.
"vdz" <vdz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:45AEE07A-1D0C-49CF-9295-16ACDB800538@xxxxxxxxxxxxxxxx
Hi all
Currently we have this policy in place at domain level. For a special
reason, I need to exclude Domain Admin account from Lockout policy. What I
did was that I tick "deny" option from Default GPO - security tab. However
Domain Admin still gets locked out.
What have I missed here? It shouldn't be inherited once I deny.
Any help would be much appreciated
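
Added example, not part of the original thread: a read-only PowerShell check that reports which lockout settings actually apply to each Domain Admins member, the single domain account policy or a Windows Server 2008 fine-grained password policy (PSO), as described in the quoted reply above. It assumes the ActiveDirectory module (RSAT, which shipped after this thread was written), read access to the domain, and the default English group name "Domain Admins".

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module is
# installed and the group is named 'Domain Admins' (the English default).
Import-Module ActiveDirectory

# The one account policy the domain controllers enforce for domain accounts,
# taken from the GPOs linked at the domain root.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy

# Leaf user members of Domain Admins, including members of nested groups.
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($admin in $admins) {
    # Returns the winning PSO for this user, or nothing when no PSO applies
    # (always nothing below the Windows Server 2008 domain functional level).
    $pso = Get-ADUserResultantPasswordPolicy -Identity $admin.SamAccountName

    if ($pso) {
        $source    = "PSO: $($pso.Name) (precedence $($pso.Precedence))"
        $effective = $pso
    }
    else {
        $source    = 'Domain account policy'
        $effective = $domainPolicy
    }

    [pscustomobject]@{
        Account           = $admin.SamAccountName
        PolicySource      = $source
        LockoutThreshold  = $effective.LockoutThreshold
        LockoutDuration   = $effective.LockoutDuration
        ObservationWindow = $effective.LockoutObservationWindow
        # A threshold of 0 means the account is never locked out.
        NeverLocksOut     = ($effective.LockoutThreshold -eq 0)
    }
}

$report | Sort-Object Account | Format-Table -AutoSize
```

Rows whose PolicySource is the domain account policy confirm the behaviour described in the thread: GPO security filtering does not change which lockout settings a domain account receives.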