Re: Domain Admin Account locked
From: Xylos (rjver_at_NOSSPAAMwordlonline.fr)
Date: 03/10/04
- Next message: Ricardo M. Urbano - W2K/NT4 MVP: "Re: Domain login and workgroup login"
- Previous message: Ricardo M. Urbano - W2K/NT4 MVP: "Re: NTFS Permissions"
- In reply to: Steven L Umbach: "Re: Domain Admin Account locked"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 10 Mar 2004 22:01:16 +0100
The Administrator account is indeed the Builtin account! (SID ends with 500)
For the Rights assignment trick, it seems it doesn't work. I think that the
credentials are checked first, and then upon successful check, the rights
are checked (accept / refuse local logon etc.). So the account is locked even
before the logon rights are checked. (Well, in fact it was one of the first
things I tried...)
Well, I think I will contact Microsoft Support. This is getting really weird.
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:Rhs2c.192102$uV3.793233@attbi_s51...
> Are you sure it is the built in administrator account that is being locked
> out and not an account renamed administrator?? On a domain controller run the
> psgetsid utility from SysInternals as in "psgetsid administrator" and the last
> three numbers after the hyphen must be 500 or it is not the built in
> administrators account. You can use the user right assignments for deny access
> to this computer from the network and deny logon locally to prevent lockouts
> to an account on specific computers or groups of computers that may be the
> targets of these attacks. Terminal Services requires logon locally. You might
> also want to see if you can better configure your firewall. For instance try
> to control access to port 3389 from just specific authorized IP address
> instead of any address. Another possibility is to use a VPN connection with
> l2tp for access to Terminal Services because l2tp requires trusted machine
> certificates to gain access to your network. Just keep in mind that l2tp will
> not work through most NAT firewalls, though there is an available NAT-T
> upgrade that will. -- Steve
>
> http://www.sysinternals.com/ntw2k/freeware/psgetsid.shtml
>
> "Xylos" <rjver@NOSSPAAMwordlonline.fr> wrote in message
> news:eNkfLF7AEHA.444@TK2MSFTNGP11.phx.gbl...
> > Hi group,
> > I've already posted a couple of days ago,
> > (now I am crossposting, to make the audience bigger)
> >
> > so here is the issue:
> >
> > My domain admin account is sensitive to lockout,
> > but it should not be. By default the lockout policy does not apply to admin.
> > The tool "passprop" indicates that "the domain admin account may not be
> > locked out".
> > What's going on? Is a security update generating this behavior?
> > The problem is that the admin account may be locked
> > from the outside world to make DOS attacks.
> > (from Terminal Services)
> > One solution of course is renaming the admin account,
> > but I prefer not, or not using admin at all.
> > But the best would be to enable a policy that applies
> > to the TS computer that disables lockouts; unfortunately
> > I was told one day that lockout, kerberos, password policies are domain
> > wide and enforced at domain level only.
> >
> > But I'm sure there is a way to make the admin account not
> > subject to lockout.
> > Well, maybe I should call Microsoft Support.
> >
> > Thank you if you have any idea.
> >
> >
>
>
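The check Steve describes with psgetsid (is the account named "Administrator" really the built-in RID 500 account?) together with the lockout state and the domain-wide lockout threshold the thread discusses, written as an added PowerShell example for a domain-joined host with the ActiveDirectory module; this is not code from the thread, and the function name and its parameters are my own.

```powershell
# Added example: report whether a named account is the built-in Administrator
# (RID 500), whether it is currently locked out, and what the domain lockout
# threshold is. Requires the ActiveDirectory module (RSAT) on a domain member.
function Get-AdminLockoutReport {
    param(
        [Parameter(Mandatory)] [string]$AccountName,
        [string]$Domain = $env:USERDOMAIN
    )
    # Resolve the name to its SID, the same value "psgetsid administrator" prints.
    $nt  = New-Object System.Security.Principal.NTAccount($Domain, $AccountName)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])

    # The RID is the last sub-authority of the SID; 500 identifies the built-in
    # Administrator regardless of what the account has been renamed to.
    $rid = [int]($sid.Value -split '-')[-1]

    # LockedOut and LockoutTime come from AD; LockoutTime is a Windows file time.
    $user = Get-ADUser -Identity $sid.Value -Properties LockedOut, LockoutTime
    $since = if ($user.LockoutTime) { [DateTime]::FromFileTime($user.LockoutTime) } else { $null }

    # Lockout policy is domain-wide (as the thread notes); threshold 0 means
    # accounts never lock out, anything else is the failed-logon count that does.
    $policy = Get-ADDefaultDomainPasswordPolicy

    [pscustomobject]@{
        Account          = "$Domain\$AccountName"
        SID              = $sid.Value
        IsBuiltinAdmin   = ($rid -eq 500)
        LockedOut        = [bool]$user.LockedOut
        LockedOutSince   = $since
        LockoutThreshold = $policy.LockoutThreshold
        LockoutDuration  = $policy.LockoutDuration
    }
}

# Usage: Get-AdminLockoutReport -AccountName 'Administrator'
```

If IsBuiltinAdmin comes back false, the locked account is a renamed one and the built-in RID 500 account should be checked by SID rather than by name.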