Re: Limit number of login attempts on Windows server 2003 - where to set this up?
From: David Jensen (djnews1_at_xxhealthcare.com)
Date: 12/14/04
- In reply to: Stuart Mackie [MCP, MSP]: "Re: Limit number of login attempts on Windows server 2003 - where to set this up?"
Date: Tue, 14 Dec 2004 14:44:38 GMT
Stuart,
Thanks for taking the time to respond. Unfortunately, I'm still confused on
a couple of points.
When you say that "The Domain Security Policy applies to all computers in
the domain, and the Domain Controller Security Policy only applies to Domain
Controllers within your domain", it confuses me since I don't understand
what change you'd make on a DC that you wouldn't want to affect the PCs that
are connecting to the server. In other words, the way I see it, the server
exists to serve the clients, so what would you change on the DC that you
wouldn't want to affect the client? Maybe that's because I don't really
understand what the function of the domain controller is.
You say that "The Domain Controller Security Policy takes precedence over
the Domain Security Policy." If I configure a lockout policy at the Domain
Security Policy and leave the DC Security Policy NOT configured, does that
mean that I have not actually implemented this policy? In other words, it
seems like I would have to configure it in both places since the one takes
precedence over the other.
Thanks for your help in understanding this.
David Jensen
"Stuart Mackie [MCP, MSP]" <newsgroups@--REMOVE_THIS-NO_SPAM--stu.uk.com>
wrote in message news:%23vZOJsW4EHA.524@TK2MSFTNGP09.phx.gbl...
> Hi David. The Domain Security Policy applies to all computers in the
> domain, and the Domain Controller Security Policy only applies to Domain
> Controllers within your domain. The Domain Controller Security Policy
> takes precedence over the Domain Security Policy. Therefore if you want
> to adjust the policy on your Domain Controllers without affecting the
> workstations on your network you would use the Domain Controller Security
> Policy. Whereas if you wanted to make a change that affected all systems
> on your network you would use the Domain Security Policy etc.
>
> To adjust account lockout open your Domain Security Policy and navigate to
> the folder below:
>
> Computer Configuration
>   Windows Settings
>     Security Settings
>       Account Policies
>         Account Lockout Policy
>
> There will be three options listed to allow you to adjust lockout policy.
>
> Unfortunately there can be disadvantages to applying a lockout policy. If
> your server is online and serving any websites or providing external
> services where account lockouts can apply, it is possible for DOS attacks
> to take place against user accounts as well as IIS accounts since these
> all come under the same policy.
>
> --
> Hth,
> Stuart Mackie [MCP, MSP]
> www.stu.uk.com
>
>
> "David Jensen" <djnews1@xxhealthcare.com> wrote in message
> news:PSovd.2858$2J2.746@newsread2.news.atl.earthlink.net...
>> I'm setting up a single server at our small office with Win 2003 server.
>> I want to limit the number of login attempts that a user can make before
>> being locked out. The server is acting as the one and only DC, in
>> addition to being a Terminal Server, and File server.
>>
>> I find that I have the option to set up the security settings in either
>> the Domain Controller Security Policy or the Domain Security Policy (and
>> then navigating to Security Settings/Account Policies/Account Lockout
>> Policy).
>>
>> Can someone please explain to me why the two options and what scenarios
>> would determine where I should set it up (the Domain Controller Security
>> Policy or the Domain Security Policy)? I would very much appreciate it
>> if someone could help me understand the thought process of which one to
>> use (or both, I guess), not just in this scenario but in other
>> circumstances and scenarios. In this case, my needs are to limit the
>> login attempts from a client PC trying to log into the server and/or
>> limiting the login attempts via Terminal services.
>>
>>
>> Thanks in advance
>> --
>> David Jensen
>> Replace the xx in my E-mail address with "Team" for my real E-mail
>> address
>>
>>
>
>
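The three Account Lockout Policy options mentioned in the thread, and the lockout denial-of-service trade-off, can be checked from a policy export. The following is an added example, not part of the original posts: it reads the `[System Access]` section of a `secedit /export` template and reports the lockout threshold, reset counter and duration. The sample text is constructed, the function names are hypothetical, and it assumes an exported duration of -1 (0 in the GUI) means "locked until an administrator unlocks".

```python
import configparser

# Constructed sample of the text written by
#   secedit /export /cfg policy.inf /areas SECURITYPOLICY
# (values invented for illustration).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = -1
[Version]
signature="$CHICAGO$"
Revision=1
"""

KEYS = ("LockoutBadCount", "ResetLockoutCount", "LockoutDuration")

def lockout_settings(inf_text):
    """Return the three Account Lockout Policy values as ints (None if absent)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in the template
    cp.read_string(inf_text)
    sec = cp["System Access"] if cp.has_section("System Access") else {}
    return {k: int(sec[k]) if k in sec else None for k in KEYS}

def review(settings):
    """Return a list of findings about the lockout policy."""
    threshold = settings["LockoutBadCount"]
    reset = settings["ResetLockoutCount"]
    duration = settings["LockoutDuration"]
    if not threshold:  # 0 or missing: accounts never lock out
        return ["lockout disabled: unlimited logon attempts allowed"]
    findings = []
    if duration in (0, -1):  # assumption: both mean "until an admin unlocks"
        findings.append("accounts stay locked until an administrator unlocks "
                        "them; repeated bad logons can deny service to users")
    elif None not in (reset, duration) and reset > duration:
        findings.append("reset counter exceeds lockout duration")
    return findings

if __name__ == "__main__":
    current = lockout_settings(SAMPLE_INF)
    print(current)
    for finding in review(current):
        print("-", finding)
```

On the server itself, `net accounts` prints the same three values as currently in effect.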