Re: Limit number of login attemps on Windows server 2003 - where to set this up?

From: Stuart Mackie [MCP, MSP] (newsgroups_at_--REMOVE_THIS-NO_SPAM--stu.uk.com)
Date: 12/19/04


Date: Sun, 19 Dec 2004 15:28:26 -0000

Hi David. Sorry for taking as long to reply on this.

An example change which you would make using the DC Security Policy and not
on the general Domain Policy would be something like Auditing. You may want
to Audit certain events on your Domain Controllers for security, but do not
want to audit these events on all workstations. In this case you would
change the policy in the DC Security Policy and it would only apply to your
Domain Controllers.

If you leave a policy setting 'disabled' on the DC Policy it has no effect
on the Domain Policy. In terms of your example, if you configure a lockout
policy in your Domain Policy and leave the particular policy setting
disabled in your DC Policy, the settings you make will apply to all machines
and will not be affected by the disabled DC Policy. If on the other hand
you configured the lockout policy in your Domain Policy for 5 incorrect
attempts, then configured the DC Policy for 2 incorrect attempts, all the
workstations and non Domain Controllers in your domain would use the 5
incorrect attempts rule, while your Domain Controllers would use the 2
incorrect attempts. The DC Policy will take precedence over the Domain
Policy, but only on the Domain Controllers. The DC Policy has no effect on
workstations etc.

Please let me know if there is anything you are still unsure of.

-- 
Hth,
Stuart Mackie [MCP, MSP]
www.stu.uk.com
"David Jensen" <djnews1@xxhealthcare.com> wrote in message 
news:q%Cvd.3622$2J2.3152@newsread2.news.atl.earthlink.net...
> Stuart,
>
> Thanks for taking the time to respond.  Unfortunately, I'm still confused 
> on a couple of points.
>
> When you say that "The Domain Security Policy applies to all computers in 
> the
> domain, and the Domain Controller Security Policy only applies to Domain
> Controllers within your domain", it confuses me since I don't understand 
> what change you'd make on a DC that you wouldn't want to affect the PCs 
> that are connecting to the server. In other words, the way I see it, the 
> server exists to serve the clients, so what would you change on the DC, 
> that you wouldn't want to affect the client.  Maybe that's because I don't 
> really understand what the function of the domain controller is.
>
> You say that, The Domain Controller Security Policy takes precedence over 
> the Domain Security Policy.  If I configure a lockout policy at the Domain 
> Security Policy and leave the DC Security Policy NOT configured, does that 
> mean that I have not actually implemented this policy?  In other words, it 
> seems like I would have to configure it in both places since the one takes 
> precedence over the other.
>
> Thanks for your help in understanding this.
>
> David Jensen
>
>
> "Stuart Mackie [MCP, MSP]" <newsgroups@--REMOVE_THIS-NO_SPAM--stu.uk.com> 
> wrote in message news:%23vZOJsW4EHA.524@TK2MSFTNGP09.phx.gbl...
>> Hi David.   The Domain Security Policy applies to all computers in the 
>> domain, and the Domain Controller Security Policy only applies to Domain 
>> Controllers within your domain.  The Domain Controller Security Policy 
>> takes precedence over the Domain Security Policy.  Therefore if you want 
>> to adjust the policy on your Domain Controllers without affecting the 
>> workstations on your network you would use the Domain Controller Security 
>> Policy.  Whereas if you wanted to make a change that affected all systems 
>> on your network you would use the Domain Security Policy etc.
>>
>> To adjust account lockout open your Domain Security Policy and navigate 
>> to the folder below:
>>
>> Computer Configuration
>>    Windows Settings
>>        Security Settings
>>            Account Policies
>>                Account Lockout Policy
>>
>> There will be three options listed to allow you to adjust lockout policy.
>>
>> Unfortunately there can be disadvantages to applying a lockout policy. 
>> If your server is online and serving any websites or providing external 
>> services where account lockouts can apply, it is possible for DoS attacks 
>> to take place against user accounts as well as IIS accounts since these 
>> all come under the same policy.
>>
>> -- 
>> Hth,
>> Stuart Mackie [MCP, MSP]
>> www.stu.uk.com
>>
>>
>> "David Jensen" <djnews1@xxhealthcare.com> wrote in message 
>> news:PSovd.2858$2J2.746@newsread2.news.atl.earthlink.net...
>>> I'm setting up a single server at our small office with Win 2003 server. 
>>> I want to limit the number of login attempts that a user can make before 
>>> being locked out.  The server is acting as the one and only DC, in 
>>> addition to being a Terminal Server, and File server.
>>>
>>> I find that I have the option to set up the security settings in either 
>>> the Domain Controller Security Policy or the Domain Security Policy (and 
>>> then navigating to Security Settings/Account Policies/Account Lockout 
>>> Policy).
>>>
>>> Can someone please explain to me why the two options and what scenarios 
>>> would determine where I should set it up (the Domain Controller Security 
>>> Policy or the Domain Security Policy)?  I would very much appreciate it 
>>> if someone could help me understand the thought process of which one to 
>>> use (or both, I guess), not just in this scenario but in other 
>>> circumstances and scenarios.  In this case, my needs are to limit the 
>>> login attempts from a client PC trying to log into the server and/or 
>>> limiting the login attempts via Terminal services.
>>>
>>>
>>> Thanks in advance
>>> -- 
>>> David Jensen
>>> Replace the xx in my E-mail address with "Team" for my real E-mail 
>>> address
>>>
>>>
>>
>>
>
> 
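As an added example, not part of the thread, here is a small Python script that parses the output of `net accounts` (the command-line way to read the lockout settings actually in effect on a given machine) so you can confirm that a workstation picks up the Domain Policy value while the DC picks up the DC Policy value, and that flags settings which make the lockout DoS mentioned above easier. The sample output and its values are constructed to match the 5-vs-2 scenario in the thread; the review cutoffs are assumptions.

```python
import re

# Constructed `net accounts` output, in the layout the command prints on
# Windows Server 2003; values are invented to mirror the thread's example
# (Domain Policy: 5 attempts, DC Policy: 2 attempts).
SAMPLE_DC = """\
Lockout threshold:                                    2
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
"""

SAMPLE_WORKSTATION = """\
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
"""

def parse_net_accounts(text):
    """Return {setting: value} for the lockout-related lines of `net accounts`."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"(Lockout [^:]+|Computer role):\s*(\S.*)$", line)
        if m:
            settings[m.group(1).strip()] = m.group(2).strip()
    return settings

def _minutes(value):
    # Assumption: a non-numeric value such as "Never" means 0 (never resets /
    # stays locked until an administrator unlocks the account).
    return int(value) if value.isdigit() else 0

def lockout_findings(settings):
    """Review the effective lockout settings the way a defender would."""
    findings = []
    threshold = settings.get("Lockout threshold", "Never")
    if not threshold.isdigit():
        findings.append("no lockout: unlimited password guesses allowed")
        return findings
    duration = _minutes(settings.get("Lockout duration (minutes)", "0"))
    window = _minutes(settings.get("Lockout observation window (minutes)", "0"))
    if int(threshold) < 5:  # assumed review cutoff, not a Windows rule
        findings.append("threshold %s is low; easy to lock accounts out (DoS)" % threshold)
    if duration == 0:
        findings.append("duration 0: locked accounts stay locked until an admin unlocks them")
    elif window > duration:
        findings.append("observation window exceeds lockout duration")
    return findings
```

Run `net accounts` on the DC and on a workstation and feed each output to `parse_net_accounts` to see which policy each machine actually applies.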

