Re: Locked out admin account
- From: "Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx>
- Date: Tue, 13 Sep 2005 21:59:48 +0200
Hi,
By default, you can't lockout Administrator, but you can use passprop tool
from Resource Kit to enable locking out for built-in Administrator account.
In Windows 2000 you can only lock it out from remote logons while in 2003
you can lock it out even from interactive logons.
Here is more
http://www.microsoft.com/technet/security/topics/serversecurity/administratoraccounts/aapgch03.mspx
*************************************************
Enable Account Lockout for Remote Administrator Logons
One way to prevent attackers from using the built-in administrator account
and password credentials is to allow the administrator account to be locked
out of the network by an account policy, after a specified number of logon
failures occur. By default, the built-in administrator account cannot be
locked out; however, you can use passprop.exe, a command-line program in the
Microsoft Windows 2000 Server Resource Kit, to enable account lockout for
remote logons that use the administrator account. When you run the passprop
utility with the /ADMINLOCKOUT switch, you make the administrator account
subject to account lockout policies. In Windows 2000 Server, this only
applies to remote logons, and because the built-in administrator account can
never be locked out from the local computer, this program allows you to
protect the administrator account from attack over the network but still
allows interactive access.
Warning: In Windows Server 2003, passprop will allow the built-in
administrator account to get locked out from interactive logons as well as
remote logons.
*************************************************
--
Mike
Microsoft MVP - Windows Security
"Phillip Windell" <@.> wrote in message
news:%23%23pfwjJuFHA.2072@xxxxxxxxxxxxxxxxxxxxxxx
>I did not think the original built in Administrator Accout could even get
> locked out,...I thought it was the one exception to the lockout policy.
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
> -----------------------------------------------------
> Understanding the ISA 2004 Access Rule Processing
> http://www.isaserver.org/articles/ISA2004_AccessRules.html
>
> Microsoft Internet Security & Acceleration Server: Guidance
> http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
> http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp
>
> Microsoft Internet Security & Acceleration Server: Partners
> http://www.microsoft.com/isaserver/partners/default.asp
> -----------------------------------------------------
>
>
>
> "Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx> wrote in message
> news:%23M5yC8IuFHA.664@xxxxxxxxxxxxxxxxxxxxxxx
>> Hi,
>>
>> These tools should help you out determining what is causing the lockout
>>
>> Account Lockout and Management Tools
>>
> http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
>>
>> --
>> Mike
>> Microsoft MVP - Windows Security
>>
>>
>> "Darren" <Darren@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:ED2D93BE-FADC-4C8A-A4A4-F52CB909FCBF@xxxxxxxxxxxxxxxx
>> > There is some process which keeps locking the admin account. Is there
>> > some
>> > tool on the market to help me find what is doing this. The event log
> only
>> > shows the following:
>> >
>> >
>> > Reason: Unknown user name or bad password
>> > User Name: Administrator
>> > Domain: @@@@@@@
>> > Logon Type: 4
>> > Logon Process: Advapi
>> > Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>> >
>> > I checked all the services passwords and they seem correct.
>> >
>> >
>> >
>>
>>
>
>
.
- References:
- Re: Locked out admin account
- From: Miha Pihler [MVP]
- Re: Locked out admin account
- Prev by Date: Active Directory for small network?
- Next by Date: AD question about "first DNS server on network"
- Previous by thread: Re: Locked out admin account
- Next by thread: Active Directory for small network?
- Index(es):
Relevant Pages
|
