#1
Exclude Admin account from Account Locked out policy

I have a Windows 2003 domain. I have domain policies applied on domain level, such as lockout policy. There are a few accounts that have domain admin rights. How do I exclude these admin accounts from the Account Locked out policy or other domain policy? Thanks for the help.

#2
Re: Exclude Admin account from Account Locked out policy

Hi
Create a new policy (do not use the domain policy for this).
In the GPO properties select deny read and apply GPO to members of that group.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"RayRogers" <RayRogers@news.postalias> wrote in message news:8982F065-CEBD-41AC-8B7D-299FAA999961@microsoft.com...
> Hello,
>
> I have windows 2003 domain. I have domain policies applied on domain level, such as lockout policy. There are a few accounts have domain admin right. How do I exclude these admin accounts from Account Locked out policy or other domain policy. Thanks for the help.

#3
Re: Exclude Admin account from Account Locked out policy

Hi, Jorge: Can you be specific on how to apply that Deny option? Admin is at default user group currently. Can we use block policy inheritance option? Thanks!

"Jorge Silva" wrote:
> Hi
> Create a new policy (do not use the domain policy for this).
> In the GPO properties select deny read and apply GPO to members of that group.

#4
Re: Exclude Admin account from Account Locked out policy

the current domain policy settings are configured in the computer part of it and therefore these apply to DCs when these "evaluate accounts" to change the password or to lockout. You can have ONLY ONE password and account lockout policy in ANY AD Domain! Windows Server 2008 introduces multiple password and account lockout policies through PSOs when the DFL = at least w2k8

--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx

* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!

"RayRogers" <RayRogers@news.postalias> wrote in message news:8982F065-CEBD-41AC-8B7D-299FAA999961@microsoft.com...
> Hello,
>
> I have windows 2003 domain. I have domain policies applied on domain level, such as lockout policy. There are a few accounts have domain admin right. How do I exclude these admin accounts from Account Locked out policy or other domain policy. Thanks for the help.
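
The PSO mechanism mentioned in the post above, as an added example that is not part of any poster's message: it reads the single domain-wide lockout policy, checks the domain functional level, creates a PSO for the admin group and reports which policy each member actually resolves to. It assumes a domain at functional level 2008 or later with the ActiveDirectory PowerShell module available; the PSO name and every policy value are constructed samples.

```powershell
# Added example. Assumes the ActiveDirectory module and rights to create PSOs.
Import-Module ActiveDirectory

$AdminGroup = 'Domain Admins'      # global security group the PSO targets
$PsoName    = 'PSO-DomainAdmins'   # hypothetical name, not from the thread

# 1. The one domain-wide policy the DCs enforce for every account without a PSO.
$default = Get-ADDefaultDomainPasswordPolicy
$default | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. PSOs are only honoured when the domain functional level is 2008 or higher.
$minMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
$mode    = (Get-ADDomain).DomainMode
if ($mode -lt $minMode) {
    throw "Domain functional level is $mode; only the single domain policy applies."
}

# 3. Create the PSO once and attach it to the group.
#    All values are constructed samples; the observation window must not
#    exceed the lockout duration.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    $pso = @{
        Name                        = $PsoName
        Precedence                  = 10     # lower number wins when PSOs overlap
        LockoutThreshold            = 5
        LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
        LockoutDuration             = (New-TimeSpan -Minutes 30)
        MinPasswordLength           = 14
        ComplexityEnabled           = $true
        PasswordHistoryCount        = 24
        MinPasswordAge              = (New-TimeSpan -Days 1)
        MaxPasswordAge              = (New-TimeSpan -Days 60)
        ReversibleEncryptionEnabled = $false
    }
    New-ADFineGrainedPasswordPolicy @pso
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $AdminGroup
}

# 4. Report the policy each admin account resolves to. An empty result from
#    Get-ADUserResultantPasswordPolicy means the domain-wide policy applies.
Get-ADGroupMember -Identity $AdminGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $rp = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            Account          = $_.SamAccountName
            Policy           = if ($rp) { $rp.Name } else { 'domain-wide policy' }
            LockoutThreshold = if ($rp) { $rp.LockoutThreshold } else { $default.LockoutThreshold }
        }
    }
```

Neither linking a GPO to an OU nor blocking inheritance changes the output of step 4; only the domain-wide policy and PSOs do.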

#5
Re: Exclude Admin account from Account Locked out policy

isn't the password and account lockout policy applied to DCs and "evaluated by the DCs for domain accounts"?

what is the meaning of what you are saying?

--
Cheers,
# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message news:9FDBA69B-3833-4EEF-88F2-112E83651EEB@microsoft.com...
> Hi
> Create a new policy (do not use the domain policy for this).
> In the GPO properties select deny read and apply GPO to members of that group.

#6
Re: Exclude Admin account from Account Locked out policy

The domain policy is the only place you can apply this value in order to be applied. If you start messing around with this you are just asking for trouble. I would expect your domain admins to have a higher level of security requirements not lower, you shouldn't work to lower their level of security. This is a really bad idea and one I would highly discourage. The administrator account itself will never lockout.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"RayRogers" <RayRogers@news.postalias> wrote in message news:8982F065-CEBD-41AC-8B7D-299FAA999961@microsoft.com...
> Hello,
>
> I have windows 2003 domain. I have domain policies applied on domain level, such as lockout policy. There are a few accounts have domain admin right. How do I exclude these admin accounts from Account Locked out policy or other domain policy. Thanks for the help.

#7
Re: Exclude Admin account from Account Locked out policy

Hi Paul:

It seems the default admin account is never locked out. Will the admin accounts we created be locked out? It seems this happens.

Thanks.

"Paul Bergson" wrote:
> The domain policy is the only place you can apply this value in order to be applied. If you start messing around with this you are just asking for trouble. I would expect your domain admins to have a higher level of security requirements not lower, you shouldn't work to lower their level of security. This is a really bad idea and one I would highly discourage it. The administrator account itself will never lockout.

#8
Re: Exclude Admin account from Account Locked out policy

The other way - Create an OU and just set it to block policy inheritance. Make sure the Domain level policy is not set to No override. Using this the new OU doesn't have any policy applied.

--
Kumar

#9
Re: Exclude Admin account from Account Locked out policy

locking out the default domain admin....

see:
http://blogs.dirteam.com/blogs/jorge...21003F00_.aspx

--
Cheers,
# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

"RayRogers" <RayRogers@news.postalias> wrote in message news:54378FFC-78EE-4AC5-A795-122E8136FC6D@microsoft.com...
> Hi Paul:
>
> It seem default admin account never locked out. Will the admin accounts we created be locked out? It seems this happens.
>
> Thanks.

#10
Re: Exclude Admin account from Account Locked out policy

will not work

--
Cheers,
# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

"dkumar" <dkumar.3kcire@DoNotSpam.com> wrote in message news:dkumar.3kcire@DoNotSpam.com...
> The other way - Create an OU and just set it to block policy inheritance. Make sure the Domain level policy is not set to No override. Using this the new OU doesn't have any policy applied.

#11
Re: Exclude Admin account from Account Locked out policy

I forgot that you're talking about password policy. In fact (as Jorge said) you can only have 1 password policy per domain if you're not using 2008, the Administrator account in fact locks, but the system unlocks that account automatically...

--
Jorge Silva
MCSE, MVP Directory Services

"RayRogers" <RayRogers@news.postalias> wrote in message news:AF21443F-48B8-4DFC-8A0F-2AEFB2CD8F65@microsoft.com...
> Hi, Jorge: Can you be specific on how to apply that Deny option? Admin is at default user group currently. Can we use block policy inheritance option? Thanks!

#12
Re: Exclude Admin account from Account Locked out policy

Curious tidbit of info. Didn't know that. End effect is, it doesn't require unlocking.

--
Paul Bergson
MVP - Directory Services

"Jorge de Almeida Pinto [MVP - DS]" <SubstituteThisWithMyFullNameSeparatedByDots@gmail.com> wrote in message news:eNjeFdRXJHA.4628@TK2MSFTNGP02.phx.gbl...
> locking out the default domain admin....
>
> see:
> http://blogs.dirteam.com/blogs/jorge...21003F00_.aspx

#13
Re: Exclude Admin account from Account Locked out policy

The administrators account will not lockout (Unless you read Jorge's article, but net effect it doesn't really block you from logging on) but other domain admin accounts will lock out.

--
Paul Bergson
MVP - Directory Services

"RayRogers" <RayRogers@news.postalias> wrote in message news:54378FFC-78EE-4AC5-A795-122E8136FC6D@microsoft.com...
> Hi Paul:
>
> It seem default admin account never locked out. Will the admin accounts we created be locked out? It seems this happens.
>
> Thanks.

#14
Re: Exclude Admin account from Account Locked out policy

So Non-default administrators account can be locked out, right?
And the following method will not work:
Create an OU and just set it to block policy inheritance. Make sure the Domain level policy is not set to No override. Using this the new OU doesn't have any policy applied.

Thanks for clarification.

"Jorge de Almeida Pinto [MVP - DS]" wrote:
> the current domain policy settings are configured in the computer part of it and therefore these apply to DCs when these "evaluate accounts" to change the password or to lockout. You can have ONLY ONE password and account lockout policy in ANY AD Domain! Windows Server 2008 introduces multiple password and account lockout policies through PSOs when the DFL = at least w2k8

#15
Re: Exclude Admin account from Account Locked out policy

like I explained earlier, the password and account lockout policies are applied by the DCs which use the settings to enforce users do something

short answer to your question: NO, it will not work

--
Cheers,
# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

"RayRogers" <RayRogers@news.postalias> wrote in message news:BD401C06-FA83-49D0-B85D-83310FD4DE76@microsoft.com...
> So Non-default administrators account can be locked out, right?
> And the following method will not work:
> Create an OU and just set it to block policy inheritance. Make sure the Domain level policy is not set to No override. Using this the new OU doesn't have any policy applied.
>
> Thanks for clarification.