Posted by Joe Richards [MVP] on October 22, 2006, 1:15 am
Special hardcoded functionality.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Scott Shoemaker wrote:
> OK,
> That is pretty much what I thought, but I appreciate the confirmation from
> Steve and yourself. So, how is it that the Administrator account is not
> subject to this policy?
>
> -Scott
>
> "Joe Richards [MVP]" wrote:
>
>> No you cannot set accounts to not lock. You either have the locking
>> policy or you don't. Some places will create an additional domain for
>> service accounts. A better solution is to use network service or local
>> service instead of userids or as Steve suggests get away from using
>> lockouts at all or change your use of them.
>>
>> If you must have lockouts, consider switching to a short lockout
>> duration so that a lockout on the account doesn't completely black out
>> the service. This is an attack vector as indicated by Steve.
>>
>> joe
>>
>> --
>> Joe Richards Microsoft MVP Windows Server Directory Services
>> Author of O'Reilly Active Directory Third Edition
>> www.joeware.net
>>
>>
>> ---O'Reilly Active Directory Third Edition now available---
>>
>> http://www.joeware.net/win/ad3e.htm
>>
>>
>> Scott Shoemaker wrote:
>>> Hi,
>>> We have a domain policy which dictates that locked accounts stay locked
>>> until they are unlocked. Last week, a domain account that is used to run a
>>> service got locked and brought an application down. So, is there any way to
>>> specify on an individual account that it should not be locked? As a follow
>>> on question, how is this accomplished on the Administrator account?
>>>
>>> Thanks,
>>> Scott