Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Set AD account to never lock out? [message #394973] Fri, 19 February 2010 05:00
Peter[1], United Kingdom
Messages: 76
Registered: August 2009
Member
Hi,

Is it possible to make an AD account never lock out like the admin user
account?

Thanks
Re: Set AD account to never lock out? [message #394978 is a reply to message #394973] Fri, 19 February 2010 05:09
meiweb, Germany
Messages: 2225
Registered: September 2009
Senior Member
Hello Whiteford,

Configure the Account lockout settings so the domain accounts won't lock.

Basically the Administrator also will lock, but it automatically unlocks
so you won't realize it and AFAIK this cannot be done for other accounts.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Re: Set AD account to never lock out? [message #395006 is a reply to message #394978] Fri, 19 February 2010 06:25
Peter[1], United Kingdom
Messages: 76
Registered: August 2009
Member
Hi,

I want the rest of the AD domain accounts to lock out but just not the new
account I have created.

Where is this setting?

Re: Set AD account to never lock out? [message #395096 is a reply to message #395006] Fri, 19 February 2010 08:16
KevinJ.SBS, United States
Messages: 653
Registered: July 2009
Senior Member
Whiteford wrote:
> Hi,
>
> I want the rest of the AD domain accounts to lock out but just not
> the new account I have created.
>
> Where is this setting?

To mix and match account lockouts within a domain, you'd need to be at
Server 2008 domain functional level and implement a fine grained password
(&lockout) policy applying to your 'exempted' accounts.



--
/kj
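
An added example, not part of the original thread: one way to set up the fine-grained password and lockout policy described in the reply above, using the ActiveDirectory PowerShell module. The account name `svc-migration`, the PSO name `PSO-NoLockout` and all policy values are hypothetical; the domain must be at Server 2008 functional level or higher.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module
# (RSAT) is installed and the caller is a Domain Admin.
Import-Module ActiveDirectory

$account = 'svc-migration'   # hypothetical: the one account to exempt
$psoName = 'PSO-NoLockout'   # hypothetical PSO name

# Fine-grained policies are not available below 2008 domain functional level.
$mode = "$((Get-ADDomain).DomainMode)"
$tooOld = @('Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain')
if ($tooOld -contains $mode) {
    throw "Domain functional level is $mode; fine-grained policies need 2008 or higher."
}

# LockoutThreshold 0 means the account is never locked out. Because lockout
# no longer limits password guessing for this account, the PSO compensates
# with a much longer minimum password length (constructed values).
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -LockoutThreshold 0 `
    -LockoutDuration '00:30:00' `
    -LockoutObservationWindow '00:30:00' `
    -MinPasswordLength 20 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '90.00:00:00' `
    -ReversibleEncryptionEnabled $false

# A PSO applies only to users or global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $account

# Confirm which policy actually wins for the account; every other account
# stays on the domain-wide lockout settings.
Get-ADUserResultantPasswordPolicy -Identity $account |
    Select-Object Name, Precedence, LockoutThreshold, MinPasswordLength
```
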
Re: Set AD account to never lock out? [message #395108 is a reply to message #395096] Fri, 19 February 2010 08:36
Peter[1], United Kingdom
Messages: 76
Registered: August 2009
Member
I see, so only the default admin username can do this in 2003? We are
basically trying to change our domain admin username and password, so I
thought rather than change the default one, I would create a copy and we
phase in each server. We don't want a big bang approach and change the
admin password and find server having issues.

Re: Set AD account to never lock out? [message #395124 is a reply to message #395108] Fri, 19 February 2010 08:52
aceman, United States
Messages: 5816
Registered: July 2009
Senior Member
"Whiteford" <no@no.com> wrote in message
news:OYZaFlXsKHA.5936@TK2MSFTNGP04.phx.gbl...
>I see, so only the default admin username can do this in 2003? We are
>basically trying to change our domain admin username and password, so I
>thought rather than change the default one, I would create a copy and we
>phase in each server. We don't want a big bang approach and change the
>admin password and find server having issues.
>

If I understand what you're saying, you want to rename the default Domain
Administrator account, or instead of renaming it, create another user
account and put it in the Domain Administrators Group? If so, I can't see
how that would affect any servers, and I *assume* you mean introducing new
Windows 2008 domain controllers into the domain.

Otherwise, if I misunderstood, can you elaborate and possibly provide an
example?

Thanks,

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.
Re: Set AD account to never lock out? [message #395132 is a reply to message #395108] Fri, 19 February 2010 09:05
KevinJ.SBS, United States
Messages: 653
Registered: July 2009
Senior Member
Whiteford wrote:
> I see, so only the default admin username can do this in 2003? We are
> basically trying to change our domain admin username and password, so
> I thought rather than change the default one, I would create a copy
> and we phase in each server. We don't want a big bang approach and
> change the admin password and find server having issues.
>

Yes, only the default admin account. If you rename it, it's still the
default admin account and still will not (effectively) lock out.

Any new account regardless of the name is subject to the domain or FGP/PSO
lockout settings.



--
/kj
Re: Set AD account to never lock out? [message #395174 is a reply to message #395124] Fri, 19 February 2010 09:33
Peter[1], United Kingdom
Messages: 76
Registered: August 2009
Member
You are 99% (apologies for my explanation).

In our AD 2003 domain, we have been told we need to change the Administrator's
password, but I don't want to change it as many servers will stop working,
plus there must be some hard coded scripts somewhere using these
credentials. I thought I could copy the Administrator account and then login
to each server over a matter of dates to make sure the server is ok. If we
just change the Administrator password I think lots of areas will stop
working. It would be nice to just focus on one server at a time.

Re: Set AD account to never lock out? [message #395267 is a reply to message #395174] Fri, 19 February 2010 10:58
aceman, United States
Messages: 5816
Registered: July 2009
Senior Member
"Whiteford" <no@no.com> wrote in message
news:%23o9Q1EYsKHA.5036@TK2MSFTNGP02.phx.gbl...
> You are 99% (apologies for my explanation).
>
> In our AD 2003 domain, we have been told we need to change the
> Administrator's password, but I don't want to change it as many servers will
> stop working, plus there must be some hard coded scripts somewhere using
> these credentials. I thought I could copy the Administrator account and
> then login to each server over a matter of dates to make sure the server
> is ok. If we just change the Administrator password I think lots of areas
> will stop working. It would be nice to just focus on one server at a
> time.
>


I see. If you had used the default Domain Administrator account for services
and apps, that can be an issue. I've seen that happen numerous times with
various services and apps. Take BackupExec, for example. If you used the
Domain Admin account, and rename it, you have to go into BackupExec's
services and specify the change. You don't have to go to each server to test
logging on, which it will work fine once you change the password, unless you
mean you have that many apps and services that are running on all of your
servers that use the default Domain Admin account.

As you've found, it is a better practice to create a custom account just for
the service to use. This way, if you ever rename the default domain Admin
account, no problems.

I would suggest to then go ahead and create separate individual accounts
for EACH service and app running to use, and change them one by one. And
depending on the service or app, they more than likely do NOT need to be in
the domain admin group, rather provide specific permissions for them to use
to do their jobs. If you are not sure of those permissions, check with the
app or service's vendor website and documentation.

Ace
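
An added example, not part of the original thread: an inventory of the services and scheduled tasks that run as the built-in domain Administrator, which is the list to work through one by one before changing that account's password. It assumes the ActiveDirectory module, WinRM and remote `schtasks` access to each server, English column names in the `schtasks` output, and a hypothetical output path.

```powershell
# Added example (not from the thread): where is the built-in domain
# Administrator used as a service or scheduled-task identity?
Import-Module ActiveDirectory

$domain = Get-ADDomain
# The built-in Administrator always has RID 500, so this finds it even
# after a rename.
$admin  = Get-ADUser -Identity "$($domain.DomainSID.Value)-500"
$sam    = $admin.SamAccountName
# Both logon-name forms a service or task may be configured with.
$names  = @("$($domain.NetBIOSName)\$sam", "${sam}@$($domain.DNSRoot)")

# Assumption: servers are identifiable by their operatingSystem attribute.
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' |
    Select-Object -ExpandProperty DNSHostName

$findings = foreach ($server in $servers) {
    try {
        Get-CimInstance -ClassName Win32_Service -ComputerName $server -ErrorAction Stop |
            Where-Object { $names -contains $_.StartName } |
            ForEach-Object {
                [pscustomobject]@{
                    Server = $server; Type = 'Service'
                    Name   = $_.Name; RunAs = $_.StartName
                }
            }

        schtasks.exe /query /s $server /fo csv /v | ConvertFrom-Csv |
            Where-Object { $names -contains $_.'Run As User' } |
            ForEach-Object {
                [pscustomobject]@{
                    Server = $server; Type = 'ScheduledTask'
                    Name   = $_.TaskName; RunAs = $_.'Run As User'
                }
            }
    } catch {
        # Unreachable servers are reported, not silently skipped.
        Write-Warning "${server}: $($_.Exception.Message)"
    }
}

# Hypothetical output path; one row per service or task to migrate.
$findings | Sort-Object Server, Type, Name -Unique |
    Export-Csv -Path .\admin-account-usage.csv -NoTypeInformation
```

This covers services and scheduled tasks only; credentials hard-coded inside scripts do not appear in it.
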
Re: Set AD account to never lock out? [message #395871 is a reply to message #395006] Sat, 20 February 2010 03:38
meiweb, Germany
Messages: 2225
Registered: September 2009
Senior Member
Hello Whiteford,

As already mentioned from the others, for one account only you need Windows
server 2008 with functional level 2008, no earlier OS DCs are allowed, to
configure fine grained password policies.

For service accounts you shouldn't use the administrator as you run into
exactly the problems where you are now.

So I suggest to find and reconfigure all service accounts, scripts etc.,
to domain users with the needed permissions only to free the administrator
account from this.

Renaming the administrator will not really help you in your case. I would
create new accounts as described above. Of course you can create additional
accounts and add them to the domain administrators group also.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

