Hi,
I want to enable an account lock-out policy to restrict up to 5 bad logons.
I don't want this policy to apply to the Service accounts used by the
applications as it will lock-out the service account and will stop it.
Is there any way to accomplish this?

Note: the Policy I am trying to use is the Default Domain policy as I want
the same policy to be applied to all users across the domain.

Re: Service Accounts & Account Lock out Policy by jwgoerlich

jwgoerlich
Thu Feb 15 08:29:08 CST 2007

At a high level, the following would accomplish your goal:

1) Set up the service accounts as follows. Create a group, Service
Accounts. Make all of your service accounts a member of this group.
Set their primary group to be Service Accounts. Remove their
membership in Domain Users.

2) Create a new GPO with the appropriate password policies. Do not use
the default domain policy. Creating the policy at the root of the
domain means that it is "applied to all users across the domain."

3) Remove Authenticated Users from the GPO. Apply it to the Domain
Users group.

Hope this helps. If you need any clarification on these, just ask.

J Wolfgang Goerlich

On Feb 15, 3:41 am, Feras Mustafa
<FerasMust...@discussions.microsoft.com> wrote:
> Hi,
> I want to enable an account lock-out policy to restrict up to 5 bad logons.
> I don't want this policy to apply to the Service accounts used by the
> applications as it will lock-out the service account and will stop it.
> Is there any way to accomplish this?
>
> Note: the Policy I am trying to use is the Default Domain policy as I want
> the same policy to be applied to all users across the domain.



Re: Service Accounts & Account Lock out Policy by Paul

Paul
Thu Feb 15 09:03:30 CST 2007

In article <1171549748.501362.86470
@k78g2000cwa.googlegroups.com>, in the microsoft.public.security
news group, <jwgoerlich@gmail.com> says...

> At a high level, the following would accomplish your goal:
>
> 1) Set up the service accounts as follows. Create a group, Service
> Accounts. Make all of your service accounts a member of this group.
> Set their primary group to be Service Accounts. Remove their
> membership in Domain Users.
>
> 2) Create a new GPO with the appropriate password policies. Do not use
> the default domain policy. Creating the policy at the root of the
> domain means that it is "applied to all users across the domain."

This won't work. Account policies can only be applied at the
domain level and they apply to all domain users, regardless of
group membership or security filtering on the GPO. The only
thing your suggested solution will accomplish is to affect the
account policies for local accounts on the machines to which the
GPO applies.

>
> 3) Remove Authenticated Users from the GPO. Apply it to the Domain
> Users group.

Again, this won't work. Account policies are computer policies
so they are applied to computers even though they ultimately
impact user accounts.

>
> Hope this helps. If you need any clarification on these, just ask.
>

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca
"The English language, complete with irony, satire, and sarcasm,
has survived for centuries without smileys. Only the new crop of
modern computer geeks finds it impossible to detect a joke that
is not clearly labeled as such."
Ray Shea
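
Added example (not part of the thread): a PowerShell check, assuming RSAT's ActiveDirectory and GroupPolicy modules on a domain-joined host, that reads the domain-wide lockout settings Paul describes from the domain object itself and lists the GPOs linked at the domain root, the only links that can set them for domain accounts.

```powershell
# Added example, not from the thread. Shows that the lockout policy for domain
# accounts is one domain-wide setting stored on the domain naming context; it is
# not affected by which OU, group or GPO security filter a user sits behind.
# Assumes RSAT's ActiveDirectory and GroupPolicy modules on a domain-joined host.
#Requires -Modules ActiveDirectory, GroupPolicy

$domain = Get-ADDomain

# The values the DCs enforce, as the AD module reports them.
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot

# The same values read straight from the domain object: attributes on the
# domain NC, written there by the GPO linked at the domain root.
$raw = Get-ADObject -Identity $domain.DistinguishedName `
    -Properties lockoutThreshold, lockoutDuration, lockOutObservationWindow

[PSCustomObject]@{
    Domain                   = $domain.DNSRoot
    LockoutThreshold         = $policy.LockoutThreshold
    LockoutDuration          = $policy.LockoutDuration
    LockoutObservationWindow = $policy.LockoutObservationWindow
    RawLockoutThreshold      = $raw.lockoutThreshold
    # lockoutDuration / lockOutObservationWindow are stored as negative
    # 100-nanosecond intervals; 600,000,000 ticks = one minute.
    RawLockoutDurationMin    = [math]::Abs($raw.lockoutDuration) / 600000000
    RawObservationWindowMin  = [math]::Abs($raw.lockOutObservationWindow) / 600000000
} | Format-List

# Only GPOs linked at the domain root can change the values above for domain
# accounts; a GPO linked to a workstation or user OU only reaches local SAM
# accounts on the machines it applies to.
Get-GPInheritance -Target $domain.DistinguishedName |
    Select-Object -ExpandProperty GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order
```

If the raw attribute values and the cmdlet output agree, and the only links shown are at the domain root, the policy in force is the one on the domain object regardless of how users are grouped, which is the point Paul makes above.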

Re: Service Accounts & Account Lock out Policy by Joe

Joe
Thu Feb 15 13:23:44 CST 2007

Totally shot from the hip there, didn't you, J Wolfgang... ;o)

This obviously will not work.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


jwgoerlich@gmail.com wrote:
> At a high level, the following would accomplish your goal:
>
> 1) Set up the service accounts as follows. Create a group, Service
> Accounts. Make all of your service accounts a member of this group.
> Set their primary group to be Service Accounts. Remove their
> membership in Domain Users.
>
> 2) Create a new GPO with the appropriate password policies. Do not use
> the default domain policy. Creating the policy at the root of the
> domain means that it is "applied to all users across the domain."
>
> 3) Remove Authenticated Users from the GPO. Apply it to the Domain
> Users group.
>
> Hope this helps. If you need any clarification on these, just ask.
>
> J Wolfgang Goerlich
>
> On Feb 15, 3:41 am, Feras Mustafa
> <FerasMust...@discussions.microsoft.com> wrote:
>> Hi,
>> I want to enable an account lock-out policy to restrict up to 5 bad logons.
>> I don't want this policy to apply to the Service accounts used by the
>> applications as it will lock-out the service account and will stop it.
>> Is there any way to accomplish this?
>>
>> Note: the Policy I am trying to use is the Default Domain policy as I want
>> the same policy to be applied to all users across the domain.
>
>

Re: Service Accounts & Account Lock out Policy by Joe

Joe
Thu Feb 15 13:30:21 CST 2007

You cannot. The lockout policy is domain wide and there is no way to
specify exemptions.

Also I would say that 5 bads is extremely low and will likely be
counterproductive and cause you more issues than it is worth. The idea
behind lockouts is to prevent automated systems from brute force hacking
a password via sending tens, hundreds or thousands of passwords a
minute. If you set the policy as low as 25 with a five minute lockout
reset this should be more than adequate to prevent brute force attacks
and not completely piss off your users when they fat-finger.

In every case I have seen low values for lockout counts implemented, I
have seen false positive lockouts increase considerably. When you get
into the silly levels of 3-5 bads your false positives can reach up into
the 30-50% range. There are programs (and OS revisions) out there that
will cause 3 bad authentications for every logon attempt as different
security providers are used.

Another item... You should try to avoid using the same service ID for
multiple machines/services. This is one of the primary causes of service
ID lockouts because when the IDs are changed, if you don't do it
properly, you have multiple machines all trying to use the old bad one.
If you absolutely MUST use the same ID for normal use, then you can try
to stagger the password changes by using ServiceID1, ServiceID2, etc and
then when you initially set up, you set the password on ServiceID1 and
configure the services. Then when you need to change the password you set
the new password on ServiceID2 and then change the services to use that
ID and the password it should be using.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net



Feras Mustafa wrote:
> Hi,
> I want to enable an account lock-out policy to restrict up to 5 bad logons.
> I don't want this policy to apply to the Service accounts used by the
> applications as it will lock-out the service account and will stop it.
> Is there any way to accomplish this?
>
> Note: the Policy I am trying to use is the Default Domain policy as I want
> the same policy to be applied to all users across the domain.
>
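
Added example (not part of the thread): a PowerShell script that carries out the staggered ServiceID1/ServiceID2 change Joe describes, and adds the check his post implies is usually skipped, namely confirming that no service on any server still references the old ID before it is touched, plus a look at the PDC emulator's lockout events to show which machine is still presenting the stale password. The account names, server list, service names and the 4740 event ID (Windows Server 2008 or later DCs) are assumptions for the example.

```powershell
# Added example, not from the thread. Staggered service-ID rotation:
# services run as ServiceID1 today; the new password goes on ServiceID2,
# every service is moved to ServiceID2, and ServiceID1 is left alone until
# nothing references it. Names, hosts and service names below are assumed.
# Assumes RSAT's ActiveDirectory module, WinRM to the servers, and a
# 2008+ DC (lockouts logged as event 4740 on the PDC emulator).
#Requires -Modules ActiveDirectory
param(
    [string]   $OldAccount = 'CORP\ServiceID1',    # assumed: ID in use today
    [string]   $NewAccount = 'CORP\ServiceID2',    # assumed: ID being switched to
    [string[]] $Servers    = @('app01', 'app02'),  # assumed hosts
    [string[]] $Services   = @('MyAppSvc')         # assumed service names
)

$oldSam = $OldAccount.Split('\')[1]
$newSam = $NewAccount.Split('\')[1]

# 1. Set the new password on the account nothing is using yet.
$newCred = Get-Credential -UserName $NewAccount -Message 'New password for the incoming service ID'
Set-ADAccountPassword -Identity $newSam -NewPassword $newCred.Password -Reset

# 2. Repoint each service to the new ID. Win32_Service.Change() takes the logon
#    account and password; the service is restarted afterwards so it logs on fresh.
foreach ($server in $Servers) {
    foreach ($svcName in $Services) {
        $svc = Get-CimInstance -ComputerName $server -ClassName Win32_Service -Filter "Name='$svcName'"
        if ($null -eq $svc) { continue }
        $result = $svc | Invoke-CimMethod -MethodName Change -Arguments @{
            StartName     = $NewAccount
            StartPassword = $newCred.GetNetworkCredential().Password
        }
        if ($result.ReturnValue -ne 0) {
            Write-Warning "$server/$svcName : Change() returned $($result.ReturnValue)"
            continue
        }
        Invoke-Command -ComputerName $server -ScriptBlock { param($n) Restart-Service -Name $n } -ArgumentList $svcName
    }
}

# 3. Before the old ID is ever re-passworded, prove nothing still runs as it.
#    StartName may be DOMAIN\name or a UPN, so match both forms.
$stale = foreach ($server in $Servers) {
    Get-CimInstance -ComputerName $server -ClassName Win32_Service |
        Where-Object { $_.StartName -ieq $OldAccount -or $_.StartName -like "$oldSam@*" } |
        Select-Object @{ n = 'Server'; e = { $server } }, Name, StartName
}

if ($stale) {
    Write-Warning "Services still using $OldAccount; leave its password unchanged until these are moved:"
    $stale | Format-Table -AutoSize
} else {
    Write-Output "No listed service references $OldAccount; it can take a new password at the next rotation."
}

# 4. If the old ID has been locking out, the 4740 events on the PDC emulator name
#    the caller computer, which is the machine still presenting the stale password.
$pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -ieq $oldSam } |
    Select-Object TimeCreated,
        @{ n = 'Account';        e = { $_.Properties[0].Value } },
        @{ n = 'CallerComputer'; e = { $_.Properties[1].Value } }
```

Step 3 is the part that matters for Joe's point: the old ID is never re-passworded while any machine still holds the old credential, so the multiple-machines-using-the-old-password lockouts cannot start. Servers outside the listed set are not checked by the script, which is why step 4 pulls the caller computer name from the DC's lockout events as a second, independent source.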

Re: Service Accounts & Account Lock out Policy by jwgoerlich

jwgoerlich
Fri Feb 16 10:17:31 CST 2007

Joe Richards wrote:
> Totally shot from the hip there, didn't you, J Wolfgang... ;o)

Ayup, you got it. I mistook Account Policies for user-based policies.

Here's a thought, since most users work on the desktops and most
service accounts run on servers, couldn't you create an OU just for
the desktop workstations and apply the GPO at that level?

Cheers,

J Wolfgang Goerlich


Re: Service Accounts & Account Lock out Policy by Paul

Paul
Fri Feb 16 10:22:18 CST 2007

In article <1171642650.918286.295210
@a75g2000cwd.googlegroups.com>, in the microsoft.public.security
news group, <jwgoerlich@gmail.com> says...

> Ayup, you got it. I mistook Account Policies for user-based policies.
>
> Here's a thought, since most users work on the desktops and most
> service accounts run on servers, couldn't you create an OU just for
> the desktop workstations and apply the GPO at that level?
>

No, see my reply to your earlier post in this thread.

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca

Re: Service Accounts & Account Lock out Policy by Joe

Joe
Fri Feb 16 14:55:21 CST 2007

Account Policies for domain accounts are handled by the GPOs making
changes to the domain controllers, not to user accounts, not to
workstations. There is no way currently to manage policies on a user or
OU basis for domain users.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net




jwgoerlich@gmail.com wrote:
> Joe Richards wrote:
>> Totally shot from the hip there, didn't you, J Wolfgang... ;o)
>
> Ayup, you got it. I mistook Account Policies for user-based policies.
>
> Here's a thought, since most users work on the desktops and most
> service accounts run on servers, couldn't you create an OU just for
> the desktop workstations and apply the GPO at that level?
>
> Cheers,
>
> J Wolfgang Goerlich
>