Account lockout duration For Specific User


  • Account lockout duration For Specific User

    Hi all,

    I have delegated some administrative privileges to a certain user on a very remote site of my domain.
    The user has complete control over a certain OU.
    The main problem is that if the user gets locked out, he needs my help to unlock him.
    I need to give him an 'Account lockout duration' period, but I want it to apply ONLY
    to him.

    If I apply it to a certain computer, then all user passwords can potentially be tried and unlocked on this machine, and hence I see it as a security risk.

    Is there a way I can apply the Account lockout duration to a user and not a machine?
    Where is it defined that the domain Administrator account never locks out? Maybe this can help...

    Thanks a lot,

  • #2
    Re: Account lockout duration For Specific User

    Account lockout duration is a domain-wide setting; whether the "domain" is an Active Directory or an individual machine. It cannot be applied to a smaller boundary than the entire "domain".


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you



    • #3
      Re: Account lockout duration For Specific User

      Originally posted by Stonelaughter
      Account lockout duration is a domain-wide setting; whether the "domain" is an Active Directory or an individual machine. It cannot be applied to a smaller boundary than the entire "domain".

      Can't a different policy be applied to a specific OU?



      • #4
        Re: Account lockout duration For Specific User

        Originally posted by [email protected]
        Can't a different policy be applied to a specific OU?

        No, because you want to set the policy for domain accounts stored in AD on the DC and not (not in the first place) for local accounts only.
        'If' it is only for the local user accounts stored on each computer, then yes, link it to the OU with the workstations.

        \Rem
        Last edited by Rems; 27th February 2007, 20:10.

        This posting is provided "AS IS" with no warranties, and confers no rights.

        __________________

        ** Remember to give credit where credit's due **
        and leave Reputation Points for meaningful posts



        • #5
          Re: Account lockout duration For Specific User

          To expand upon what REMS said, any policy containing "Domain Only" settings linked to an OU will be utterly ignored... unless there are machines within the OU. Then, the policy will be applied to the LOCAL user accounts in the machines in the OU.


          Tom


          • #6
            Re: Account lockout duration For Specific User

            Originally posted by Stonelaughter
            To expand upon what REMS said, any policy containing "Domain Only" settings linked to an OU will be utterly ignored... unless there are machines within the OU. Then, the policy will be applied to the LOCAL user accounts in the machines in the OU.

            What if I have a separate site with its own OU, with its DC in this OU?
            How will the replication occur in such an instance?

            I will have 2 or more DCs in different OUs with a slightly different domain controller policy.
            I guess the problem is that the users are all replicated and shared among all DCs.
            Is the policy that is applied to the PDC enforced for all?

            Thanks



            • #7
              Re: Account lockout duration For Specific User

              'DC' stands for Domain Controller. All DCs in one domain contain a copy of the same accounts database, and MUST have the same account policies.

              Make different domains instead of different sites, then you can set different account policies for each domain.

              \Rem
