Announcement

Collapse
No announcement yet.

How can setup exception "Account lockout threshold" to non-admin user ?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • How can setup exception "Account lockout threshold" to non-admin user ?

    In gpedit.msc/account lockout policies, we can setup "Account lockout threshold" to all users except administrators
    I have some non-admin users (for example Power Users) that are used for stop/start Windows services and I don't want to apply "Account lockout threshold" to these users (but apply for another). Can Windows 2003 support that way ?

    Thanks

  • #2
    Re: How can setup exception "Account lockout threshold" to non-admin user ?

    Officially not, as password/lockout policies are applied to all users at domain level.

    But you can work around it by having multiple policies (at the domain) and using security filtering (deny read is the normal way) to prevent a policy being applied.
    http://www.microsoft.com/resources/d....mspx?mfr=true

    Two issues -- your admins may not be able to read/edit the policy if they are denied access
    It is said filtered policies are slower to apply because all group memberships need to be checked (note I have never found confirmation of this -- can anyone give me a definitive source, i.e. not just another forum post, to confirm it?)
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    Comment


    • #3
      Re: How can setup exception "Account lockout threshold" to non-admin user ?

      What a pity I don't use domain, my server is stand alone. But any way, thanks very much for your support.

      Comment


      • #4
        Re: How can setup exception "Account lockout threshold" to non-admin user ?

        OK, vital piece of missing information -- when you mentioned gpedit (Group Policy editor) I naturally assumed a domain

        For local policy, I don't think there is any way of filtering. Server 2008, on the other hand, has multiple local policies for exactly your circumstances
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **

        Comment

        Working...
        X