

Do not lock out administrative accounts

By Aaron_Wurthmann

Here is the situation. I have a large domain with over 4000 users. There are several services that need to run as a domain user, for example Cluster Services, Backup Services, etc. Of course I do not want to run these all as domain administrator, and of course some of them do not need to be domain admins. HOWEVER, I do not want these accounts to be easily locked out based on the current password policy setting (for example, let's say it is 3 mistyped passwords and the account is locked out) while at the same time retaining these strict password policies for the rest of my users.

What I have tried/read:
Well, first off I read/heard/tried that you cannot apply password policies at the OU level. They must be set at the domain level. So here is what I have done: all of these service accounts get put into a created group called "My Service Account Group". A GPO is created at the domain level, "Authenticated Users" is removed from the security tab, and "My Service Account Group" is added and given the "Apply Policy" permission. This GPO does not have the strict lockout policy but instead has a policy that says the account passwords must be over 12 characters (after all, if I am removing lockouts for these accounts I had better make sure their passwords are harder to crack). The created policy is moved to the top of the GPO list on the domain container. Then on the normal "domain default" policy, "My Service Account Group" is denied the "Apply this policy" right.

So that all sounds right and yet that isn't working. What am I doing wrong, what am I missing?

Things to note: The domain is not in native mode. The domain is not the forest head but it is the domain that all the users accounts are in.
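The procedure in the post filters a domain-linked GPO by user group, which cannot work for Account Policies: the password and lockout settings under Account Policies are Computer Configuration settings that the domain controllers apply from the GPOs linked at the domain root, so allowing or denying those GPOs for a user group changes nothing for domain accounts. The mechanism that does give one group of domain users a different lockout and password-length policy is a fine-grained password policy (a Password Settings Object), which requires the domain to be at the Windows Server 2008 functional level or higher; the domain described above is not there yet, so this is what the fix looks like once it is raised. The PowerShell below is an added example, not code from the original post or its replies. It assumes the ActiveDirectory module (RSAT) is installed, that "My Service Account Group" exists as a global security group, and the PSO name PSO-ServiceAccounts and the functional-level check are the author's own choices.

```powershell
# Added example, not from the original thread. Creates a fine-grained password
# policy (PSO) that removes lockout for the service-account group while
# requiring a 12-character minimum, then checks what accounts actually get.
# Assumes: ActiveDirectory module, domain functional level >= Windows Server 2008,
# and that the group below exists as a global security group (PSOs cannot target OUs).
Import-Module ActiveDirectory

$ServiceGroup = 'My Service Account Group'   # group named in the post, assumed to exist
$PsoName      = 'PSO-ServiceAccounts'        # assumed name for the new policy

# PSOs did not exist before the Windows Server 2008 functional level; fail early if so.
$mode = (Get-ADDomain).DomainMode.ToString()
if (@('Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain') -contains $mode) {
    throw "Domain functional level '$mode' does not support fine-grained password policies."
}

# 1. Create the PSO (skipped if one with this name already exists).
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    $psoParams = @{
        Name                        = $PsoName
        Precedence                  = 10             # lowest number wins if a user matches several PSOs
        LockoutThreshold            = 0              # 0 = bad passwords never lock the account
        LockoutDuration             = '00:30:00'     # mandatory attributes, inert while threshold is 0
        LockoutObservationWindow    = '00:30:00'
        MinPasswordLength           = 12             # the compensating control the post asks for
        ComplexityEnabled           = $true
        PasswordHistoryCount        = 24
        MinPasswordAge              = '1.00:00:00'
        MaxPasswordAge              = '365.00:00:00'
        ReversibleEncryptionEnabled = $false
    }
    New-ADFineGrainedPasswordPolicy @psoParams
}

# 2. Bind the PSO to the group. Group membership, not OU placement or GPO
#    security filtering, decides which users receive it.
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $ServiceGroup

# 3. Report the policy an account actually ends up with: its winning PSO,
#    or the domain-wide default when no PSO applies to it.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) {
        $source = $pso.Name
    } else {
        $pso    = Get-ADDefaultDomainPasswordPolicy
        $source = 'Default Domain Policy'
    }
    [pscustomobject]@{
        User              = $SamAccountName
        Source            = $source
        LockoutThreshold  = $pso.LockoutThreshold    # 0 means the account never locks
        MinPasswordLength = $pso.MinPasswordLength
    }
}

# 4. Compare one member of the group with an ordinary user (the person running
#    the script, assumed not to be a service account) to confirm both outcomes.
$member = Get-ADGroupMember -Identity $ServiceGroup |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -First 1
Get-EffectivePasswordPolicy -SamAccountName $member.SamAccountName
Get-EffectivePasswordPolicy -SamAccountName $env:USERNAME

# 5. Accounts locked out before the PSO took effect stay locked; release them now.
Get-ADGroupMember -Identity $ServiceGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties LockedOut |
    Where-Object { $_.LockedOut } |
    Unlock-ADAccount -PassThru |
    Select-Object SamAccountName
```

Run it as an account allowed to create objects in the Password Settings Container. Everyone outside the group keeps the lockout threshold from the domain-level policy, which is the split the post is after. Because nothing will lock these accounts any more, repeated failed logons against them on the domain controllers are the thing to alert on; the long minimum password length buys time, it does not stop a guessing attempt by itself.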





by shmaltz, in reply to "Do not lock out administrative accounts"

You are right, you can't apply more than one Account policy in a domain. However, since the account policy is a computer setting and not a machine setting, I think that it might work if you do not apply this policy to the machine that has to run this service. I say "I think" since I'm not sure if this will work, because from what I understand it is the Default Domain Policy that defines the account policy, so I'm not sure if this will work or not. Microsoft has another solution which I'm not sure is practical for you, since you are running such a large domain. But if you do follow this, make sure (for security reasons) that these accounts are local. The KB Article # is 255550 and can be found at (remove spaces): ;en-us;255550
Hope this helps.
