Sign in with
Sign up | Sign in
Your question

Exclude Admin account from Account Locked out policy

Last response: in Windows 2000/NT
Share
April 28, 2004 2:30:24 PM

Archived from groups: microsoft.public.windowsnt.domain (More info?)

Does anyone know if we can exclude Administrator account from Locked Out
account policy on NT domain? I have Account Policy to lock out the account
after bad 5 attempt, but the problem is that it also locked out the
Administrator account. Is there a way to exclude Admin account from it?

I have checked Password Never Expired and/or User Cannot change password,
but it doesn't make any differences.

Thanks
Anonymous
May 5, 2004 11:56:06 PM

Archived from groups: microsoft.public.windowsnt.domain (More info?)

Security measures such as a password policy are domain level functions and cannot be divided up in a single domain. So no, you cannot do that.
May 7, 2004 12:25:24 AM

Archived from groups: microsoft.public.windowsnt.domain (More info?)

The domain administrator account does not have a lockout policy under NT 4.
You can use the PASSPROP utility from the NT Resource Kit to enable a
lockout when the use is from the network side and not from the console.
PASSPROP will never let you lockout from the console.

It sounds like someone very appropriately used PASSPROP to enable the
lockout. We see password guessing attempts after hours occasionally from
soon-to-be-ex security guards trying to browse the Internet.

You really should not undo it.

Ray

"Louis Jones" <ljones@qcsinet.com> wrote in message
news:5770A718-D934-4DF8-B2F7-83C1E0361CDE@microsoft.com...
> Security measures such as a password policy are domain level functions and
cannot be divided up in a single domain. So no, you cannot do that.
!