The by default the administrator account can not be locked out, but there is a utility called passprop from the NT 4 resource kit that will allow you to set the admin account up so it can be locked out
************************************************************************ ********* PASSPROP [/complex] [/simple] [/adminlockout] [/noadminlockout] /complex Force passwords to be complex, requiring passwords to be a mix of upper and lowercase letters and numbers or symbols. /simple Allow passwords to be simple. /adminlockout Allow the Administrator account to be locked out. The Administrator account can still log on interactively on domain controllers. /noadminlockout Don't allow the administrator account to be locked out. ************************************************************************ *************** -----Original Message----- From: Craig Cerino [mailto:[EMAIL PROTECTED]] Sent: Monday, September 23, 2002 9:59 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Admin Account Trouble I was just replying to the statement of it "can't" happen. I just don't want folks on the list to see that --- then if they come across it start bombarding you with emails stating "Rick - you said the administrator account couldn't get locked out" I haven't asked this list for help on this issue mainly because this type of situation is not "supposed" to happen. I know it's my cross the carry so I didn't want to weigh the group down. -----Original Message----- From: Rick Kingslan [mailto:[EMAIL PROTECTED]] Sent: Monday, September 23, 2002 9:45 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Admin Account Trouble Craig, I don't doubt you that you've seen it. I can only tell you from MY experience and my education. I, to this day have not seen it - but do not doubt YOU that you've seen it. Rick Kingslan - Microsoft MVP [Windows NT/2000] Microsoft Certified Trainer MCSA, MCSE+I - Windows NT / 2000 "Any sufficiently advanced technology is indistinguishable from magic." --- Arthur C. Clarke > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]] On Behalf Of Craig Cerino > Sent: Monday, September 23, 2002 7:36 AM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Admin Account Trouble > > > Rick -- that's what I thought but I am here to tell you the built in > administrator account can ABSOLUTELY become locked out. > > I see it all the time. One of our smaller separate networks > (built in) Administrator account gets locked out all the time. > > It's actually pretty weird and I've been working for a while > now trying to figure out WHY this is happening. > > Craig > > > > > > -----Original Message----- > From: Rick Kingslan [mailto:[EMAIL PROTECTED]] > Sent: Friday, September 20, 2002 8:48 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Admin Account Trouble > > Craig, > > Can't happen - the Administrator account can't be locked out. > Which, if you think about it is the reason that it's > attacked over any other potential admin equivalent account. > If the account 'Rick' is an admin equiv but has a lockout of > 3 attempts, I may as well go after the Administrator who > won't lockout even though I'm going after it with a full > onslaught brute force dictionary attack with my mongo > dictionary with all possible replacement text. By open of > business Monday the administrator account has taken on > millions of password attempts. > > Yeah, it's kind of a small problem. > > Rick Kingslan - Microsoft MVP [Windows NT/2000] > Microsoft Certified Trainer > MCSA, MCSE+I - Windows NT / 2000 > > "Any sufficiently advanced technology > is indistinguishable from magic." > --- Arthur C. Clarke > > > > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED]] On Behalf Of > Craig Cerino > > Sent: Friday, September 20, 2002 12:16 PM > > To: [EMAIL PROTECTED] > > Subject: RE: [ActiveDir] Admin Account Trouble > > > > > > I REALLY don't mean to be insulting -- but is it locked out? > > > > -----Original Message----- > > From: Michael Payne [mailto:[EMAIL PROTECTED]] > > Sent: Friday, September 20, 2002 12:43 PM > > To: [EMAIL PROTECTED] > > Subject: [ActiveDir] Admin Account Trouble > > > > Hello Everyone, > > > > My administrator account (Windows 2000 server) can not access the > > group policies for the Domain\ Domain Controller. I can not install > > software nor does the hardware wizard respond. Any ideas or > > suggestions? I would appreciate any advice. > > > > Thanks in advance, > > > > > > Mike > > List info : http://www.activedir.org/mail_list.htm > > List FAQ : http://www.activedir.org/list_faq.htm > > List archive: > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > List info : > > http://www.activedir.org/mail_list.htm > > List FAQ : http://www.activedir.org/list_faq.htm > > List archive: > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/