The by default the administrator account can not be locked out, but
there is a utility called passprop from the NT 4 resource kit that will
allow you to set the admin account up so it can be locked out
************************************************************************
*********
PASSPROP [/complex] [/simple] [/adminlockout] [/noadminlockout]
/complex Force passwords to be complex, requiring
passwords
to be a mix of upper and lowercase letters and
numbers or symbols.
/simple Allow passwords to be simple.
/adminlockout Allow the Administrator account to be locked
out.
The Administrator account can still log on
interactively on domain controllers.
/noadminlockout Don't allow the administrator account to be
locked
out.
************************************************************************
***************
-----Original Message-----
From: Craig Cerino [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 23, 2002 9:59 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Admin Account Trouble
I was just replying to the statement of it "can't" happen. I just don't
want folks on the list to see that --- then if they come across it start
bombarding you with emails stating "Rick - you said the administrator
account couldn't get locked out"
I haven't asked this list for help on this issue mainly because this
type of situation is not "supposed" to happen. I know it's my cross the
carry so I didn't want to weigh the group down.
-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 23, 2002 9:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Admin Account Trouble
Craig,
I don't doubt you that you've seen it. I can only tell you from MY
experience and my education. I, to this day have not seen it - but do
not doubt YOU that you've seen it.
Rick Kingslan - Microsoft MVP [Windows NT/2000]
Microsoft Certified Trainer
MCSA, MCSE+I - Windows NT / 2000
"Any sufficiently advanced technology
is indistinguishable from magic."
--- Arthur C. Clarke
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Craig Cerino
> Sent: Monday, September 23, 2002 7:36 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Admin Account Trouble
>
>
> Rick -- that's what I thought but I am here to tell you the built in
> administrator account can ABSOLUTELY become locked out.
>
> I see it all the time. One of our smaller separate networks
> (built in) Administrator account gets locked out all the time.
>
> It's actually pretty weird and I've been working for a while
> now trying to figure out WHY this is happening.
>
> Craig
>
>
>
>
>
> -----Original Message-----
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
> Sent: Friday, September 20, 2002 8:48 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Admin Account Trouble
>
> Craig,
>
> Can't happen - the Administrator account can't be locked out.
> Which, if you think about it is the reason that it's
> attacked over any other potential admin equivalent account.
> If the account 'Rick' is an admin equiv but has a lockout of
> 3 attempts, I may as well go after the Administrator who
> won't lockout even though I'm going after it with a full
> onslaught brute force dictionary attack with my mongo
> dictionary with all possible replacement text. By open of
> business Monday the administrator account has taken on
> millions of password attempts.
>
> Yeah, it's kind of a small problem.
>
> Rick Kingslan - Microsoft MVP [Windows NT/2000]
> Microsoft Certified Trainer
> MCSA, MCSE+I - Windows NT / 2000
>
> "Any sufficiently advanced technology
> is indistinguishable from magic."
> --- Arthur C. Clarke
>
>
>
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of
> Craig Cerino
> > Sent: Friday, September 20, 2002 12:16 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Admin Account Trouble
> >
> >
> > I REALLY don't mean to be insulting -- but is it locked out?
> >
> > -----Original Message-----
> > From: Michael Payne [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, September 20, 2002 12:43 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] Admin Account Trouble
> >
> > Hello Everyone,
> >
> > My administrator account (Windows 2000 server) can not access the
> > group policies for the Domain\ Domain Controller. I can not install
> > software nor does the hardware wizard respond. Any ideas or
> > suggestions? I would appreciate any advice.
> >
> > Thanks in advance,
> >
> >
> > Mike
> > List info : http://www.activedir.org/mail_list.htm
> > List FAQ : http://www.activedir.org/list_faq.htm
> > List archive:
> > http://www.mail-archive.com/activedir%> 40mail.activedir.org/
> >
> > List info :
> > http://www.activedir.org/mail_list.htm
> > List FAQ : http://www.activedir.org/list_faq.htm
> > List archive:
> > http://www.mail-archive.com/activedir%> 40mail.activedir.org/
> >
>
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%> 40mail.activedir.org/
>
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
