My experience with this is.... the default ADMINISTRATOR can be locked out (wait before shouting!) what I mean is that if you have a lockout threshold of lets say 5, the lockoutTime attribute will show the lockout date and time the account was locked. In ADUC (using another custom admin account for example) you will see the default ADMINISTRATOR is locked.... you will even see and event ID 644 mentioning the account lockout HOWEVER.... here it comes... while the default ADMINISTRATOR is locked, it will unlocked automatically by the SYSTEM (DC) AS SOON AS the correct password is used (even before it is unlocked after the unlock period) jorge Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) ( Tel : +31-(0)40-29.57.777 ( Mobile : +31-(0)6-26.26.62.80 * E-mail : <see sender address>
________________________________
From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Tue 2006-07-18 20:27
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] root admin account able to be locked out?
Hi AD Gurus!
We have penetration testing going on and I saw a security event log entry
that showed our root admin account getting locked out. I was surprised because
I thought this account could never get locked out. In addition, we had a
scheduled job that runs under the credentials of this root account that ran
successfully a couple of minutes *after* the supposed account was locked. (We
have the standard 30 minute lockout time.) I think the reason that this
happened was that the penetration testing really didn't lock out the root
account but did lockout the local SID 500 account that exists on all servers
(including domain controllers). This is my belief. My officemate says there
is no such account on a DC and that the root account could have been locked out
for a short period of time but then made active again when AD saw what the
account was or that the security log entry is just bogus. Can someone offer a
little insight into this (nope, no dinners or cash riding on this debate!).
Thanks much!
Mike Thommes
This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an intended
recipient then please promptly delete this e-mail and any attachment and all
copies and inform the sender. Thank you.
<<winmail.dat>>
