Hi,

This can be useful:

>
> General Recommendations for Account Lockout and Password Policy
> Settings
>
> In addition to the specific account lockout and password policy
> settings in the previous tables, there are some other configuration
> changes that may help you achieve the level of security that you want.
> These include:
>
>   * When you enable account lockout, set the *ForceUnlockLogon*
>     registry value to 1. This setting requires that Windows
>     re-authenticates the user with a domain controller when that
>     user unlocks a computer. This helps to ensure that a user cannot
>     use a previously-cached password to unlock their computer after
>     the account is locked out.
>   * False lockouts can occur if you set the *LockoutThreshold*
>     registry value to a value that is lower than the default value
>     of 10. This is because users and programs can retry bad
>     passwords frequently enough to lock out the user account. This
>     adds to administrative costs.
>   * After you unlock an account that is locked out, verify that the
>     *LockoutDuration* value is set. You should do this because the
>     value may have changed during the account unlock process.
>   * Carefully consider setting the *LockoutDuration* registry value
>     to 0. When you apply this setting, you may incur additional
>     administrative labor by requiring administrators to manually
>     unlock a locked out user account. Although this does increase
>     security, the increased labor drawback may outweigh the security
>     benefit.
>   * Define account lockout and password policies once in every
>     domain. Ensure that these policies are defined only in the
>     default domain policy. This helps to avoid conflicting and
>     unexpected policy settings.
>   * Unlock an account from a computer that is in the same Active
>     Directory site as the account. By unlocking the account in the
>     local site, urgent replication occurs in that site which
>     triggers immediate replication of the change. Because of this,
>     the user account should be able to regain access to resources
>     faster than waiting for replication to occur. Note that the
>     AcctInfo.dll tool helps to identify an appropriate domain
>     controller and unlock the account. For more information about
>     AcctInfo.dll, see the "Account Lockout Tools" section in this
>     document.
>

Check this [1]. (see "Recommended Password Policy Settings")

[1] http://technet.microsoft.com/en-us/library/cc737614(WS.10).aspx

Best regards!

pent 5971 wrote:
> Any ideas/best practices?
>
> Regards
>
> 2009/8/20, pent 5971 <[email protected]>:
>
>> Hi,
>> I have an important Windows 2003 box which we are using only an admin
>> account actively. I also need to set a password policy (I have some
>> requirements) on this box and don't lose the admin account access. How
>> can I do this password policy?
>>
>> Regards
>>
>>
>
>
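
A check for the lockout threshold and duration recommendations quoted above, as an added example that is not part of this thread or of the Microsoft document. It assumes the effective values are read from the output of `net accounts`; the sample text, the function names and the treatment of `Never`/`0` as "manual unlock" are constructed for illustration.

```python
import re

# Constructed sample of `net accounts` output (not taken from the thread).
SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              8
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           Never
Lockout observation window (minutes):                 30
Computer role:                                        SERVER
The command completed successfully.
"""

def parse_net_accounts(text):
    """Return {setting name: value string} from `net accounts` output."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?):\s{2,}(\S.*)$", line)
        if m:
            settings[m.group(1).strip()] = m.group(2).strip()
    return settings

def review_lockout(settings):
    """Compare lockout settings with the recommendations quoted in the mail."""
    findings = []
    threshold = settings.get("Lockout threshold", "Never")
    duration = settings.get("Lockout duration (minutes)", "")
    if threshold.lower() == "never":
        return ["account lockout is disabled; lockout recommendations do not apply"]
    if int(threshold) < 10:
        findings.append(f"threshold {threshold} is below the default of 10: false lockouts possible")
    # Assumption: a duration displayed as 0 or Never means no automatic unlock.
    if duration.lower() in ("0", "never"):
        findings.append("duration requires an administrator to unlock accounts manually")
    # ForceUnlockLogon is a registry value and is not shown by `net accounts`.
    findings.append("lockout is enabled: confirm ForceUnlockLogon is set to 1")
    return findings
```
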
