Re: Policy enforcement- Admin accounts

["mgk.mailing" <mgk.mailing () googlemail com>]

WALI wrote:
> In an active directory environment (windows 2003), I want to ensure 
> lockout for administrator accounts also, in order to protect against 
> attempts to brute force account password. The flipside is, we might 
> have a DoS situation but I can live with it. Is there a tool I can 
> deploy to ensure that admin account also locks out after certain no. 
> of attemps?
>
> Also, ONLY for admin accounts, I want to enforce certain settings 
> like: Password should contain atleast 15 characters, should not 
> contain a dictionary word etc.
> My normal password policy for AD user accounts, set at the domain 
> level is a minimum of 8 chars but I want to deploy this special policy 
> of 15 chars minimum for admin accounts.
>
> How should I go about this?
sounds like you want to create to group policy objects.  one a standard 
for the domain and one for the administrators.  Personally I'd do this 
by putting the administrative users in an OU called admin for instance 
and creating a personalised GPO and apply it to that OU.  Then create a 
standard one and apply that to the domain

I'm not sure if it will restrict the use of including words within the 
passphrase however iirc it will restrict them from using part of their 
username etc. 

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx

has more details.

I would suggest testing the strength of account passwords yourself.  I 
used to run a password cracker at my old workplace, got some choice 
passwords and to be honest if you go to a user and show them how easy it 
is to guess "asdfgh" etc they often respond.

hope that helps.

mgk