don't want service accounts locked out

Tom McComb

Jun 19, 2002, 12:10:22 PM
Ok, all. Let's see if I can state my issue clearly. Our current security
policy includes having account lockouts after 3 bad password attempts, and
the usual Strong Password Policy (per MS instructions installing the
passfilt.dll). And while it can sometimes be a pain in the neck, all seems to
work reasonably well (except, of course, when I lock myself out after
changing my own password :) Problem is, I have a few "service" accounts
that I need to make sure do NOT get locked out. Stuff that runs some
internal apps, etc. I've tried the "user cannot change password" and
"password never expires", and myself and the other net admin here originally
thought that would do it. Apparently, we're wrong.

Any ideas how I can keep our current lockout policy, *and* make sure those
service accounts don't get locked out?

TIA,

Tom McComb


David Dickinson [MVP]

Jun 19, 2002, 2:41:36 PM

Any ideas about why the service accounts are failing logon in the first
place?

You might try OUs and associated GPOs for the accounts used for those
services, but that still would be only a workaround for the lockout and
wouldn't fix the underlying problem.

--
David Dickinson, MVP (Security)
EveningStar Information Services
Las Cruces, NM USA

Summary of Microsoft Security Bulletins
http://www.zianet.com/bwd/securitybulletins.asp

Tom McComb

Jun 19, 2002, 10:47:05 PM
>
> Any ideas about why the service accounts are failing logon in the first
> place?

Nope, not entirely sure of that either. It just caught us by surprise when
it did happen. I suspect that one of our developers is using the account to
log into some internal apps, and may have gotten the password wrong.
(Personnel issue there. If we catch him, he shall be promptly flogged and
forced to eat spam. The food, not the electronic type :)

Mayhaps I'll check the rights of the account in question - make sure log on
interactively is turned off.

Unfortunately, we're still using an NT4 domain model, so the OU idea won't
quite work.

T

> You might try OUs and associated GPOs for the accounts used for those
> services, but that still would be only a workaround for the lockout and
> wouldn't fix the underlying problem.
>
> --
> David Dickinson, MVP (Security)
> EveningStar Information Services
> Las Cruces, NM USA
>
> Summary of Microsoft Security Bulletins
> http://www.zianet.com/bwd/securitybulletins.asp
>
>
>

"David Dickinson [MVP]" <e...@no-spam.softhome.net> wrote in message
news:u$#GXD8FCHA.2180@tkmsftngp10...
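
One way to answer the question raised in this thread (where the failed logons for the service accounts come from), as an added example that is not part of any post: tally logon-failure events per service account by source workstation and logon type. The CSV export layout, account names and workstation names are assumptions constructed for the example; 528 and 529 are the NT4/2000-era Security log event IDs for successful and failed logon.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample: Security log records exported to CSV. Column names,
# account names and workstation names are assumptions made for this example.
SAMPLE_EXPORT = """time,event_id,account,logon_type,workstation
2002-06-19 09:01:10,528,svc_reports,5,APPSRV1
2002-06-19 09:14:02,529,svc_reports,2,DEVBOX7
2002-06-19 09:14:20,529,svc_reports,2,DEVBOX7
2002-06-19 09:14:41,529,svc_reports,2,DEVBOX7
2002-06-19 09:20:00,529,jsmith,2,DESK12
2002-06-19 10:02:00,529,svc_backup,5,APPSRV2
2002-06-19 10:03:00,528,svc_backup,5,APPSRV2
"""

LOGON_FAILURE = "529"   # unknown user name or bad password
LOGON_SUCCESS = "528"
LOGON_TYPES = {"2": "interactive", "3": "network", "5": "service"}


def failed_logon_sources(export_text, service_accounts, threshold=3):
    """Return {account: {"locked": bool, "sources": Counter}} for service accounts.

    "locked" is True when `threshold` failures occur with no successful logon
    in between (the reset-after-N-minutes window is not modelled).
    """
    watched = {name.lower() for name in service_accounts}
    streak = Counter()
    report = defaultdict(lambda: {"locked": False, "sources": Counter()})
    for row in csv.DictReader(io.StringIO(export_text)):
        account = row["account"].lower()
        if account not in watched:
            continue
        if row["event_id"] == LOGON_SUCCESS:
            streak[account] = 0          # a good logon resets the bad-password count
        elif row["event_id"] == LOGON_FAILURE:
            streak[account] += 1
            kind = LOGON_TYPES.get(row["logon_type"], "type " + row["logon_type"])
            report[account]["sources"][(row["workstation"], kind)] += 1
            if streak[account] >= threshold:
                report[account]["locked"] = True
    return dict(report)


if __name__ == "__main__":
    result = failed_logon_sources(SAMPLE_EXPORT, ["svc_reports", "svc_backup"])
    for account, info in result.items():
        print(account, "lockout reached" if info["locked"] else "below threshold")
        for (host, kind), count in info["sources"].most_common():
            print(f"  {count} failed {kind} logon(s) from {host}")
```

Interactive failures from a workstation point to a person typing the service account's password, while service-type failures on the server itself point to a stale password in the service configuration.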
