Account Lockout Duration catch 22?

  • Thread starter: Guest

If I set Account Lockout Duration to 0 requiring an admin to unlock IDs…. What happens if all the admin accounts get locked? A malicious user, password-guessing worm, or even an admin running a security scanner that checks the passwords of all the IDs in the domain, could do the trick. Am I correct in thinking that if this happens in a root domain it would be time to start over and completely rebuild?
 
If I set Account Lockout Duration to 0 requiring an admin to unlock IDs….
What happens if all the admin accounts get locked? A malicious user,
password-guessing worm, or even an admin running a security scanner
that checks the passwords of all the IDs in the domain, could do the trick.
Am I correct in thinking that if this happens in a root domain it would
be time to start over and completely rebuild?

If I recall correctly the main administrator account can't be locked out.
Yes, you can check the box, but it doesn’t actually do anything.
 
Yep I believe that the built-in administrator will always be able to log in
at the console of a DC. I'm not sure if network access to it gets blocked
when the account is 'locked' (now I'm curious... can anyone confirm? :))
 
I've never had it locked...
I just tested on my Win2k server --- Administrator didn't get locked out.
The only time the account was locked out for invalid attempts was a) Remote
Desktop, or b) manually setting lock...
 
Thanks for the responses...
So there is some magic in the "Administrator" account that was created during the install? Just like the way that ID can forcibly take ownership of files. I'm assuming that I would be correct in saying that it is really that ID's SID that has the magic power and the name doesn't matter (like in all other ways), yes?
 
Yes, the built-in administrator account has a fixed SID and it cannot be locked out
ever to console logon, be disabled, expire, or removed from the administrators group.
In W2003/XP it can actually be disabled except for safe mode logon. --- Steve


CG said:
Thanks for the responses...
So there is some magic in the "Administrator" account that was created during the
install? Just like the way that ID can forcibly take ownership of files. I'm
assuming that I would be correct in saying that it is really that ID's SID that has
the magic power and the name doesn't matter (like in all other ways), yes?
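
An added example, not part of the thread: a PowerShell check for the situation discussed above, reporting whether the domain requires a manual unlock (Account Lockout Duration 0) and locating the built-in Administrator by SID rather than by name. It assumes the ActiveDirectory module is installed and uses the well-known RIDs 500 (built-in Administrator) and 512 (Domain Admins), which the thread does not name.

```powershell
# Added example; assumes the ActiveDirectory (RSAT) module and read access to the domain.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value

# Default domain policy only; fine-grained password policies are not evaluated here.
$policy = Get-ADDefaultDomainPasswordPolicy

# A lockout duration of 00:00:00 with a non-zero threshold means a locked
# account stays locked until an administrator unlocks it.
$manualUnlock = ($policy.LockoutThreshold -gt 0) -and
                ($policy.LockoutDuration -eq [TimeSpan]::Zero)

# The built-in Administrator is identified by its SID (domain SID + RID 500),
# so this lookup still finds it after the account has been renamed.
$builtinSid   = "$domainSid-500"
$builtinAdmin = Get-ADUser -Identity $builtinSid -Properties LockedOut

# Every other user in Domain Admins (RID 512) is subject to the lockout policy
# and would need someone else to unlock it when the duration is 0.
$otherAdmins = Get-ADGroupMember -Identity "$domainSid-512" -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $_.SID.Value -ne $builtinSid } |
    Get-ADUser -Properties LockedOut

[pscustomobject]@{
    LockoutThreshold     = $policy.LockoutThreshold
    LockoutDuration      = $policy.LockoutDuration
    ManualUnlockRequired = $manualUnlock
    BuiltinAdminName     = $builtinAdmin.SamAccountName
    BuiltinAdminSid      = $builtinAdmin.SID.Value
    BuiltinAdminEnabled  = $builtinAdmin.Enabled
    OtherDomainAdmins    = @($otherAdmins).Count
    LockedDomainAdmins   = @($otherAdmins | Where-Object { $_.LockedOut }).Count
}
```

If `ManualUnlockRequired` is true and `BuiltinAdminEnabled` is false, the recovery path described in the replies depends on the safe mode logon Steve mentions.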
 