Forum Discussion

Tien Ngo Thanh
Iron Contributor
Aug 28, 2019

How to configure account lockout policy?

How to configure account lockout policy? Can I create another policy and configure lockout, or must I configure the Default Domain Policy?

  • HidMov
    Steel Contributor

    Hi Tien Ngo Thanh,

    Yes, you can have more than one account lockout policy. This is called Fine-Grained Password Policy.

    You must have at least Server 2008 and a domain functional level of 2008.

    These two links show you how to set this up.

    https://blogs.technet.microsoft.com/canitpro/2013/05/29/step-by-step-enabling-and-using-fine-grained-password-policies-in-ad/

    https://blog.netwrix.com/2016/03/03/how-to-set-up-multiple-password-and-account-lockout-policies/

    Thanks,

    Mark

    • Tien Ngo Thanh
      Iron Contributor

      Hi,

      Please advise me about these service accounts and the accounts hard-coded in programs. If someone knows these usernames and tries to log in and fails a few times, these accounts will be locked out, which will affect our program: it will lose its connection to Active Directory. But if there is no lockout, then the password can be brute-forced.

      Best Regards,

      Thanks

      • HidMov
        Steel Contributor

        Hey Tien Ngo Thanh,

        There are a few options:

        You can look at Managed Service Accounts (MSAs) and see if they fit your requirements. They act like computer accounts: you don't have to manually manage the passwords going forward. They cannot be locked out, but you also cannot log on interactively with an MSA.

        There are a few requirements for Managed Service Accounts: an MSA can't be shared by multiple computers or used in server clusters, needs Server 2008 R2, etc.

        There are also Group Managed Service Accounts (gMSAs). These run on the same principle but have much better functionality, can be used on multiple computers, support more applications, etc. More information can be found here:

        https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview

        If you cannot implement an MSA or gMSA because it doesn't fit your needs, then you may have to deal with service accounts. A couple of best practices I've noted are:

        • One unique account to run the service on each server
        • Try to use a local account rather than a global domain account
        • Strong, random password
        • Change the password; this will also mean you need to change it on the service/application
        • Give the account the least permissions it requires
        • Do not share the password

        This will be more work on your side, but at least your environment will be somewhat secure.

        Hope this helps,

        Mark
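The Fine-Grained Password Policy approach from the first answer, applied to the service-account case raised in the thread, as an added PowerShell example that is not part of the original posts. It creates a Password Settings Object with its own lockout values (a higher threshold than the domain default, but still not zero, so guessing is slowed rather than unlimited), binds it to a group, and checks which policy a member actually receives. The group name `SvcAccounts`, policy name `PSO-ServiceAccounts` and user `svc-app01` are assumed placeholders.

```powershell
# Added example (not from the thread). Assumed names: group "SvcAccounts",
# policy "PSO-ServiceAccounts", sample member "svc-app01".
Import-Module ActiveDirectory

# FGPP needs a Windows Server 2008 or later domain functional level; refuse to continue otherwise.
$domain = Get-ADDomain
if ($domain.DomainMode -like 'Windows2000*' -or $domain.DomainMode -like 'Windows2003*') {
    throw "Domain functional level $($domain.DomainMode) does not support Fine-Grained Password Policies."
}

$psoName = 'PSO-ServiceAccounts'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    $pso = @{
        Name                        = $psoName
        Precedence                  = 10      # lowest number wins when a user matches several PSOs
        LockoutThreshold            = 50      # more tolerant than the domain default; never 0 (0 = no lockout)
        LockoutDuration             = [TimeSpan]::FromMinutes(15)
        LockoutObservationWindow    = [TimeSpan]::FromMinutes(15)  # must not exceed LockoutDuration
        MinPasswordLength           = 25      # a long random secret offsets the higher threshold
        ComplexityEnabled           = $true
        PasswordHistoryCount        = 24
        ReversibleEncryptionEnabled = $false
        MaxPasswordAge              = [TimeSpan]::FromDays(365)
    }
    New-ADFineGrainedPasswordPolicy @pso
}

# Bind the PSO to the group, not to individual users; group membership then drives the policy.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'SvcAccounts'

# Verify the resultant policy for one member. $null means the Default Domain Policy still applies
# (for example because the user is not in the group or the PSO has not replicated yet).
$effective = Get-ADUserResultantPasswordPolicy -Identity 'svc-app01'
if ($null -eq $effective) {
    Write-Warning 'svc-app01 still receives the Default Domain Policy lockout settings.'
} else {
    $effective | Select-Object Name, Precedence, LockoutThreshold, LockoutDuration, LockoutObservationWindow
}
```

Failed-logon attempts against the group members should still be watched (event ID 4740 on the PDC emulator records the lockouts the higher threshold eventually triggers), since the PSO only raises the bar; it does not remove it.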
