GPO Review - Computer Configuration - Windows Settings - Account Policies

Discussion in 'Windows Server Systems' started by kcnychief, Jul 21, 2005.

  1. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
    It's that time of week again. It's getting a bit hard to do this because of time constraints, but for the sake of learning, I tread on....

    This week, open for discussion is Account Policies. I have attached only a screenshot of the main root, as I didn't want to suck up too much of my space.

    Here is how mine breaks down, LMK your thoughts:

    Password Policy:
    Enforce Password History - Mine is set to a history of 5
    Maximum Password Age - 60 days
    Minimum Password Age - 15 days
    Minimum Password Length - 8 characters
    Password must meet complexity requirements - Enabled
    Store Passwords Using reversible encryption - Disabled *

    Account Lockout Policy:
    Account Lockout Duration: 15 minutes
    Account Lockout Threshold: 8 invalid logon attempts
    Reset account lockout counter after: 30 minutes

    Kerberos Policy:
    Enforce user logon restrictions: not configured*
    Maximum lifetime for service ticket: not configured*
    Maximum lifetime for user ticket: not configured*
    Maximum lifetime for user ticket renewal: not configured*
    Maximum tolerance for computer clock synchronization: not configured*

    Any description that has an * next to it means I don't have a full understanding of it. I am doing this all self-taught, and just haven't explored that area yet. Other input is welcome and appreciated. Thanks.
     

  2. ming

    ming OSNN Advanced

    Messages:
    4,252
    Location:
    UK
    Nice...
     
  3. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Thanks, glad you liked it. This is only the beginning....anything to add?
     
  4. madmatt

    madmatt Bow Down to the King Political User

    Messages:
    13,312
    Location:
    New York
    Kerberos should be defined at the domain level (Default Domain Policy) by default. There is no need to set this up in other GPOs.

    As for my settings.

    6 passwords remembered
    30 day password age (max)
    15 day password age (min)
    Minimum password length is 8
    Password must meet complexity requirements - yes

    Account lockout duration - 30 minutes
    Account lockout threshold - 3
    Reset account lockout counter after - 30 minutes
     
  5. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Were you just using an example? I thought it was bad practice to use a GPO named "Default Domain Policy".
     
  6. madmatt

    madmatt Bow Down to the King Political User

    That's what I named my default domain policy. I don't know how it could be considered bad practice, but I suppose that is open to interpretation.

    At some point some wise man told me, "keep it simple stupid".
     
  7. fimchick

    fimchick OSNN Senior Addict

    Messages:
    276
    Location:
    Somewhere
    I agree with matt. You definitely don't want to set your account lockout policy to more than 3 times -- it gives hackers too many attempts to get into your system. If a user can't remember/type correctly their password after 3 times, then they need to have it reset anyways :)
     
  8. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    I agree, and I'm sure 3-5 is more commonly used, but the environment where I enforce that policy has some people that aren't very intelligent and they need to have time to turn off the caps lock, turn on the num lock etc.
     
  9. fimchick

    fimchick OSNN Senior Addict

    You don't, by chance, work for the government do you??? :D

    I do, and it sure sounds like you're describing my users! lol
     
  10. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    I plead the 5th :eek:
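
Added example, not part of any post in this thread: a small audit of the Password Policy and Account Lockout Policy values discussed above, read from the `[System Access]` section that `secedit /export /cfg` writes. The sample input is constructed from the values in the first post, and the function names are hypothetical. The lockout check reflects the Windows requirement that "Reset account lockout counter after" be less than or equal to "Account lockout duration".

```python
import configparser

# Constructed sample in the format written by `secedit /export /cfg policy.inf`,
# filled with the values from the first post. Real exports are UTF-16 files.
SAMPLE_INF = """\
[System Access]
MinimumPasswordAge = 15
MaximumPasswordAge = 60
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 5
LockoutBadCount = 8
ResetLockoutCount = 30
LockoutDuration = 15
ClearTextPassword = 0
"""

def parse_system_access(inf_text):
    """Return the numeric [System Access] settings as a dict of ints."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the exported key case
    cp.read_string(inf_text)
    return {k: int(v) for k, v in cp["System Access"].items()
            if v.lstrip("-").isdigit()}

def audit(p):
    """Return findings for settings that conflict with each other or weaken the policy."""
    findings = []
    if p.get("ClearTextPassword", 0) == 1:
        findings.append("passwords are stored with reversible encryption")
    if p.get("PasswordComplexity", 0) != 1:
        findings.append("complexity requirements are disabled")
    min_age, max_age = p.get("MinimumPasswordAge", 0), p.get("MaximumPasswordAge", 0)
    if max_age > 0 and min_age >= max_age:
        findings.append("minimum password age is not below maximum password age")
    if p.get("PasswordHistorySize", 0) > 0 and min_age == 0:
        findings.append("history is enforced but minimum age is 0, so it can be cycled")
    if p.get("LockoutBadCount", 0) == 0:
        findings.append("account lockout is disabled (threshold 0)")
    else:
        duration, reset = p.get("LockoutDuration", 0), p.get("ResetLockoutCount", 0)
        # A non-positive duration is treated here as "locked until an admin unlocks".
        if duration > 0 and reset > duration:
            findings.append(f"reset counter ({reset} min) exceeds lockout duration ({duration} min)")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_system_access(SAMPLE_INF)):
        print("FINDING:", finding)
```

To run it against a real export, read the file with `encoding="utf-16"` and pass the text to `parse_system_access`.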