GPO Review - Computer Configuration - Windows Settings - Account Policies

kcnychief

It's that time of week again. It's getting a bit hard to do this because of time constraints, but for the sake of learning, I tread on....

This week, open for discussion is Account Policies. I have attached only a screenshot of the main root, as I didn't want to suck up too much of my space.

Here is how mine breaks down, LMK your thoughts:

Password Policy:
Enforce Password History - Mine is set to a history of 5
Maximum Password Age - 60 days
Minimum Password Age - 15 days
Minimum Password Length - 8 characters
Password must meet complexity requirements - Enabled
Store Passwords Using reversible encryption - Disabled *

Account Lockout Policy:
Account Lockout Duration: 15 minutes
Account Lockout Threshold: 8 invalid logon attempts
Reset account lockout counter after: 30 minutes

Kerberos Policy:
Enforce user logon restrictions: not configured*
Maximum lifetime for service ticket: not configured*
Maximum lifetime for user ticket: not configured*
Maximum lifetime for user ticket renewal: not configured*
Maximum tolerance for computer clock synchronization: not configured*

Any description that has an * next to it means I don't have a full understanding of it. I am doing this all self-taught, and just haven't explored that area yet. Other input is welcome and appreciated. Thanks
 

Attachments

  • actpol.jpg
Kerberos should be defined at the domain level (Default Domain Policy) by default. There is no need to set this up in other GPO's.

As for my settings.

6 passwords remembered
30 day password age (max)
15 day password age (min)
Minimum password length is 8
Password must meet complexity requirements - yes

Account lockout duration - 30 minutes
Account lockout threshold - 3
Reset account lockout counter after - 30 minutes
 
madmatt said:
Kerberos should be defined at the domain level (Default Domain Policy) by default. There is no need to set this up in other GPO's.

Were you just using an example? I thought it was bad practice to use a GPO named "Default Domain Policy".
 
That's what I named my default domain policy. I don't know how it could be considered bad practice, but I suppose that is open to interpretation.

At some point some wise man told me, "keep it simple stupid".
 
I agree with matt. You definitely don't want to set your account lockout policy to more than 3 times -- it gives hackers too many attempts to get into your system. If a user can't remember/type correctly their password after 3 times, then they need to have it reset anyways :)
 
fimchick said:
I agree with matt. You definitely don't want to set your account lockout policy to more than 3 times -- it gives hackers too many attempts to get into your system. If a user can't remember/type correctly their password after 3 times, then they need to have it reset anyways :)

I agree, and I'm sure 3-5 is more commonly used, but the environment where I enforce that policy has some people that aren't very intelligent and they need to have time to turn off the caps lock, turn on the num lock etc.
 
You don't, by chance, work for the government do you??? :D

I do, and it sure sounds like you're describing my users! lol
 
fimchick said:
You don't, by chance, work for the government do you??? :D

I do, and it sure sounds like you're describing my users! lol

I plead the 5th :eek:
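
An added example, not part of the original posts: a Python audit of the `[System Access]` section of a `secedit /export` security template, run over a constructed sample that encodes the first post's values. The function names and the sample INF are assumptions made for this illustration; the tolerated-failures figure is a rough ceiling that puts a number on the 3-versus-8 threshold discussion.

```python
import configparser

# Constructed sample: the first post's values under the key names that
# `secedit /export /cfg <file>` writes in [System Access] (days / minutes).
SAMPLE_INF = """\
[System Access]
MinimumPasswordAge = 15
MaximumPasswordAge = 60
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 5
LockoutBadCount = 8
ResetLockoutCount = 30
LockoutDuration = 15
ClearTextPassword = 0
NewAdministratorName = "Administrator"
"""

def parse_system_access(inf_text):
    """Return the integer settings of [System Access]; string settings are skipped."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # secedit keys are mixed case; keep them as written
    cp.read_string(inf_text)
    section = cp["System Access"]
    return {k: int(v) for k, v in section.items() if v.lstrip("-").isdigit()}

def audit(p):
    """List weak or internally inconsistent settings in a parsed policy."""
    findings = []
    if p.get("ClearTextPassword", 0):
        findings.append("reversible encryption enabled")
    if p.get("LockoutBadCount", 0) == 0:
        findings.append("lockout disabled")
    else:  # 0 or -1 is treated here as "locked until an admin unlocks"
        duration, reset = p.get("LockoutDuration", 0), p.get("ResetLockoutCount", 0)
        if duration not in (0, -1) and duration < reset:  # Windows expects duration >= reset
            findings.append(f"LockoutDuration {duration} < ResetLockoutCount {reset}")
    if p.get("PasswordHistorySize", 0) and p.get("MinimumPasswordAge", 0) == 0:
        findings.append("history can be cycled at once: minimum age is 0")
    return findings

def tolerated_failures_per_day(p):
    """Rough ceiling on failed logons per account per day that never lock it."""
    t, reset = p.get("LockoutBadCount", 0), p.get("ResetLockoutCount", 0)
    return None if t == 0 or reset <= 0 else (t - 1) * (24 * 60 // reset)

if __name__ == "__main__":
    policy = parse_system_access(SAMPLE_INF)
    print(audit(policy), tolerated_failures_per_day(policy))
```

Substituting the second post's lockout values (threshold 3, duration 30, reset 30) clears the duration finding and lowers the ceiling from 336 to 96 failed logons per account per day.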
 
