Access Denied: Applying a Domain Lockout Policy to Win2K's Built-In Administrator Account

[Editor's Note: Do you have a security-related question about Windows 2000? Send it to [email protected], and you might see the answer in this column!]

The Microsoft Windows NT Server 4.0 Resource Kit contains the Passprop tool, which I can run with the /adminlockout switch on an NT PDC to subject the built-in Administrator account to our domain's lockout policy (which locks an account after repeated logon attempts with a bad password). I need to protect our Windows 2000 Administrator account in the same way, but Passprop doesn't work with Win2K. What should I do?

You need to set the domain's PwdProperties property in Active Directory (AD). PwdProperties is an unsigned long numeric that, bit by bit, is home to several true/false policies, most of which you can configure under the Default Domain Policy Group Policy Object's (GPO's) Computer ConfigurationWindows SettingsSecurity SettingsAccount PoliciesPassword Policy folder. For example, the DOMAIN_PASSWORD_COMPLEX setting, which you can configure through a GPO's Passwords must meet complexity requirements policy, occupies PwdProperties' first bit. DOMAIN_LOCKOUT_ADMINS, which is the policy you need to set, occupies the eighth bit of PwdProperties but has no corresponding GPO-based setting. Therefore, you must configure this policy through Active Directory Service Interfaces (ADSI) and VBScript.

Create a file and name it EnableAdminLockout.vbs to contain the code that Listing 1, page 10, shows. (Replace the sample domain name, example.com, with your domain name.) To run the script, open a command line on a domain controller (DC) and type

wscript EnableAdminLockout.vbs

Running the script toggles DOMAIN_LOCKOUT_ADMINS on or off. The change takes effect immediately and doesn't interfere with any policies you configure through GPOs (and vice versa).

To check the current value of DOMAIN_LOCKOUT_ADMINS, create a file and name it CheckAdminLockout.vbs to contain the code that Listing 2 shows (again, replace example.com with your domain name). Run the script to display a pop-up message that informs you of the policy's status.

After you enable a lockout policy for your domain and turn on DOMAIN_LOCKOUT_ADMINS, test your changes. From a domain workstation, try to use the domain's built-in Administrator account with a bad password to map a drive to any other computer in the domain. Keep repeating the process with a different bad password until you receive the message System error 1909 has occurred. The referenced account is currently locked out and may not be logged on to. (You need to change the password each time because evidently the workstation won't try to log on to the server with a password the workstation knows is bad.) At this point, the Administrator account is locked out for network logons. As a failsafe against someone locking you out of your domain, however, Win2K still permits you to log on interactively with the Administrator account and the correct password. A successful interactive logon as Administrator automatically unlocks the account.