Exclude Admin account from Account Locked out policy

[sing]

Archived from groups: microsoft.public.windowsnt.domain (More info?)

Does anyone know if we can exclude Administrator account from Locked Out
account policy on NT domain? I have Account Policy to lock out the account
after bad 5 attempt, but the problem is that it also locked out the
Administrator account. Is there a way to exclude Admin account from it?

I have checked Password Never Expired and/or User Cannot change password,
but it doesn't make any differences.

Thanks

 

[Guest]

Archived from groups: microsoft.public.windowsnt.domain (More info?)

Security measures such as a password policy are domain level functions and cannot be divided up in a single domain. So no, you cannot do that.

 

[ME]

Archived from groups: microsoft.public.windowsnt.domain (More info?)

The domain administrator account does not have a lockout policy under NT 4.
You can use the PASSPROP utility from the NT Resource Kit to enable a
lockout when the use is from the network side and not from the console.
PASSPROP will never let you lockout from the console.

It sounds like someone very appropriately used PASSPROP to enable the
lockout. We see password guessing attempts after hours occasionally from
soon-to-be-ex security guards trying to browse the Internet.

You really should not undo it.

Ray

"Louis Jones" <ljones@qcsinet.com> wrote in message
news:5770A718-D934-4DF8-B2F7-83C1E0361CDE@microsoft.com...
> Security measures such as a password policy are domain level functions and
cannot be divided up in a single domain. So no, you cannot do that.