# Prevent Admin account lockouts



## MordyT (Oct 9, 2007)

Hi there,
Doing a project for a non-profit educational institution and we having an issue.

Running on Server2003 SBS. Policy is to lockout a account until manually unlocked after 5 failed attempts.

There is a concern that a person will deliberately lock out all the admin accounts in the domain. Short of having a hidden account that we will be able to login with, is there a way to prevent admin accounts from being locked until unlocked?

Thanks,
Mordy


----------



## jmwills (Sep 28, 2005)

How would they know the name of the admin accounts?


----------



## DoubleHelix (Dec 10, 2004)

You're describing a personnel problem, not a technical one. Allow the person to lock out all accounts over and over and over until their supervisor gets sick of it. 

Walmart employees are given full access to a drawer full of cash. There's always the chance they'll empty it into their pockets. That's not a problem with the cash register.


----------



## MordyT (Oct 9, 2007)

jmwills said:


> How would they know the name of the admin accounts?


Look in AD? I think I could attempt to add a network printer, do a search, switch from printers to users, add the x500 in, and search for all users and then lockout all admins.



DoubleHelix said:


> You're describing a personnel problem, not a technical one. Allow the person to lock out all accounts over and over and over until their supervisor gets sick of it.
> 
> Walmart employees are given full access to a drawer full of cash. There's always the chance they'll empty it into their pockets. That's not a problem with the cash register.


a) Working for a non-profit school, there is no person to fire (just kick out of the lab, but that is reactive, we are trying to be proactive).

b) once all the accounts are locked out someone will need to go to the dc and login with console admin and unlock it. PITA.

c) Walmart has security cameras in place to catch someone, we don't. I can lockout an account without a trace of who I am, just what PC I used.


----------

