Active Directory's default lockout policy applies globally, but we often need exceptions for service accounts or admin accounts. On Server 2003 and 2008 (which still exist in many legacy environments), the configuration differs slightly from modern AD versions.
For Server 2008 DCs, you can use Fine-Grained Password Policies (FGPP):
# PowerShell for Server 2008+ (ActiveDirectory module, 2008+ domain functional level)
Import-Module ActiveDirectory
New-ADFineGrainedPasswordPolicy -Name "NoLockoutPolicy" `
    -Precedence 100 `
    -LockoutDuration "00:00:00" `
    -LockoutObservationWindow "00:00:00" `
    -LockoutThreshold 0 `
    -ProtectedFromAccidentalDeletion $true
# Link the policy to the account (a user or group DN)
Add-ADFineGrainedPasswordPolicySubject -Identity "NoLockoutPolicy" -Subjects "CN=ServiceAccount,OU=Services,DC=domain,DC=com"
Since Server 2003 doesn't support FGPP, we need alternative approaches:
' VBScript for Server 2003 (ADSI)
Const ADS_UF_DONT_EXPIRE_PASSWD = 65536 ' DONT_EXPIRE_PASSWORD bit of userAccountControl
Set objUser = GetObject("LDAP://CN=ServiceAccount,OU=Services,DC=domain,DC=com")
' userAccountControl is a single-valued bit field, so OR the flag into the current value;
' PutEx with ADS_PROPERTY_APPEND only works on multi-valued attributes
intUAC = objUser.Get("userAccountControl")
objUser.Put "userAccountControl", intUAC Or ADS_UF_DONT_EXPIRE_PASSWD
objUser.SetInfo
When implementing these exceptions:
- Apply to service accounts only, not regular user accounts
- Combine with complex passwords (minimum 25 characters)
- Monitor authentication attempts via Event IDs 4771 and 4625
Create a custom audit policy for excluded accounts:
# PowerShell audit script: enabled accounts with DONT_EXPIRE_PASSWORD that have not logged on in 30+ days
Import-Module ActiveDirectory
$excludedAccounts = Get-ADUser -Filter {Enabled -eq $true} -Properties UserAccountControl, LastLogonTimestamp |
    Where-Object { $_.UserAccountControl -band 65536 }
$excludedAccounts | ForEach-Object {
    if (-not $_.LastLogonTimestamp) {
        Write-Warning "$($_.SamAccountName) has never logged on"
        return
    }
    # LastLogonTimestamp replicates but is only refreshed every 9-14 days, so treat it as approximate
    $lastLogon = [datetime]::FromFileTime($_.LastLogonTimestamp)
    if ((Get-Date).Subtract($lastLogon).TotalDays -gt 30) {
        Write-Warning "$($_.SamAccountName) hasn't logged in for 30+ days"
    }
}
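An added example, not part of either answer on this page, that implements the monitoring recommended above: it counts Event ID 4771 and 4625 failures per account covered by the no-lockout FGPP over a time window and warns when a chosen threshold is reached, giving a detection-only substitute for lockout on exempt accounts. The policy name "NoLockoutPolicy", the one-hour window and the threshold of 10 are assumptions; 4771 is only written on domain controllers, so run it on a DC (or against forwarded Security logs).

```powershell
# Added example: alert on repeated authentication failures for accounts exempt from lockout.
Import-Module ActiveDirectory

$policyName = "NoLockoutPolicy"      # assumed name of the no-lockout FGPP
$window     = (Get-Date).AddHours(-1) # assumed observation window
$threshold  = 10                      # assumed failures per window that warrant an alert

# Resolve every account the FGPP applies to: users directly, plus members of linked groups.
$exempt = Get-ADFineGrainedPasswordPolicySubject -Identity $policyName |
    ForEach-Object {
        if ($_.ObjectClass -eq 'group') { Get-ADGroupMember -Identity $_ -Recursive } else { $_ }
    } | Select-Object -ExpandProperty SamAccountName -Unique

# 4771 = Kerberos pre-authentication failed (DC only); 4625 = logon failure on the logging host.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4771, 4625; StartTime = $window } `
    -ErrorAction SilentlyContinue

# Pull TargetUserName and IpAddress out of each event's XML payload (same field names in both IDs).
$failures = foreach ($e in $events) {
    $data = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Account = $data['TargetUserName'] -replace '@.*$', ''   # strip a UPN suffix if present
        Source  = $data['IpAddress']      -replace '^::ffff:', '' # normalise IPv4-mapped addresses
        Time    = $e.TimeCreated
    }
}

# Keep only exempt accounts and raise a warning where the count reaches the threshold.
$failures |
    Where-Object { $exempt -contains $_.Account } |
    Group-Object Account |
    Where-Object { $_.Count -ge $threshold } |
    ForEach-Object {
        $sources = ($_.Group.Source | Sort-Object -Unique) -join ', '
        Write-Warning ("{0}: {1} failed logons since {2:u} from {3}" -f $_.Name, $_.Count, $window, $sources)
    }
```

Schedule it at an interval shorter than the window so a burst of failures against an exempt account surfaces before the window rolls over.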
Account lockout is a security feature in Active Directory that protects against brute-force attacks by locking user accounts after a specified number of failed login attempts. While this is generally good security practice, there are legitimate cases where you might want to exempt certain service accounts or privileged users from this policy.
For Server 2008 and later domains, you can implement Fine-Grained Password Policies (FGPP):
# PowerShell example to create FGPP for non-locking accounts
Import-Module ActiveDirectory
New-ADFineGrainedPasswordPolicy -Name "NoLockoutPolicy" `
    -Precedence 100 `
    -LockoutThreshold 0 `
    -LockoutDuration "00:00:00" `
    -LockoutObservationWindow "00:00:00"
# Apply to specific users
Add-ADFineGrainedPasswordPolicySubject -Identity "NoLockoutPolicy" -Subjects "svc_sql","admin_john"
Since Server 2003 doesn't support FGPP, we need alternative approaches:
' VBScript to modify lockout threshold for specific accounts
' Caveat: lockoutThreshold is an attribute of the domain object, not of user objects,
' so SetInfo will reject it here; a 2003 domain has no per-account lockout threshold
Set objUser = GetObject("LDAP://CN=svc_backup,OU=ServiceAccounts,DC=domain,DC=com")
objUser.Put "lockoutThreshold", 0
objUser.SetInfo
When implementing these solutions, consider:
- Security implications of disabling lockout
- Audit requirements for exempted accounts
- Documentation of policy exceptions
- Monitoring for suspicious activity
For highly privileged accounts, consider implementing smartcard authentication instead of disabling lockout:
# Enable smartcard required for specific account
Set-ADUser -Identity admin_john -SmartcardLogonRequired $true