Dec 14, 2010

Local Admin Account vs. account lockout

You can't really lock out an admin account - as long as you type in the correct password on *local console*, the system will unlock it automatically. This makes sense - legit users need a way to get into the system when all other credentials are failing - completely locking out all users surely won't make happy customers.

However this increases the risk of being cracked by brutalforce method. For companies who want to maximize the security and are willing to pay the cost of losing acceess due to lost passswords, there is a way to put admins under same lockout policy as ordinary users. MS has an old tool called passprop.exe that can enforce lockout policy, even against admins.

        passprop /adminlockout

This is no longer needed in Windows 2008. There are pre-define security polices in Windows 2008 will do the same.