Why the Administrator account does not get locked out

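The Administrator account has no special privilege that exempts it from the password policy. What the material below shows is:

-> By default, the Administrator account is not "really" locked out because the pwdProperties value defaults to 1 (Passwords must be complex, and the administrator account cannot be locked out).

-> In other words, no documentation says the Administrator account has a special privilege; the behavior is controlled by the pwdProperties value.

-> So can the Administrator account be locked out? Yes! This can be done by changing the pwdProperties parameter with ADSIEDIT.msc. (Not recommended.)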

How to set account lockout policies in Windows 2000 and Windows Server 2003
https://support.microsoft.com/kb/885119/en-us

To configure the account lockout policies in Active Directory, follow these steps:

1. Install the ADSI snap-in if it is not already installed on your system. This snap-in is included in the Windows 2000 Support Tools. For additional information about how to install the Windows 2000 Support Tools, click the following article number to view the article in the Microsoft Knowledge Base:

301423 (https://support.microsoft.com/kb/301423/) How to install the Windows 2000 support tools to a Windows 2000 Server-based computer

Warning If you use the ADSI Edit snap-in, and you incorrectly modify the attributes of Active Directory objects, you may cause serious problems. These problems may require that you reinstall Windows 2000 Server, Microsoft Exchange 2000 Server, or both. We cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

2. Click Start, point to Programs, point to Windows 2000 Support Tools, point to Tools, and then click ADSI Edit.

3. Expand Domain NC [Your_Domain_Name].

4. Right-click DC=Your_Domain_Name,DC=Your_Domain_Name, and then click Properties.

5. Click the Attributes tab, and then in the Select a property to view list, click pwdProperties.

6. In the Edit Attribute box, type the value that you want to use. The following value options are available.

| Value | Password policy |
|-------|-----------------|
| 0 | Passwords can be simple, and the administrator account cannot be locked out. |
| 1 | Passwords must be complex, and the administrator account cannot be locked out. |
| 8 | Passwords can be simple, and the administrator account can be locked out. |
| 9 | Passwords must be complex, and the administrator account can be locked out. |

7. Click Set, click Apply, and then click OK.

8. Quit the ADSI Edit snap-in.
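
The four values in the table are combinations of two bits of pwdProperties: 1 (complexity) and 8 (administrator lockout). The following is an added example, not part of the original post or the KB article: it decodes any pwdProperties value and audits an LDIF-style export of the domain object. It goes beyond the four listed values by naming the other flag bits of the attribute; the domain names and export text are constructed sample data.

```python
import re

# pwdProperties bit flags (DOMAIN_PASSWORD_INFORMATION.PasswordProperties).
FLAGS = {
    0x01: "DOMAIN_PASSWORD_COMPLEX",
    0x02: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    0x04: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    0x08: "DOMAIN_LOCKOUT_ADMINS",
    0x10: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    0x20: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}

# Constructed sample: two domain heads as they would appear in an LDIF export.
SAMPLE_LDIF = """\
dn: DC=corp,DC=example
pwdProperties: 1

dn: DC=lab,DC=example
pwdProperties: 9
"""

def decode_pwd_properties(value):
    """Return (flag names, complexity required?, Administrator lockable?)."""
    if value < 0:
        raise ValueError("pwdProperties must be a non-negative integer")
    names = [name for bit, name in sorted(FLAGS.items()) if value & bit]
    unknown = value & ~sum(FLAGS)          # bits outside the known mask 0x3F
    if unknown:
        names.append("UNKNOWN_0x%X" % unknown)
    return names, bool(value & 0x01), bool(value & 0x08)

def audit_ldif(text):
    """Map each dn in the export to its decoded pwdProperties settings."""
    findings, dn = {}, None
    for line in text.splitlines():
        m = re.match(r"(dn|pwdProperties):\s*(\S.*?)\s*$", line, re.I)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2)
        if key == "dn":
            dn = val
        elif dn is not None:
            names, complex_pw, lockable = decode_pwd_properties(int(val))
            findings[dn] = {"value": int(val), "flags": names,
                            "complex": complex_pw, "admin_lockable": lockable}
    return findings

if __name__ == "__main__":
    for dn, result in audit_ldif(SAMPLE_LDIF).items():
        print(dn, result)
```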