Creating policies to control local accounts
If you enable local admin accounts for users who require them, you should also enforce a set of policies to ensure that the local accounts meet strong authentication standards. On domain-joined computers, Group Policy can be used to specify the settings of the local account policy, which contains two subsets:
- Password policy: These policy settings determine the controls for local account passwords, such as enforcement and lifetimes.
- Account lockout policy: These policy settings determine the circumstances and length of time for which an account will be locked out of the system when the password is entered incorrectly.
The password policy enforces specific values that control how often the password is changed, how complex it is, and whether users can reuse old passwords. The default values are shown in the following screenshot:
Figure 4.2 – Local Security Policy’s password...
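
To check the same settings from the command line, the following added example (not part of the original text) exports the local security policy with `secedit` and compares the password and lockout values in its `[System Access]` section against a baseline. The thresholds in `$Checks` are assumptions chosen for illustration, and the script must run in an elevated PowerShell session.

```powershell
# Added example: audit the local password and account lockout policy.
# Thresholds below are assumed for illustration; substitute your organization's baseline.
$Checks = [ordered]@{
    MinimumPasswordLength = { param($v) $v -ge 14 }
    PasswordHistorySize   = { param($v) $v -ge 24 }
    PasswordComplexity    = { param($v) $v -eq 1 }                  # 1 = enabled
    ClearTextPassword     = { param($v) $v -eq 0 }                  # reversible encryption off
    MaximumPasswordAge    = { param($v) $v -ge 1 -and $v -le 365 }  # days; -1 = never expires
    LockoutBadCount       = { param($v) $v -ge 1 -and $v -le 10 }   # 0 = accounts never lock out
}

# Export the security policy area to a temporary INF file.
$cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet
if ($LASTEXITCODE -ne 0) {
    throw "secedit export failed (exit code $LASTEXITCODE). Is the session elevated?"
}

# Collect the integer settings from the [System Access] section only.
$policy = @{}
try {
    $inSection = $false
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
}
finally {
    # The export describes the machine's security configuration; do not leave it behind.
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

# Evaluate each setting; a value missing from the export is reported as non-compliant.
$results = foreach ($name in $Checks.Keys) {
    $check = $Checks[$name]
    if ($policy.ContainsKey($name)) {
        $ok = [bool](& $check $policy[$name])
        [pscustomobject]@{ Setting = $name; Value = $policy[$name]; Compliant = $ok }
    }
    else {
        [pscustomobject]@{ Setting = $name; Value = 'not set'; Compliant = $false }
    }
}
$results | Format-Table -AutoSize
```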