question

0 Votes
SachinNavod-7340 asked AnuragSingh-MSFT commented

Can I push an Account Lockout Policy to all the servers in the subscriptions in a particular tenant at once?

Here there are about 700 VMs in over 500 subscriptions, but all are in the same tenant.
I need to push the Account Lockout Policy to all these VMs.
What are the possibilities I can go with?

azure-ad-domain-services azure-policy

1 Answer

0 Votes
AnuragSingh-MSFT answered AnuragSingh-MSFT commented

Hi @SachinNavod-7340,

Welcome to Microsoft Q&A! Thanks for posting the question.

I understand that you are trying to apply an Account Lockout policy to multiple VMs in an Azure subscription. There are many ways to achieve this at scale, and the following are some of the options available:

Method 1 - Using Azure Active Directory Domain Services managed domains
If these VMs are connected to an Azure Active Directory Domain Services managed domain, you may define password and account lockout policies using Azure AD. For more details, please refer to "Password and account lockout policies on Azure Active Directory Domain Services managed domains".

Method 2 - Using Azure Policy
This involves multiple steps and an understanding of the Guest Configuration feature of Azure Policy. It is particularly useful if you want to manage local settings on VMs, such as OS settings, application configuration or presence, and environment settings. It can also be used for auditing or applying local Group Policies. Therefore, if you want to enable the Account Lockout Policy on each VM, you may use this option. This method involves:
- Creating a guest configuration content artifact (.zip)
- Validating the package meets requirements
- Installing the guest configuration agent locally for testing
- Validating the package can be used to audit settings in a machine
- Validating the package can be used to configure settings in a machine
- Publishing the package to Azure storage
- Creating a policy definition
- Publishing the policy

You may refer to this how-to guide for the complete walkthrough and to understand this process in detail. Some of Azure Policy's built-in packages for guest configuration are available here for your reference: "List of built-in packages for guest configuration - Azure Policy".

Method 3 - Using PowerShell
The Group Policy PowerShell module can be used to configure local policy for a machine. You may also use it in Azure Automation to automatically update the local group policy settings on all the VMs or a subset of VMs.

Please let me know if you have any questions.


Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.


@SachinNavod-7340, Following up to see if the answer above helped. Do let us know if you have any queries.

Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.

0 Votes 0 ·

Please can you explain this step a little further? How can I add an Account Lockout Policy in guest configuration?
"Creating a guest configuration content artifact (.zip)"
Can you give me an example?

0 Votes 0 ·

@SachinNavod-7340, Please refer to this link for complete steps: How to create custom guest configuration package artifacts

The high-level steps are as follows:

1. Author and compile a DSC configuration (generate .mof file). Refer to this link and this link for details

2. Create a configuration package artifact using the New-GuestConfigurationPackage cmdlet. (ref: this link)

Please let me know if you have any questions.

0 Votes 0 ·
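The two steps from the last comment, applied to an account lockout policy, as an added example that is not part of the original thread or Microsoft's own code. It assumes the `SecurityPolicyDsc` and `GuestConfiguration` modules are installed from the PowerShell Gallery, that the `AccountPolicy` resource runs correctly under the guest configuration agent on your images (verify on a test VM), and that the threshold and duration values and the package name, which are constructed samples, are replaced with your own.

```powershell
# Added example. Run in PowerShell 7 on an authoring machine.
# Assumed prerequisites: PSDesiredStateConfiguration 2.x, SecurityPolicyDsc, GuestConfiguration.
# Policy values and names below are constructed sample values.

Configuration AccountLockoutPolicy {
    Import-DscResource -ModuleName 'SecurityPolicyDsc'

    Node 'localhost' {
        AccountPolicy 'Lockout' {
            Name                                = 'Lockout'
            Account_lockout_threshold           = 5    # failed logons before lockout
            Account_lockout_duration            = 15   # minutes the account stays locked
            Reset_account_lockout_counter_after = 15   # minutes; must not exceed the duration
        }
    }
}

# Step 1: compile the DSC configuration to a .mof file.
$outDir = Join-Path $PWD 'AccountLockoutPolicy'
AccountLockoutPolicy -OutputPath $outDir | Out-Null

# The compiler names the file after the node; rename it to match the package name.
$mof = Join-Path $outDir 'AccountLockoutPolicy.mof'
Move-Item -Path (Join-Path $outDir 'localhost.mof') -Destination $mof -Force

# Step 2: build the content artifact (.zip).
# -Type Audit only reports drift; AuditAndSet also lets the policy remediate it.
$package = New-GuestConfigurationPackage `
    -Name 'AccountLockoutPolicy' `
    -Configuration $mof `
    -Type AuditAndSet `
    -Path $PWD `
    -Force

# Step 3 (elevated session on a test machine): confirm the package can audit the setting
# before publishing it to storage and creating the policy definition.
Get-GuestConfigurationPackageComplianceStatus -Path $package.Path
```

Assigning the resulting policy definition at a management group that contains the subscriptions, rather than per subscription, is what makes this practical across several hundred subscriptions in one tenant.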