Account Policy OU settings

Posted on 2007-08-09
Last Modified: 2013-11-05
I asked a similar question once before and I'd like some further assistance. From what I've been told, you cannot assign account lockout policies at an OU level, only at the domain level. I'd like to have 2 different account lockout policies, 1 after 4 attempts and 1 after 16 invalid attempts. If I set the domain policy as not configured, can't I just create 2 separate policies and apply them to my OUs as needed?

If this is not true can someone please direct me to a document where Microsoft clearly states this is not a configurable option?
Question by: emauch

Expert Comment

ID: 19662859
Account lockout policies and password policies (length/complexity/etc.) can only be set at the domain level in 2003. Password/lockout policies applied at the OU level will only apply to local computer accounts for workstations/member servers within that OU; domain user accounts in those OUs will only be affected by the domain-level policy.  Fine-Grained Password Policies will be available in Windows Server 2008, but there is no option for this in 2000 or 2003.

Accepted Solution

LauraEHunterMVP earned 2000 total points
ID: 19662890

Author Comment

ID: 19663279
This wouldn't apply to terminal server users either, correct? Since the setting is applied at the users' OU and the terminal server is not in that OU. Even if the terminal server was in that OU, it still wouldn't apply since it would only affect local accounts, right?

Expert Comment

ID: 19663299
If your terminal server users are logging on using domain accounts, they will be subject to the one-and-only-one password policy and account lockout policy per domain.
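
The Fine-Grained Password Policies mentioned in the first expert comment, sketched as an added example (not part of the original thread) for the 4- and 16-attempt thresholds from the question. It assumes a Windows Server 2008 or later domain functional level and the ActiveDirectory PowerShell module; the policy names, group names, 30-minute lockout windows and the account `jdoe` are hypothetical.

```powershell
# Added example, not from the thread. Policy/group names are hypothetical.
Import-Module ActiveDirectory

# The two lockout thresholds asked for in the question.
$policies = @(
    @{ Name = 'Lockout-Strict';  Precedence = 10; Threshold = 4;  Group = 'PSO-Strict-Users'  },
    @{ Name = 'Lockout-Relaxed'; Precedence = 20; Threshold = 16; Group = 'PSO-Relaxed-Users' }
)

# A PSO carries every password and lockout setting, so copy the non-lockout
# values from the domain policy to keep only the threshold different.
$domain = Get-ADDefaultDomainPasswordPolicy

foreach ($p in $policies) {
    if (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($p.Name)'") { continue }

    $settings = @{
        Name                        = $p.Name
        Precedence                  = $p.Precedence   # lower value wins on conflict
        LockoutThreshold            = $p.Threshold
        LockoutDuration             = '00:30:00'      # assumed value
        LockoutObservationWindow    = '00:30:00'      # assumed value
        ComplexityEnabled           = $domain.ComplexityEnabled
        MinPasswordLength           = $domain.MinPasswordLength
        MinPasswordAge              = $domain.MinPasswordAge
        MaxPasswordAge              = $domain.MaxPasswordAge
        PasswordHistoryCount        = $domain.PasswordHistoryCount
        ReversibleEncryptionEnabled = $domain.ReversibleEncryptionEnabled
    }
    New-ADFineGrainedPasswordPolicy @settings

    # PSOs attach to users or global security groups, not to OUs, so OU
    # membership has to be mirrored into a group to get per-OU behaviour.
    Add-ADFineGrainedPasswordPolicySubject -Identity $p.Name -Subjects $p.Group
}

# Check which policy a given domain account actually receives.
$user = 'jdoe'   # hypothetical account
$pso  = Get-ADUserResultantPasswordPolicy -Identity $user
if ($pso) {
    "{0}: PSO '{1}', lockout after {2} attempts" -f $user, $pso.Name, $pso.LockoutThreshold
} else {
    "{0}: no PSO, domain policy applies (threshold {1})" -f $user, $domain.LockoutThreshold
}
```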
