Account Policy OU settings

Posted on 2007-08-09
Last Modified: 2013-11-05
I asked a similar question once before and I'd like some further assistance.  From what I've been told you cannot assign account lockout policies at an OU level, only at the domain level.  I'd like to have 2 different account lockout policies, 1 after 4 attempts and 1 after 16 invalid attempts.  If i set the domain policy as not configured, can't I just create 2 separate policies and apply them to my OU's as needed?

If this is not true can someone please direct me to a document where Microsoft clearly states this is not a configurable option?
Question by:emauch
    LVL 30

    Expert Comment

    Account lockout policies and password policies (length/complexity/etc.) can only be set at the domain level in 2003. Password/lockout policies applied at the OU level will only apply to local computer accounts for workstations/member servers within that OU; domain user accounts in those OUs will only be affected by the domain-level policy.  Fine-Grained Password Policies will be available in Windows Server 2008, but there is no option for this in 2000 or 2003.
    LVL 30

    Accepted Solution


    Author Comment

    This wouldn't apply to terminal server users either correct?  Since the setting is applied at the users OU and the terminal server is not in that OU.  Even if the terminal server was in that OU it still wouldn't apply since it would only affect local accounts, right?
    LVL 30

    Expert Comment

    If your terminal server users are logging on using domain accounts, they will be subject to the one-and-only-one password policy and account lockout policy per domain.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Threat Intelligence Starter Resources

    Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

    Mapping Drives using Group policy preferences Are you still using old scripts to map your network drives if so this article will show you how to get away for old scripts and move toward Group Policy Preference for mapping them. First things f…
    Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
    This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

    779 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    17 Experts available now in Live!

    Get 1:1 Help Now