Configure Group Policy for Account Lockout Policy

Posted on 2007-10-02
Last Modified: 2013-12-04
My goal is to set up our CEO with a different account lockout policy than everybody else has. I have put him in his own group in AD and have set that group's account lockout policy through the Group Policy editor. I have set the group to Block Inheritance and set the policy to Enforced and Link Enabled. All Default Domain Security Settings, Default Domain Controller Security Settings and applicable Local Security Settings for both my primary and secondary domain controllers are set to "Not Defined".

In the midst of trying to get this configured I tried changing the Default Domain Security Settings for the lockout policy before eventually returning them to their default settings. It has been hours since I did this so the policy changes have had plenty of time to replicate and I ran gpupdate /force.

The end result is now no one in the domain will lock their account out no matter how many attempts at their password they make. How can I fix this!
Question by:BrianSDG

    Expert Comment

    by:Jeremy Weisinger
    You can only have one Account Policy per domain and it needs to be set at the domain level.

    Run RSoP for your DC and see if it's getting the proper settings.

    Author Comment

    The DC shows "Not Defined."

    Accepted Solution

    Um... I didn't know it was possible for it to show "Not Defined". Are you sure you ran the RSoP wizard?

    Have a look:

    Also, I would download and install the GPMC and run the RSoP from there. It will show you the settings, what GPOs were and were not applied (and why), and show any related Event Log entries.

    To run the RSoP wizard from GPMC:
    - Open GPMC
    - Right-click the Group Policy Results folder and select "Group Policy Results Wizard"
    - Analyze the Summary, Settings, and Policy Events tabs

    Author Comment

    Thanks for advice on the RSoP.  I had never used that before and it was pretty cool.  I had already read the MS doc that you noted above but when you sent it in your post I had another look and played with it more and got a better feel for what I was doing.  

    I have not tried the GPMC yet but will in the near future, I'm just a little slammed right now. I set a policy up for the domain I can live with but it still overrides the policy I set up for the OU that our CEO is in. Is there any way to block the inheritance from the domain policy to the OU so you can have the OU be set up with a different policy? I noticed there was an option to "Block Inheritance" when right-clicking the OU when in the Group Policy Management Window but either with it checked or not checked it didn't change the resultant policy. Thanks for the help!

    Expert Comment

    by:Jeremy Weisinger
    What you are trying to do is impossible in 2003 and earlier. You can only have one Account Policy per domain and it needs to be set at the domain level.
    But in 2008 you'll be able to specify multiple Account Policies in a single domain.

    BTW - take 10 minutes and install GPMC. It is very intuitive with practically zero learning curve. If you can configure GPOs without it then you can configure GPOs much more easily with it! :)
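
The multiple-policy capability that the last comment says arrives in 2008 is implemented as fine-grained password policies (Password Settings Objects), which attach to users or global security groups rather than to OUs. The following is an added example, not part of the original thread: it assumes the ActiveDirectory PowerShell module and a domain at Windows Server 2008 functional level or later, and the PSO, group and user names and every policy value are constructed placeholders.

```powershell
# Added example (not from the thread). All names and values are constructed.
Import-Module ActiveDirectory

$PsoName   = 'PSO-Executives'   # hypothetical PSO name
$GroupName = 'Executives'       # hypothetical global security group
$UserName  = 'ceo'              # hypothetical sAMAccountName

# 1. Read the single domain-wide account policy (set at the domain level).
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
$domainPolicy | Format-List LockoutThreshold, LockoutDuration, LockoutObservationWindow

# A threshold of 0 means no account ever locks out, which matches the
# symptom described in the question.
if ($domainPolicy.LockoutThreshold -eq 0) {
    Write-Warning 'Domain LockoutThreshold is 0: accounts will never lock out.'
}

# 2. Create the exception as a PSO and apply it to a group, not to an OU.
#    GPO links, Block Inheritance and Enforced have no effect on PSOs.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -LockoutThreshold 10 `
        -LockoutDuration '00:30:00' `
        -LockoutObservationWindow '00:30:00' `
        -MinPasswordLength 14 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' `
        -MaxPasswordAge '90.00:00:00' `
        -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName
}

# 3. Verify which policy actually wins for the user. No output means no PSO
#    applies and the user falls back to the domain-wide policy from step 1.
$effective = Get-ADUserResultantPasswordPolicy -Identity $UserName
if ($effective) {
    $effective | Format-List Name, Precedence, LockoutThreshold, LockoutDuration
} else {
    Write-Output "$UserName uses the default domain policy."
}
```

When several PSOs reach the same user through group membership, the one with the lowest Precedence value applies, and a PSO linked directly to the user takes priority over any linked through a group.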
