[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


Configure Group Policy for Account Lockout Policy

Posted on 2007-10-02
Medium Priority
Last Modified: 2013-12-04
My goal is to set up our CEO with a differnt account lockout policy than everybody else has.  I have put him in his own group in AD and have set that groups account lockout policy through the Group Policy editor.  I have set the group to Block Inheritance and set the policy to Enforced and Link Enabled.  All Default Domain Secrity Settings, Default Domain Controller Security Settings and applicable Local Security Settings for both my primary and secondary domain controllers are set to "Not Defined"  

In the midst of trying to get this configured I tried changing the Default Domain Security Settings for the lockout policy before eventually returning them to there default settings.  It has been hours since I did this so the policy changes have had plenty of time to replicate and I ran gpupdate /force.  

The end result is now no one in the domain will lock there account out no matter how many attempts at thier password they make.  How can I fix this!
Question by:BrianSDG
  • 3
  • 2
LVL 23

Expert Comment

by:Jeremy Weisinger
ID: 20001817
You can only have one Account Policy per domain and it need to be set at the domain level.

Run RSoP for your DC and see if it's getting the proper settings.

Author Comment

ID: 20002018
The DC shows "Not Defined."
LVL 23

Accepted Solution

Jeremy Weisinger earned 2000 total points
ID: 20002970
Um... I didn't know it was possible for it to show "Not Defined" Are you sure you ran the RSoP wizard?

Have a look:

Also, I would download and install the GPMC and run the RSoP from there. It will show you the settings, what GPOs were and were not applied (and why), and show any related Event Log entries.

To run the RSoP wizard from GPMC:
- Open GPMC
- Right-click the Group Policy Results folder and select "Group Policy Results Wizard"
- Analyze the Summary, Settings, and Policy Events tabs

Author Comment

ID: 20009841
Thanks for advice on the RSoP.  I had never used that before and it was pretty cool.  I had already read the MS doc that you noted above but when you sent it in your post I had another look and played with it more and got a better feel for what I was doing.  

I have not tried the GPMC yet but will in the near future, I'm just a little slammed right now.  I set a policy up for the domain I can live with but it still overrides the policy I set up for the OU that our CEO is in.  Is there anyway to block the inheritance from the domain policy to the OU so you can have the OU be set up with a different policy.  I noticed there was an option to "Block Inheritance" when right clicking the OU when in the Group Policy Management Window but either with it checked or not checked it didn't change the resultant policy.  Thanks for the help!
LVL 23

Expert Comment

by:Jeremy Weisinger
ID: 20010071
What you are trying to do is impossible in 2003 and earlier. You can only have one Account Policy per domain and it need to be set at the domain level.
But in 2008 you'll be able to specify multiple Account Policies in a single domain.

BTW - take 10 minutes and install GPMC. It is very intuitive with practically zero learning curve. If you can configure GPOs without it then you can configure GPOs much more easily with it! :)

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …
Is your OST file inaccessible, Need to transfer OST file from one computer to another? Want to convert OST file to PST? If the answer to any of the above question is yes, then look no further. With the help of Stellar OST to PST Converter, you can e…

873 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question