BrianSDG asked:
Configure Group Policy for Account Lockout Policy

My goal is to set up our CEO with a different account lockout policy than everybody else has.  I have put him in his own group in AD and have set that group's account lockout policy through the Group Policy editor.  I have set the group to Block Inheritance and set the policy to Enforced and Link Enabled.  All Default Domain Security Settings, Default Domain Controller Security Settings and applicable Local Security Settings for both my primary and secondary domain controllers are set to "Not Defined".

In the midst of trying to get this configured I tried changing the Default Domain Security Settings for the lockout policy before eventually returning them to their default settings.  It has been hours since I did this so the policy changes have had plenty of time to replicate, and I ran gpupdate /force.

The end result is now no one in the domain will lock their account out no matter how many attempts at their password they make.  How can I fix this?
Jeremy Weisinger

You can only have one Account Policy per domain and it needs to be set at the domain level.

Run RSoP for your DC and see if it's getting the proper settings.
BrianSDG (asker)

The DC shows "Not Defined."
ASKER CERTIFIED SOLUTION
Jeremy Weisinger

Thanks for the advice on the RSoP.  I had never used that before and it was pretty cool.  I had already read the MS doc that you noted above, but when you sent it in your post I had another look and played with it more and got a better feel for what I was doing.

I have not tried the GPMC yet but will in the near future; I'm just a little slammed right now.  I set a policy up for the domain I can live with, but it still overrides the policy I set up for the OU that our CEO is in.  Is there any way to block the inheritance from the domain policy to the OU so you can have the OU set up with a different policy?  I noticed there was an option to "Block Inheritance" when right-clicking the OU in the Group Policy Management window, but either with it checked or not checked it didn't change the resultant policy.  Thanks for the help!
What you are trying to do is impossible in 2003 and earlier. You can only have one Account Policy per domain and it needs to be set at the domain level.
But in 2008 you'll be able to specify multiple Account Policies in a single domain.

BTW - take 10 minutes and install GPMC. It is very intuitive with practically zero learning curve. If you can configure GPOs without it then you can configure GPOs much more easily with it! :)
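As an added illustration of the two points above (not part of the thread), the following PowerShell first reads the one domain-wide account policy that Server 2003 domain controllers actually enforce, then shows the Server 2008+ fine-grained password policy (PSO) that lets one group get a stricter lockout than everyone else. It assumes Windows Server 2008 R2 or later with the ActiveDirectory module, a domain functional level of 2008 or higher, and a group named CEO-Lockout and user ceo.user (both names are assumptions).

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module
# (Server 2008 R2+), domain functional level 2008+, and an assumed group
# 'CEO-Lockout' that contains the CEO's account 'ceo.user'.
Import-Module ActiveDirectory

# 1. Domain accounts only honour the account policy read by the DCs from the
#    GPO linked at the domain root (Default Domain Policy by default). OU-level
#    lockout settings never reach domain accounts. If lockout is "Not Defined"
#    at the domain root, LockoutThreshold is the AD default of 0, which means
#    "never lock out" and matches the symptom described in the question.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
$domainPolicy | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. What the DC is enforcing right now, independent of GPO refresh timing.
net accounts /domain

# 3. Server 2008+ only: a PSO overrides the domain policy for its subjects.
#    Lower Precedence wins if a user is covered by more than one PSO.
#    LockoutDuration must be at least LockoutObservationWindow.
New-ADFineGrainedPasswordPolicy -Name 'CEO-Lockout-PSO' -Precedence 10 `
    -LockoutThreshold 3 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ComplexityEnabled $true -MinPasswordLength 12 `
    -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false

Add-ADFineGrainedPasswordPolicySubject -Identity 'CEO-Lockout-PSO' -Subjects 'CEO-Lockout'

# 4. Confirm which policy the CEO actually gets (the PSO, not the domain default).
Get-ADUserResultantPasswordPolicy -Identity 'ceo.user' |
    Select-Object Name, Precedence, LockoutThreshold, LockoutDuration
```

If step 4 returns nothing, the user is not a member of any PSO subject group and the domain policy from step 1 applies.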