BrianSDG
asked on
Configure Group Policy for Account Lockout Policy
My goal is to set up our CEO with a different account lockout policy than everybody else has. I have put him in his own group in AD and have set that group's account lockout policy through the Group Policy editor. I have set the group to Block Inheritance and set the policy to Enforced and Link Enabled. All Default Domain Security Settings, Default Domain Controller Security Settings and applicable Local Security Settings for both my primary and secondary domain controllers are set to "Not Defined".
In the midst of trying to get this configured I tried changing the Default Domain Security Settings for the lockout policy before eventually returning them to their default settings. It has been hours since I did this so the policy changes have had plenty of time to replicate and I ran gpupdate /force.
The end result is now no one in the domain will lock their account out no matter how many attempts at their password they make. How can I fix this!
ASKER
The DC shows "Not Defined."
ASKER
Thanks for advice on the RSoP. I had never used that before and it was pretty cool. I had already read the MS doc that you noted above but when you sent it in your post I had another look and played with it more and got a better feel for what I was doing.
I have not tried the GPMC yet but will in the near future, I'm just a little slammed right now. I set a policy up for the domain I can live with but it still overrides the policy I set up for the OU that our CEO is in. Is there any way to block the inheritance from the domain policy to the OU so you can have the OU be set up with a different policy? I noticed there was an option to "Block Inheritance" when right clicking the OU when in the Group Policy Management Window but either with it checked or not checked it didn't change the resultant policy. Thanks for the help!
What you are trying to do is impossible in 2003 and earlier. You can only have one Account Policy per domain and it needs to be set at the domain level.
But in 2008 you'll be able to specify multiple Account Policies in a single domain.
BTW - take 10 minutes and install GPMC. It is very intuitive with practically zero learning curve. If you can configure GPOs without it then you can configure GPOs much more easily with it! :)
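Added example, not part of the original thread and not any poster's code: a PowerShell check that reports which lockout settings are actually in effect for one account, either the single domain-wide account policy or, on 2008 and later, a fine-grained policy that applies to that user. It assumes PowerShell 3.0 or later with the ActiveDirectory RSAT module; the function name `Get-EffectiveLockoutPolicy` and the account name `ceo.user` are placeholders.

```powershell
# Added example. Assumes the ActiveDirectory RSAT module is installed.
# 'Get-EffectiveLockoutPolicy' and 'ceo.user' are hypothetical names.
Import-Module ActiveDirectory

function Get-EffectiveLockoutPolicy {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    # The single domain-wide account policy (the only kind in 2003 and earlier).
    $domain = Get-ADDefaultDomainPasswordPolicy

    # A fine-grained password policy that applies to this user, or $null
    # when the user falls back to the domain-wide policy.
    $fgpp = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName

    $source = if ($fgpp) { "Fine-grained policy '$($fgpp.Name)'" } else { 'Domain policy' }
    $policy = if ($fgpp) { $fgpp } else { $domain }

    [pscustomobject]@{
        User              = $SamAccountName
        Source            = $source
        LockoutThreshold  = $policy.LockoutThreshold
        LockoutDuration   = $policy.LockoutDuration
        ObservationWindow = $policy.LockoutObservationWindow
        # A threshold of 0 means failed logons never lock the account.
        LockoutDisabled   = ($policy.LockoutThreshold -eq 0)
    }
}

$result = Get-EffectiveLockoutPolicy -SamAccountName 'ceo.user'
$result | Format-List

if ($result.LockoutDisabled) {
    Write-Warning "Lockout threshold is 0: '$($result.User)' will never be locked out."
}
```

Account lockout settings placed in a GPO linked to an OU do not show up in this output, because user accounts only take their lockout policy from the domain level or from a fine-grained policy.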
Run RSoP for your DC and see if it's getting the proper settings.