We want to implement the following Group Policy:
Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy:
Account lockout duration: 0 (If a user gets locked out, he is not automatically unlocked. Only an Admin can unlock acct)
Account lockout threshold: 5 invalid logon attempts
Reset account lockout counter after 180 minutes
However, we don't want this to apply to any of our Admins.
This is currently the tree structure of our AD:
Sales Computers OU
Marketing Computers OU
Customer Services Computers OU
If this was a USER CONFIGURATION, I would just apply this GPO to the Staff OU, and then DISABLE this GPO for the Admins OU. But, since its a Computer Configuration, I'm not sure what's the best way to do this.