Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Group Policy: User vs Computer Configuration

Posted on 2009-07-16
1
Medium Priority
?
481 Views
Last Modified: 2012-05-07
We want to implement the following Group Policy:
Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy:
Account lockout duration:  0  (If a user gets locked out, he is not automatically unlocked. Only an Admin can unlock acct)
Account lockout threshold:  5 invalid logon attempts
Reset account lockout counter after 180 minutes

However, we don't want this to apply to any of our Admins.

This is currently the tree structure of our AD:
domain.local
     Staff OU
            Admins OU
            Sales OU
            Marketing OU
     Computers OU
            Sales Computers OU
            Marketing Computers OU
            Customer Services Computers OU

If this was a USER CONFIGURATION, I would just apply this GPO to the Staff OU, and then DISABLE this GPO for the Admins OU. But, since its a Computer Configuration, I'm not sure what's the best way to do this.
0
Comment
Question by:pzozulka
1 Comment
 
LVL 85

Accepted Solution

by:
oBdA earned 2000 total points
ID: 24871315
Not possible in a W2k3 AD, unless with a third-party tool like from http://www.specopssoft.com/.
In a regular W2k3 AD, you can only have *one* password policy *per* *domain*, the password policy *has* to be linked to the domain root, and it *has* to apply to the DCs.
Only W2k8 supports "fine grained" password policies.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question