• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1230

Set up account lockout (for a newbie)

Good morning experts,

We're trying to set up account lockouts on our domain controller, which is running Win2003 Small Business Server.  There are two groups of users (OUs?) that require different policies.  It's unclear at this time whether we'll be able to segment additional groups (at least 1 more is coming soon) to different machines, or if all will need to be domain groups.  Therefore I think the thing to ask is for help with domain groups, and if you want to comment on the differences between domain and local groups that would be great.

I've set the duration, threshold and reset in the Default Domain Security Settings and Default Domain Controller Security Settings, with no apparent effect on members of the "Users" or "SBS Users" groups.

I've spent several hours on this and read many things already, to no avail.  That may be due at least in part to what the things I've read assume I already know...which is very little, so please write your instructions for a complete newbie to these matters.  As an example, I had to look up the terms "GPO" and "OU" when I started this.  Don't tell me to "link the GPO to the user OU", please tell me how!

2 Solutions
Mike Kline commented:
Have some bad news on this one.  In 2003 and lower you can only have one password policy per domain (for domain accounts) and that has to be linked at the domain level.  You won't be able to do what you want out of the box.
There are third party tools that can help http://www.specopssoft.com/web/specops-password-policy.aspx
In a 2008 domain Microsoft introduced fine grained password policies which will let you have different policies for different groups  http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx
Indeed only one password and account policy PER DOMAIN, so you can't have different settings for different users.
Bitley (Author) commented:
Hmm...that is unfortunate, but maybe we'll be able to segment access by box and manage any differences using local instead of domain accounts.  Otherwise everybody will just have to live with the most restrictive settings, which may be inconvenient for them but better than the alternative.
Any suggestions on why that setting would have no effect, and how to fix it?
A very helpful tool to see what policies/settings are being applied by GPOs is Group Policy Management.  If you run the Group Policy Results Wizard (look toward the bottom in the left pane) you can see what will be applied to a specific user on a specific computer, etc., including what GPOs are being applied and which ones aren't.

In the case of SBS 2003, there are 3 GPOs which are created by default that have settings related to password policy:
1) Small Business Server Domain Password Policy
2) Default Domain Policy
3) Small Business Server Domain Lockout Policy
If the settings in these are not the same, the last one applied will be the settings you get (without getting into issues of GPO Enforcement, etc.).  If you were to highlight your domain in Group Policy Management and look in the right pane to see the link order, the highest in the list (#1) will be the last one applied.

If nothing's been changed from the default initial install, the Default Domain Policy is applied, then the Small Business Server Domain Lockout Policy is applied, then the Small Business Server Domain Password Policy is applied, which overwrites any settings in common with the previous policies.  So, to fix this, change the other policies, or create a new one with the settings you want and make sure that it is higher (lower number) in the link order.
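The link-order rule described in this answer, as an added example that is not part of the original thread: the three SBS 2003 domain-linked GPOs are modelled with constructed sample lockout values (the setting names are the real security-template keys, the numbers are made up), and `resolve()` applies them lowest-in-list first so that link order #1 lands last and wins, while a setting a GPO leaves Not Configured never overrides an earlier one.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    link_order: int            # 1 = top of the GPMC list = applied last
    # Only settings the GPO actually configures are present; a key that is
    # absent is "Not Configured" and therefore never overrides another GPO.
    settings: dict = field(default_factory=dict)

# Constructed sample values; the GPO names are the SBS 2003 defaults named
# in the answer, the lockout numbers are NOT the real SBS defaults.
SBS_DOMAIN_LINKS = [
    GPO("Small Business Server Domain Password Policy", 1,
        {"LockoutBadCount": 0}),                     # sample: lockout off
    GPO("Small Business Server Domain Lockout Policy", 2,
        {"LockoutBadCount": 5, "LockoutDuration": 30, "ResetLockoutCount": 30}),
    GPO("Default Domain Policy", 3,
        {"LockoutBadCount": 10, "LockoutDuration": 15, "ResetLockoutCount": 15}),
]

def resolve(links):
    """Effective domain account policy: apply bottom of the list first,
    so the GPO with link order 1 is applied last and its configured
    settings win (domain accounts only read domain-linked GPOs)."""
    effective = {}
    for gpo in sorted(links, key=lambda g: g.link_order, reverse=True):
        effective.update(gpo.settings)
    return effective

def winning_gpo(links, setting):
    """Name of the GPO whose value for `setting` ends up in the result."""
    for gpo in sorted(links, key=lambda g: g.link_order):
        if setting in gpo.settings:
            return gpo.name
    return None

def link_at_top(links, new_gpo):
    """The fix the answer suggests: link a new GPO above the existing ones
    (everything else shifts down one place in the link order)."""
    shifted = [GPO(g.name, g.link_order + 1, dict(g.settings)) for g in links]
    return [GPO(new_gpo.name, 1, dict(new_gpo.settings))] + shifted

if __name__ == "__main__":
    print(resolve(SBS_DOMAIN_LINKS))
    fixed = link_at_top(SBS_DOMAIN_LINKS, GPO("Our Lockout Policy", 0,
                        {"LockoutBadCount": 3, "LockoutDuration": 60}))
    print(resolve(fixed), winning_gpo(fixed, "LockoutBadCount"))
```

With the sample values the threshold of 0 from the Password Policy GPO wins even though the Lockout Policy GPO configures 5, which is exactly the "no apparent effect" the question describes; compare the output against what the Group Policy Results Wizard reports for a real user.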
Bitley (Author) commented:
Hi and Happy New Year, All!
Thanks very much for your comments, questions and suggestions so far.  I haven't abandoned this question, but the holiday and higher-priority issues did put it on hold so I got a polite reminder from EE.  I'm hoping to get back to it tomorrow.
All the best,
Bitley (Author) commented:
Thanks folks.  We aren't really sure what's going on to prevent it from working in our dev/test environment, but we're accepting defeat for now because we confirmed that it does work in our UAT/prod environment, and that's what's important.