Set up account lockout (for a newbie)

Posted on 2009-12-24
Last Modified: 2013-12-16
Good morning experts,

We're trying to set up account lockouts on our domain controller, which is running Win2003 Small Business Server.  There are two groups of users (OUs?) that require different policies.  It's unclear at this time whether we'll be able to segment additional groups (at least 1 more is coming soon) to different machines, or if all will need to be domain groups.  Therefore I think the thing to ask is for help with domain groups, and if you want to comment on the differences between domain and local groups that would be great.

I've set the duration, threshold and reset in the Default Domain Security Settings and Default Domain Controller Security Settings, with no apparent effect on members of the "Users" or "SBS Users" groups.

I've spent several hours on this and read many things already, to no avail.  That may be due at least in part to what the things I've read assume I already know...which is very little, so please write your instructions for a complete newbie to these matters.  As an example, I had to look up the terms "GPO" and "OU" when I started this.  Don't tell me to "link the GPO to the user OU", please tell me how!

Question by:Bitley
    LVL 57

    Accepted Solution

    Have some bad news on this one. In 2003 and lower you can only have one password policy per domain (for domain accounts) and that has to be linked at the domain level. You won't be able to do what you want out of the box.
    There are third party tools that can help.
    In a 2008 domain Microsoft introduced fine-grained password policies, which will let you have different policies for different groups.
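    As an added illustration of the 2008-domain option mentioned above (example code, not from this thread), here is how two different lockout policies are assigned to two groups with fine-grained password policies. It assumes a domain functional level of 2008 or later, the ActiveDirectory PowerShell module, and two global security groups named "StandardUsers" and "PrivilegedUsers" (placeholder names); "jdoe" is a placeholder user.

```powershell
# Added example: per-group lockout policies via fine-grained password
# policies (Windows Server 2008 domain functional level or later).
# Group and user names below are placeholders for this example.
Import-Module ActiveDirectory

# Looser policy for the general population: 10 bad attempts, 30-minute lockout.
New-ADFineGrainedPasswordPolicy -Name "PSO-StandardUsers" -Precedence 200 `
    -LockoutThreshold 10 `
    -LockoutDuration "00:30:00" `
    -LockoutObservationWindow "00:30:00" `
    -MinPasswordLength 8 `
    -ComplexityEnabled $true

# Stricter policy for privileged accounts: 5 attempts, 1-hour lockout.
# The LOWER precedence number wins if a user ends up in both groups.
New-ADFineGrainedPasswordPolicy -Name "PSO-PrivilegedUsers" -Precedence 100 `
    -LockoutThreshold 5 `
    -LockoutDuration "01:00:00" `
    -LockoutObservationWindow "01:00:00" `
    -MinPasswordLength 14 `
    -ComplexityEnabled $true

# A PSO applies to users and global security groups, not to OUs,
# so link each policy to its group.
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-StandardUsers" -Subjects "StandardUsers"
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-PrivilegedUsers" -Subjects "PrivilegedUsers"

# Check which policy actually wins for a given account. If this returns
# nothing, the user is covered only by the Default Domain Policy.
Get-ADUserResultantPasswordPolicy -Identity "jdoe" |
    Select-Object Name, Precedence, LockoutThreshold, LockoutDuration, LockoutObservationWindow
```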
    LVL 70

    Expert Comment

    Indeed only one password and account policy PER DOMAIN, so you can't have different settings for different users.

    Author Comment

    Hmm...that is unfortunate, but maybe we'll be able to segment access by box and manage any differences using local instead of domain accounts.  Otherwise everybody will just have to live with the most restrictive settings, which may be inconvenient for them but better than the alternative.
    Any suggestions on why that setting would have no effect, and how to fix it?
    LVL 6

    Assisted Solution

    A very helpful tool to see what policies/settings are being applied by GPOs is Group Policy Management.  If you run the Group Policy Results Wizard (look toward the bottom in the left pane) you can see what will be applied to a specific user on a specific computer, etc., including what GPOs are being applied and which ones aren't.

    In the case of SBS 2003, there are 3 GPOs which are created by default that have settings related to password policy:
    1) Small Business Server Domain Password Policy
    2) Default Domain Policy
    3) Small Business Server Domain Lockout Policy
    If the settings in these are not the same, the last one applied will be the settings you get (without getting into issues of GPO Enforcement, etc.).  If you were to highlight your domain in Group Policy Management and look in the right pane to see the link order, the highest in the list (#1) will be the last one applied.

    If nothing's been changed from the default initial install, the Default Domain Policy is applied, then the Small Business Server Domain Lockout Policy is applied, then the Small Business Server Domain Password Policy is applied, which overwrites any settings in common with the previous policies.  So, to fix this, change the other policies, or create a new one with the settings you want and make sure that it is higher (lower number) in the link order.
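    To check the link order and the lockout values that are really in effect from the command line, here is an added example (not code from this thread). The link-order part assumes the GroupPolicy and ActiveDirectory modules from RSAT on the machine running it; `net accounts /domain` and `gpresult` themselves are available on a Windows Server 2003 domain controller.

```powershell
# Added example: verify which GPO wins at the domain root and what
# account lockout settings the domain is actually enforcing.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# Link order at the domain root. Order 1 is applied LAST, so it wins any
# conflict with the GPOs below it (leaving Enforced links aside).
(Get-GPInheritance -Target $domainDn).GpoLinks |
    Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# Lockout threshold, duration and observation window the domain is using
# right now. Account policies for domain accounts come only from GPOs
# linked at the domain level; if these numbers are not the ones you set,
# a GPO higher in the link order is overriding yours.
net accounts /domain

# Which GPOs the domain controller applied to itself (account policy is
# read from the DC's computer policy). Run this on the DC.
gpresult /scope computer /v |
    Select-String -Pattern "Applied Group Policy Objects" -Context 0,10
```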

    Author Comment

    Hi and Happy New Year, All!
    Thanks very much for your comments, questions and suggestions so far.  I haven't abandoned this question, but the holiday and higher-priority issues did put it on hold so I got a polite reminder from EE.  I'm hoping to get back to it tomorrow.
    All the best,

    Author Closing Comment

    Thanks folks.  We aren't really sure what's going on to prevent it from working in our dev/test environment, but we're accepting defeat for now because we confirmed that it does work in our UAT/prod environment, and that's what's important.
