How to Prevent AD User Account Lockout?

SrinathS
Hello,

I would like to exclude certain users from the "Account Lockout Policy" settings. I have two domain controllers in two forests (two-way trust between them). One domain controller is running on Server 2003 R2 and the other is running on Server 2008 R2 in another forest.

Q: How can I prevent certain users from being locked out in any case? Can I apply it via Group Policy or at least a Registry hack?

Note: I need a solution for both Server 2003 and Server 2008 R2.

Thanks.
GPO would be the best. Copy your current Default Domain Policy and change the "Account Lockout Policy" how you see fit. Set your Security Filtering to only include the users you want the policy to apply to. Apply this policy to the OU of the users and make it higher on the link order than the Default Domain Policy.
The answer above will not work correctly. In a domain at 2003 function level you can only have one password policy configured.

If you are running at 2008 level you can create and attach a PSO to the OUs you want to apply the fine-grained policy to. This cannot be done with standard GPOs.

http://technet.microsoft.com/en-us/library/cc754461%28v=ws.10%29.aspx
news to me...thanks xxd

Author

Commented:
Is there any simple way to fix that? One of my user accounts keeps locking every 30 minutes.
If you have a user account locking out every 30 minutes then you have a problem that needs to be corrected. Changing your password policy to never lock out is not a solution and can expose you to greater danger.

To begin troubleshooting the account lockout, download Microsoft's account lockout toolset: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465

From here you can run lockoutstatus.exe, which will tell you the date, time, and originating DC of the lockout. Then you can begin looking at the logs to figure out what is happening.
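To go from the originating DC to the machine that is sending the bad credentials, here is an added PowerShell example (not from this thread or from the lockout toolset) that reads event ID 4740 from the PDC emulator's Security log. It assumes RSAT's ActiveDirectory module and a 2008 R2 or later PDC emulator; the account name is a constructed placeholder.

```powershell
# Added example, not from the original thread. Lists lockout events (ID 4740,
# "A user account was locked out") for one account from the PDC emulator, which
# receives every lockout in the domain. Assumes the ActiveDirectory RSAT module
# and a 2008 R2 (or later) PDC emulator; Server 2003 records the equivalent as
# event ID 644 in the classic Security log and would need Get-EventLog instead.
Import-Module ActiveDirectory

$SamAccountName = 'jdoe'   # constructed sample account; replace with the locked account
$Hours          = 24       # how far back to search

$pdc = (Get-ADDomain).PDCEmulator

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Pull the EventData fields by name rather than by position.
    $x    = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # In 4740 the locked account is TargetUserName, and the "Caller Computer Name"
    # (the host that submitted the failing credentials) is carried in TargetDomainName.
    [pscustomobject]@{
        Time           = $_.TimeCreated
        Account        = $data['TargetUserName']
        CallerComputer = $data['TargetDomainName']
        ReportingDC    = $pdc
    }
} | Where-Object { $_.Account -eq $SamAccountName } |
    Sort-Object Time | Format-Table -AutoSize
```

Lockouts arriving at a fixed interval that all name the same CallerComputer usually point to a scheduled task or service on that host running with stale credentials, which is what the asker eventually found.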

Author

Commented:
Can I run that tool on Server 2003 R2? I found that the particular user account belongs to the Server 2003 R2 forest, not the 2008 R2 forest.
Yes, you can run this tool from the 2003 server or even your XP or Windows 7 management computer, as long as the account you are logged in with has access to Active Directory.

Author

Commented:
Never mind; I found a tool named "Lockout Fixer". With this tool, I'm able to find the exact reason why the account keeps locking. This is due to a scheduled task which is configured to run with this user account but with wrong credentials, which triggers authentication failure.

Anyway, you directed me onto the right path!
