Account lock-out policy


I want to enforce active directory account lock out policy in our windows 2003 domain where in it will lock any user account for 30 min after three successive wrong password input. It is very straight forward thing I suppose, but the issue is, there are 3 users who are to be exempted from this policies. I can create an ou and put them into that. Is there any other means for achieving this?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Mike KlineCommented:
Unfortunately you can't exclude users in a 2003 domain.   Microsoft answered the call in 2008 and higher with fine grained password policies but in 2003 one PW policy per domain linked at the domain level.

Third party tools like specops and others can help but not sure if you want to spend money.


You have the right idea. Create an OU for your exempt users and place outside of the ou where you apply the policy.
Password policy should be linked to domain
I would suggest you to use security filtering on default domain policy GPO to exclude those workstation to deny access to this policy

else, put those computers in any OU and disable inheritance..

Have never tested but may give a try
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

Mike KlineCommented:
It won't work for the password policy...this is a special case.
Brian PiercePhotographerCommented:
I concur with the first reply. The Password Policy and Lockout Policy in a 2003 domain can only be applied at the domain - set it elsewhere and its simply ignored.

You cannot block inheritance of these policies nor can you filter or apply counter-policies.

In windows 2008 and later you can use a fine-grained password policy - but not in a 2003 domain.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Mohammed KhawajaManager - Infrastructure:  Information TechnologyCommented:
I agree with MKLINE71 that password policy is a special case.  Also note that 3 successive failed logons resulting in account lockout is not a good idea.  Microsoft themselves have something like 40 failed logons in 5 minutes.  Reason for that is due to the fact that a single attempt could result in three failed logons (i.e. what if the app does Kerberos authentication).
bubaibhattaAuthor Commented:
Thanks everyone, so what I understand is that

1. This cant be placed on OU and it has to be placed on Domain level.

2. If I create a special OU and put users on that OU and then block inheritence in that, then it wont work.

3. The reason for avoiding these users were that earlier when we implemented the same, these three (special) users got locked out frequently. So we reverted the policy. Now this time if we create a policy in such a way that account would lock out if "40 failed logon in 5 minutes" happens. If I use it this way, I dont need to create a new OU and hopefully these users will be able to use their id without getting locked out.

Your thoughts......
Mohammed KhawajaManager - Infrastructure:  Information TechnologyCommented:
You are correct, however, I was wrong and that is the account will get locked out after 40 consecutive failed attempts.  What you can do is enable reset account lockout counter after certain amount of time and I would set that to 5 minutes.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.