• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 720

Account lock-out policy


I want to enforce an Active Directory account lockout policy in our Windows 2003 domain, wherein it will lock any user account for 30 minutes after three successive wrong password inputs. It is a very straightforward thing, I suppose, but the issue is that there are 3 users who are to be exempted from this policy. I can create an OU and put them into that. Is there any other means of achieving this?
1 Solution
Mike Kline commented:
Unfortunately you can't exclude users in a 2003 domain. Microsoft answered the call in 2008 and higher with fine-grained password policies, but in 2003 there is one PW policy per domain, linked at the domain level.

Third-party tools like Specops and others can help, but I'm not sure if you want to spend money.

You have the right idea. Create an OU for your exempt users and place it outside of the OU where you apply the policy.
Sarang Tinguria (Sr Engineer) commented:
Password policy should be linked to the domain.
I would suggest you use security filtering on the Default Domain Policy GPO to exclude those workstations, denying them access to this policy.

Else, put those computers in any OU and disable inheritance.

I have never tested this, but you may give it a try.

Mike Kline commented:
It won't work for the password policy... this is a special case.
I concur with the first reply. The Password Policy and Lockout Policy in a 2003 domain can only be applied at the domain; set them elsewhere and they are simply ignored.

You cannot block inheritance of these policies, nor can you filter or apply counter-policies.

In Windows 2008 and later you can use a fine-grained password policy, but not in a 2003 domain.
Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
I agree with MKLINE71 that password policy is a special case. Also note that 3 successive failed logons resulting in account lockout is not a good idea. Microsoft themselves have something like 40 failed logons in 5 minutes. The reason for that is that a single attempt could result in three failed logons (i.e. what if the app does Kerberos authentication).
bubaibhatta (Author) commented:
Thanks everyone, so what I understand is that:

1. This can't be placed on an OU; it has to be placed at the domain level.

2. If I create a special OU, put the users in that OU and then block inheritance on it, it won't work.

3. The reason for avoiding these users was that earlier, when we implemented the same, these three (special) users got locked out frequently, so we reverted the policy. Now, this time, if we create a policy in such a way that the account would lock out if "40 failed logons in 5 minutes" happens, and I use it this way, I don't need to create a new OU and hopefully these users will be able to use their IDs without getting locked out.

Your thoughts...
Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
You are correct; however, I was wrong, and that is the account will get locked out after 40 consecutive failed attempts. What you can do is enable "reset account lockout counter after" a certain amount of time, and I would set that to 5 minutes.
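The trade-off discussed in this thread (a threshold of 3 with a 30-minute counter window locks out users whose client retries a bad credential several times per attempt, while a 40-failure threshold with a 5-minute "reset account lockout counter after" window still stops password guessing) can be checked with a small model of the three lockout settings. This is an added example, not code from the thread or from Microsoft; it is a simplified model of how the failed-logon counter, observation window and lockout duration interact (it auto-unlocks when the duration expires and does not model per-DC counters or replication), and the failure streams it feeds through are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class LockoutPolicy:
    """The three Group Policy knobs under Account Lockout Policy (values are assumptions)."""
    threshold: int                  # "Account lockout threshold" (0 = never lock out)
    observation_window: timedelta   # "Reset account lockout counter after"
    duration: timedelta             # "Account lockout duration"


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[datetime] = None
    locked_until: Optional[datetime] = None
    lockouts: List[datetime] = field(default_factory=list)


def is_locked(state: AccountState, now: datetime) -> bool:
    return state.locked_until is not None and now < state.locked_until


def record_failure(policy: LockoutPolicy, state: AccountState, when: datetime) -> bool:
    """Apply one failed logon at `when`; return True if it triggered a lockout."""
    if policy.threshold == 0 or is_locked(state, when):
        return False
    # The counter is reset once the observation window has elapsed since the last failure.
    if state.last_bad is not None and when - state.last_bad >= policy.observation_window:
        state.bad_count = 0
    state.bad_count += 1
    state.last_bad = when
    if state.bad_count >= policy.threshold:
        state.locked_until = when + policy.duration
        state.lockouts.append(when)
        state.bad_count = 0  # simplified: counter cleared when the lockout expires
        return True
    return False


def simulate(policy: LockoutPolicy, failures: List[datetime]) -> List[datetime]:
    """Run a stream of failed-logon timestamps through the policy; return lockout times."""
    state = AccountState()
    for t in sorted(failures):
        record_failure(policy, state, t)
    return state.lockouts


# Constructed policies: the one asked about in the question, and the relaxed one from the reply.
STRICT = LockoutPolicy(threshold=3, observation_window=timedelta(minutes=30), duration=timedelta(minutes=30))
RELAXED = LockoutPolicy(threshold=40, observation_window=timedelta(minutes=5), duration=timedelta(minutes=30))


def legitimate_user_failures(start: datetime) -> List[datetime]:
    """Constructed stream: three times in a day the user enters one wrong password and the
    client retries it three times within a few seconds (the 'one attempt, three failures' case)."""
    events = []
    for hour in (0, 4, 9):
        burst = start + timedelta(hours=hour)
        events.extend(burst + timedelta(seconds=i) for i in range(3))
    return events


def guessing_burst(start: datetime, count: int = 60) -> List[datetime]:
    """Constructed stream: one failed logon per second, as a password-guessing tool would produce."""
    return [start + timedelta(seconds=i) for i in range(count)]


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 8, 0, 0)
    for name, policy in (("strict 3/30min", STRICT), ("relaxed 40/5min", RELAXED)):
        user = simulate(policy, legitimate_user_failures(t0))
        guess = simulate(policy, guessing_burst(t0))
        print(f"{name}: legitimate user locked out {len(user)} time(s), guessing burst locked out {len(guess)} time(s)")
```

Running it shows the strict policy locking the legitimate user three times in a day while the relaxed policy never does, yet both policies lock the account on a guessing burst; the difference is only how many guesses get through before the lock (3 versus 40), which is the reason the relaxed threshold is still a useful control.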