maharlika
How to make an exception to account lockout settings on a group policy

On Windows 2008 server, our GPO has account lockout on 3 bad attempts.  I want to add an exception for one user, "smith" to not lock out at all (unlimited attempts).  I did this successfully by creating a new policy called "smith" which made lockout at 0 attempts (means it never locks out), applied it to this user, smith, and activated it. At first it worked.  I did about 10 bad pw attempts on it and it didn't lock.  Now all of a sudden it locks again after 3 bad tries, even though I didn't change anything on the policy. What's going on?
McKnife
Hi.

Maybe there's something fundamental being misunderstood: the lockout policy is per-computer, not per user. And if we are talking about domain accounts of a domain at the 2008 functional level, you are able to use per-user password policies, so-called "password settings objects" (PSO) - are you already doing that?
Inside a PSO, we can define that one special user gets different lockout settings than the rest. Simply google "password settings objects".
maharlika,
Is the account lockout policy part of your Default Domain Policy? If it is, to achieve what you want you will have to create a separate policy with just the account lockout settings, link it to the domain policy it was originally in and make sure you have mirrored the original settings with the specific users etc. Then disable the original lockout policy. Once the new policy is created, double-click on it, click the Delegation tab, add your user smith, then click the Advanced tab at the bottom right. In there, highlight smith and at the bottom deny the policy to him.
ASKER CERTIFIED SOLUTION
FOX
This solution is only available to members.
That solution cannot have worked. Lockout policies cannot be denied like that. They apply to the DC (and with it, to all domain users) or they don't apply to the DC. Only password settings objects can be applied per-user. See https://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx
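The PSO approach described in McKnife's two replies, as an added PowerShell example that is not part of the original thread. It assumes a domain at the Windows Server 2008 functional level or higher, the ActiveDirectory module (Server 2008 R2 RSAT or later; a Server 2008 DC needs Active Directory Web Services for the cmdlets to work), Domain Admin rights, and the user "smith" from the question; the PSO name and precedence are placeholders.

```powershell
# Added example, not from the thread: exempt a single domain user from the
# domain-wide lockout threshold with a Fine-Grained Password Policy (PSO).
# A GPO linked to an OU or denied per-user cannot do this for domain accounts.
Import-Module ActiveDirectory

$user    = 'smith'                 # user from the question
$psoName = 'PSO-NoLockout-smith'   # placeholder name, choose your own

# Before: with no PSO in force this returns nothing, i.e. the domain
# password policy (from the Default Domain Policy GPO) governs the account.
$dom = Get-ADDefaultDomainPasswordPolicy
$dom | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow
Get-ADUserResultantPasswordPolicy -Identity $user

# Create the PSO. LockoutThreshold 0 means "never lock out". The remaining
# settings are mandatory PSO attributes, so they are copied from the domain
# policy so that only the lockout behaviour differs for this user.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -LockoutThreshold 0 `
    -LockoutDuration '0.00:30:00' `
    -LockoutObservationWindow '0.00:30:00' `
    -ComplexityEnabled $dom.ComplexityEnabled `
    -MinPasswordLength $dom.MinPasswordLength `
    -PasswordHistoryCount $dom.PasswordHistoryCount `
    -MaxPasswordAge $dom.MaxPasswordAge `
    -MinPasswordAge $dom.MinPasswordAge `
    -ReversibleEncryptionEnabled $dom.ReversibleEncryptionEnabled `
    -Description "Lockout exemption for $user"

# Apply it directly to the one user (a group could be used instead).
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $user

# After: the resultant policy must now be the PSO with LockoutThreshold 0.
# If another PSO with a lower Precedence value also targets the user, that
# one wins, which is the first thing to check when the exemption "stops working".
$effective = Get-ADUserResultantPasswordPolicy -Identity $user
if ($effective -and $effective.Name -eq $psoName -and $effective.LockoutThreshold -eq 0) {
    "OK: $user is governed by $psoName (no lockout)"
} else {
    "WARNING: $user is governed by '$($effective.Name)'; review PSO precedence and subjects"
}

# Keep the exception visible: list everyone covered by this PSO.
Get-ADFineGrainedPasswordPolicySubject -Identity $psoName | Select-Object SamAccountName
```

Lockout duration and observation window are set explicitly because a PSO requires concrete TimeSpan values even when the threshold is 0; match the other values to your own domain policy before running.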