maharlika
asked on
How to make an exception to account lockout settings on a group policy
On Windows 2008 server, our GPO has account lockout on 3 bad attempts. I want to add an exception for one user, "smith" to not lock out at all (unlimited attempts). I did this successfully by creating a new policy called "smith" which made lockout at 0 attempts (means it never locks out), applied it to this user, smith, and activated it. At first it worked. I did about 10 bad pw attempts on it and it didn't lock. Now all of a sudden it locks again after 3 bad tries, even though I didn't change anything on the policy. What's going on?
maharlika,
Is the account lockout policy part of your Default Domain Policy? If it is, to achieve what you want you will have to create a separate policy with just the account lockout settings, link it to the domain policy it was originally in, and make sure you have mirrored the original settings with the specific users etc. Then disable the original lockout policy. Once the new policy is created, double-click on it, click the Delegation tab, add your user smith, then click the Advanced tab at the bottom right. In there, highlight smith and at the bottom deny the policy to him.
That solution cannot have worked. Lockout policies cannot be denied like that. They apply to the DC (and with it, to all domain users) or they don't apply to the DC. Only password settings objects can be applied per-user. See https://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx
Maybe there's something fundamental being misunderstood: the lockout policy is per-computer, not per-user. And if we are talking about domain accounts in a domain at functional level 2008, you are able to use per-user password policies, so-called "password settings objects" (PSOs). Are you already doing that?
Inside a PSO, we can define that one special user gets other lockout settings then the rest. Simply google "password settings objects"
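The last two replies say the lockout threshold cannot be denied per user through a GPO, but it can be set per user with a Password Settings Object. The script below is an added example, not code from the thread or from Microsoft: it creates a PSO that mirrors the domain defaults except for the lockout threshold, binds it to the user smith from the question, and then reads back the policy that actually applies to him. It assumes the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and RSAT; on Server 2008 RTM the same object is created with ADSI Edit under CN=Password Settings Container,CN=System of the domain). The PSO name and precedence value are assumed.

```powershell
# Added example, not from the thread: give one user a different lockout policy with a
# Password Settings Object (PSO) instead of trying to deny a GPO per user.
# Assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT) on a
# domain-joined admin machine. "smith" is the user from the question; the PSO name and
# precedence are assumed values.
Import-Module ActiveDirectory

$user    = 'smith'
$psoName = 'PSO-NoLockout-smith'   # assumed name
$domain  = Get-ADDomain

# PSOs only exist at domain functional level Windows Server 2008 or higher.
$tooOld = @('Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain')
if ($tooOld -contains $domain.DomainMode) {
    throw "Domain functional level is $($domain.DomainMode); PSOs need Windows2008Domain or higher."
}

# Mirror the domain defaults for everything except the lockout threshold, so the PSO
# changes only what the question is about.
$default = Get-ADDefaultDomainPasswordPolicy

$psoParams = @{
    Name                        = $psoName
    Precedence                  = 10      # lower number wins if several PSOs apply to one user
    LockoutThreshold            = 0       # 0 = never lock out, as in the question
    LockoutDuration             = $default.LockoutDuration
    LockoutObservationWindow    = $default.LockoutObservationWindow
    ComplexityEnabled           = $default.ComplexityEnabled
    MinPasswordLength           = $default.MinPasswordLength
    MinPasswordAge              = $default.MinPasswordAge
    MaxPasswordAge              = $default.MaxPasswordAge
    PasswordHistoryCount        = $default.PasswordHistoryCount
    ReversibleEncryptionEnabled = $default.ReversibleEncryptionEnabled
}
New-ADFineGrainedPasswordPolicy @psoParams

# Bind the PSO to the user. PSOs apply to users and global security groups only,
# not to OUs or computers, which is why a (per-computer) GPO cannot express this.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $user

# Verify what is actually in effect for smith: LockoutThreshold should now read 0.
# If nothing is returned, no PSO applies and the Default Domain Policy still wins.
Get-ADUserResultantPasswordPolicy -Identity $user |
    Select-Object Name, Precedence, LockoutThreshold, LockoutDuration, LockoutObservationWindow
```

The final Get-ADUserResultantPasswordPolicy call is the check the original poster was missing: it reports the policy the domain controller will actually enforce for that one account, regardless of which GPOs are linked or denied. Note that an account with a lockout threshold of 0 has no lockout protection at all, so failed logons against it show up only in the domain controller's audit log (failed-logon events such as 4625 and Kerberos pre-authentication failure 4771) rather than as a lockout event.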