How to make an exception to account lockout settings on a group policy

On Windows 2008 server, our GPO has account lockout on 3 bad attempts. I want to add an exception for one user, "smith", to not lock out at all (unlimited attempts). I did this successfully by creating a new policy called "smith" which set lockout at 0 attempts (meaning it never locks out), applied it to this user, smith, and activated it. At first it worked. I did about 10 bad password attempts on it and it didn't lock. Now all of a sudden it locks again after 3 bad tries, even though I didn't change anything on the policy. What's going on?
Asked by maharlika
McKnife commented:
Hi.

Maybe there's something fundamental being misunderstood: the lockout policy is per-computer, not per-user. And if we are talking about domain accounts in a domain at functional level 2008, you are able to use per-user password policies, so-called "password settings objects" (PSOs). Are you already doing that?
Inside a PSO, we can define that one special user gets different lockout settings than the rest. Simply google "password settings objects".
FOX (Active Directory/Exchange Engineer) commented:
maharlika,
Is the account lockout policy part of your Default Domain Policy? If it is, to achieve what you want you will have to create a separate policy with just the account lockout settings, link it where the original was linked, and make sure you have mirrored the original settings for the specific users etc. Then disable the original lockout policy. Once the new policy is created, double-click on it, click the Delegation tab, add your user smith, then click the Advanced button at the bottom right. In there, highlight smith and at the bottom deny the policy to him.
FOX (Active Directory/Exchange Engineer) commented:
I just realized you said you created a new lockout policy. Is the original one still enabled?
Make sure the new one has all the settings of the original one and deny Apply Group Policy for smith. Disable the original one.
On smith's machine run `gpupdate /force`.
McKnife commented:
That solution cannot have worked. Lockout policies cannot be denied like that. They apply to the DC (and with it, to all domain users) or they don't apply to the DC. Only password settings objects can be applied per-user. See https://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx
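The per-user route McKnife describes, as an added example that is not from the thread: create a Password Settings Object with a lockout threshold of 0 and apply it to smith, then verify which policy actually wins for that account. It assumes the ActiveDirectory PowerShell module (Server 2008 R2 RSAT or later; on plain 2008 the same PSO is created through ADSI Edit), a domain functional level of at least 2008, and the PSO name, precedence and password values below are placeholders that should mirror your own domain policy.

```powershell
# Added example, not code from the thread. Requires the ActiveDirectory module
# and domain functional level >= Windows Server 2008 (PSO support).
Import-Module ActiveDirectory

$psoName = 'PSO-NoLockout-smith'   # assumed name

# LockoutThreshold 0 means the account is never locked out. A PSO replaces the
# WHOLE password/lockout policy for its subjects, not only the lockout part, so
# every other value is set explicitly; the values here are the Windows defaults
# and should be replaced with what your Default Domain Policy actually sets.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -LockoutThreshold 0 `
    -LockoutDuration '0.00:30:00' `
    -LockoutObservationWindow '0.00:30:00' `
    -ComplexityEnabled $true `
    -MinPasswordLength 7 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '42.00:00:00' `
    -PasswordHistoryCount 24 `
    -ReversibleEncryptionEnabled $false `
    -Description 'Lockout exception for smith (mirror the domain policy values)'

# PSOs are applied to users or global security groups, not to OUs or computers.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'smith'

# Verify the effective policy: the PSO with the lowest Precedence value wins.
# If this returns nothing, no PSO applies and the domain GPO lockout settings
# (3 attempts in the question) are what the DC enforces for smith.
Get-ADUserResultantPasswordPolicy -Identity 'smith' |
    Select-Object Name, Precedence, LockoutThreshold, LockoutDuration

# Clear any lockout that happened before the PSO took effect, and show state.
Unlock-ADAccount -Identity 'smith'
Get-ADUser -Identity 'smith' -Properties LockedOut |
    Select-Object SamAccountName, LockedOut

# With lockout disabled for this account, failed logons are no longer stopped
# by policy, so watch DC security events 4625 / 4771 for smith instead.
```

Running `gpupdate /force` does not influence a PSO; it is read by the domain controller at authentication time, so the resultant-policy check above is the relevant test.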