Default Domain Policy GPO Account Polices being overridden by Domain Controller's Local Security Policy

The Default Domain Policy GPO specifies a value of 3 for the "Account Lockout Threshold", however, the value that is in effect is "5".  I've discovered that users are getting the effective value from the Domain Controllers' Local Security Policy (not to be confused with the Default Domain Controllers Policy GPO), which some people say is by design.  My first question is:  Is this how the system should be working? My second question is, if the answer to the first is "yes", what other settings/values in the Domain Controllers' Local Security Policy might be overriding my Default Domain Policy GPO?
Drew McCurdyAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Default domain policy has final authority for account and password polices

run rsop.msc on domain controller and you should see only default domain policy setting is applied,?

U need to make sure account policy (default domain policy) is latched to domain level with required settings

and if you have blocked inheritance on domain controllers OU, it need to be removed
Brian MurphySenior Information Technology ConsultantCommented:
In effect from at a down level client workstation?  Technically there is no local GPO (on the Controller) once you install AD.  Any local GPO on clients workstation would be overwritten by Domain policies unless you have a restriction policy above it in GPO and where that workstation is in that OU.

On one of the workstations, open CMD prompt and type "gpresult /v > c:\gpresults.txt"

Then, notepad c:\gpresults.txt

Verify actual applied policies on that workstation.  Per Mahesh comments above it is most likely blocked inheritance or forced policy.
gpresult will tell you which policy has won and what is in effect. Just use it.
gpresult /h %temp%\results.html &  %temp%\results.html

Open in new window

Execute that on an elevated command prompt on the DC.
SolarWinds® VoIP and Network Quality Manager(VNQM)

WAN and VoIP monitoring tools that can help with troubleshooting via an intuitive web interface. Review quality of service data, including jitter, latency, packet loss, and MOS. Troubleshoot call performance and correlate call issues with WAN performance for Cisco and Avaya calls

Drew, you fell silent - do you need help with the instructions/suggestions?
Drew McCurdyAuthor Commented:
I think we can go ahead and close this. I've gotten to a point where GP settings seem to be applying correctly. That being said, I ran into a situation where member servers would not inherit new Default Domain Policy settings and, instead, used cached ones. It took deleting the Group Policy hive in the registry on a few of the servers and rebooting to get them to adopt the new settings. Anyway, thanks for the help.
Ok, godd. Close it by selecting your comment as solution and also helpful comments (if any).
If you could explain what hive / key you deleted on member servers it will be helpful for others incase
Drew McCurdyAuthor Commented:
It is always advisable, no matter what hive / key you're going to delete, to back it up first. Again, in order for a few of my member servers to adopt the new policy, I had to delete the entire "Group Policy" key shown below, and then reboot the server:

 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Please select your own comment as solution, not mine
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.