Account Lockout GPO Policy

    Question

  • Hi,

    In my default domain, I didn't set an account lockout policy. I have an OU which has some critical accounts. I created a new GPO and applied it to this OU, even enforced it, but I am still not able to get the lockout policy working. It seems it is being overridden by the Default Domain Policy. How can I make it work?

    Regards

    Usman Ghani


    Usman Ghani - MCITP Exchange 2010

    Wednesday, January 25, 2017 1:07 PM

Answers

  • Hi Usman,

    In my default domain, I didn't set an account lockout policy. I have an OU which has some critical accounts. I created a new GPO and applied it to this OU, even enforced it, but I am still not able to get the lockout policy working. It seems it is being overridden by the Default Domain Policy. How can I make it work?

    >>> This is normal behavior, because for domain accounts there can be only one account policy per domain. The account policy must be defined in the Default Domain Policy or in a new policy that is linked to the root of the domain and given precedence over the Default Domain Policy, which is enforced by the domain controllers that make up the domain.

    If you want multiple password policies, you could configure Fine-Grained Password Policies.

    For more information about account policies and FGPP, you could refer to the articles below.

    Account Policy Settings

    https://technet.microsoft.com/en-us/library/cc757692(v=ws.10).aspx

    Step-by-Step: Enabling and Using Fine-Grained Password Policies in AD

    https://blogs.technet.microsoft.com/canitpro/2013/05/29/step-by-step-enabling-and-using-fine-grained-password-policies-in-ad/

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, January 25, 2017 2:35 PM
    Moderator
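
One way to set up the Fine-Grained Password Policy suggested in the answer above, as an added example that is not part of the original thread. The OU path, group name, PSO name and lockout values are assumptions chosen for illustration; it needs the ActiveDirectory module and rights to create PSOs.

```powershell
# Added example; the OU, group and PSO names and the lockout values are assumptions.
Import-Module ActiveDirectory

$ouPath    = 'OU=Critical Accounts,DC=example,DC=com'  # hypothetical OU
$groupName = 'PSO-CriticalAccounts'                     # hypothetical shadow group
$psoName   = 'Critical-Accounts-Lockout'                # hypothetical PSO name

# A PSO applies to users or global security groups, never to an OU,
# so mirror the OU's users into a global security group.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupScope Global -GroupCategory Security -Path $ouPath
}
$members = @(Get-ADGroupMember -Identity $groupName |
             Select-Object -ExpandProperty DistinguishedName)
$toAdd   = @(Get-ADUser -SearchBase $ouPath -Filter * |
             Where-Object { $members -notcontains $_.DistinguishedName })
if ($toAdd.Count -gt 0) { Add-ADGroupMember -Identity $groupName -Members $toAdd }

# A PSO replaces the whole account policy for its subjects, so copy the
# domain's password settings and change only the lockout values.
$domain = Get-ADDefaultDomainPasswordPolicy
$pso = @{
    Name                        = $psoName
    Precedence                  = 10    # lower number wins when several PSOs apply
    ComplexityEnabled           = $domain.ComplexityEnabled
    ReversibleEncryptionEnabled = $domain.ReversibleEncryptionEnabled
    MinPasswordLength           = $domain.MinPasswordLength
    PasswordHistoryCount        = $domain.PasswordHistoryCount
    MinPasswordAge              = $domain.MinPasswordAge
    MaxPasswordAge              = $domain.MaxPasswordAge
    LockoutThreshold            = 5                             # constructed value
    LockoutObservationWindow    = [TimeSpan]::FromMinutes(15)   # constructed value
    LockoutDuration             = [TimeSpan]::FromMinutes(30)   # must be >= window
}
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy @pso
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName
}

# Verify: empty output for a user means only the domain policy applies to it.
Get-ADUser -SearchBase $ouPath -Filter * | ForEach-Object {
    Get-ADUserResultantPasswordPolicy -Identity $_ |
        Select-Object Name, LockoutThreshold, LockoutDuration, LockoutObservationWindow
}
```

Group membership does not follow OU moves, so the membership sync has to be re-run whenever accounts are moved into or out of the OU.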

All replies

  • Hi,

    In my default domain, I didn't set an account lockout policy. I have an OU which has some critical accounts. I created a new GPO and applied it to this OU, even enforced it, but I am still not able to get the lockout policy working. It seems it is being overridden by the Default Domain Policy. How can I make it work?

    Lockout policy is applied via the Default Domain Policy. You cannot mess with it. If you want a unique lockout policy for your user, you need to use a PSO.


    Mahdi Tehrani | www.mahditehrani.ir
    Please click on Propose As Answer or to mark this post as and helpful for other people.
    This posting is provided AS-IS with no warranties, and confers no rights.

    Wednesday, January 25, 2017 1:35 PM
    Moderator
  • Greetings Jay!

    Although your answer is totally right, I would suggest that you not self-propose too soon. Thank you! :)


    Mahdi Tehrani | www.mahditehrani.ir

    Wednesday, January 25, 2017 3:54 PM
    Moderator
  • Hi Usman

    Are there any updates?

    If the reply above has resolved your problem, please mark it as the answer, as it would be helpful to anyone who encounters a similar issue.

    Thank you.

    Best Regards,

    Jay



    Thursday, February 2, 2017 12:07 PM
    Moderator