Remove From My Forums

Account Lockout Question

Question

0

Sign in to vote

We have a 10 minute lock out policy for 3 incorrect passwords. We have a requirement for an application that the lock out be 30 minutes. Is there a way to group the machines for that application and apply a longer lockout for a user failing 3 password attempts on those machines? Or is the overall 10 minute policy the extent of what we can set?

Wednesday, July 15, 2015 3:38 PM

Reply

|

Quote

Answers

1

Sign in to vote
One policy per domain in pretty sure?

To configure anything else outside of the one per domain you need

AD DS Fine-Grained Password and Account Lockout

https://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx
- Edited by AlexAdkin Wednesday, July 15, 2015 7:23 PM
- Proposed as answer by Elaine JingModerator Monday, July 20, 2015 9:48 AM
- Marked as answer by Elaine JingModerator Wednesday, July 22, 2015 2:42 AM
Wednesday, July 15, 2015 7:22 PM

Reply

|

Quote

0

Sign in to vote
> You can create a OU for this machines and move this computers in this

> OU,then on GPMC,"select "block inheritance" for this OU,then create and

> edit gpo for 30 min.finaly apply this OU.

No, you cannot. These GPOs would only affect local accounts on the

computers, not domain accounts...

Greetings/Grüße, Martin

Mal ein gutes Buch über GPOs lesen?
Good or bad GPOs? - my blog…
And if IT bothers me - coke bottle design refreshment (-:
- Marked as answer by Elaine JingModerator Wednesday, July 22, 2015 2:42 AM
Thursday, July 16, 2015 1:12 PM

Reply

|

Quote

All replies

0

Sign in to vote

Hi

You can create a OU for this machines and move this computers in this OU,then on GPMC,"select "block inheritance" for this OU,then create and edit gpo for 30 min.finaly apply this OU.

Wednesday, July 15, 2015 4:50 PM

Reply

|

Quote

1

Sign in to vote
One policy per domain in pretty sure?

To configure anything else outside of the one per domain you need

AD DS Fine-Grained Password and Account Lockout

https://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx
- Edited by AlexAdkin Wednesday, July 15, 2015 7:23 PM
- Proposed as answer by Elaine JingModerator Monday, July 20, 2015 9:48 AM
- Marked as answer by Elaine JingModerator Wednesday, July 22, 2015 2:42 AM
Wednesday, July 15, 2015 7:22 PM

Reply

|

Quote

0

Sign in to vote
> You can create a OU for this machines and move this computers in this

> OU,then on GPMC,"select "block inheritance" for this OU,then create and

> edit gpo for 30 min.finaly apply this OU.

No, you cannot. These GPOs would only affect local accounts on the

computers, not domain accounts...

Greetings/Grüße, Martin

Mal ein gutes Buch über GPOs lesen?
Good or bad GPOs? - my blog…
And if IT bothers me - coke bottle design refreshment (-:
- Marked as answer by Elaine JingModerator Wednesday, July 22, 2015 2:42 AM
Thursday, July 16, 2015 1:12 PM

Reply

|

Quote