How do you apply "account lockout policy" to non-domain-member computers?

    Question

  • Windows Server 2008 R2

    I guess I'm not yet that familiar with Group Policy. I have an account lockout policy enabled on my users' OU (one I created, not the default "Users") and it is set in the "Computer Configuration" part of the GPO.

    As I understand it, such an account lockout policy only applies to users logging in from domain member computers where the GPO was linked. Right? Now, what if I use my AD account and log in from a non-domain-member computer or device; will the account lockout policy apply?

    I'm kind of confused because the non-domain-member computer, of course, would not have received the GPO.

    Monday, January 02, 2017 8:49 AM

Answers

  • I guess I'm not yet that familiar with Group Policy. I have an account lockout policy enabled on my users' OU (one I created, not the default "Users") and it is set in the "Computer Configuration" part of the GPO.

    If it is not enabled at the domain level, then you need to use AD DS Fine-Grained Password Policies to make it work: https://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx

    As I understand it, such an account lockout policy only applies to users logging in from domain member computers where the GPO was linked. Right?

    Not correct. An account is locked even when wrong credentials are sent from non-domain systems.

    Now, what if I use my AD account and log in from a non-domain-member computer or device; will the account lockout policy apply?

    I believe you are referring to applications that use AD for authentication, like Outlook. If so, the answer is yes. Otherwise, you cannot log in to a Windows system using your domain credentials if it is not joined to the domain.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK

    • Marked as answer by Reno Mardo Monday, January 02, 2017 9:50 AM
    Monday, January 02, 2017 9:36 AM
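The point in the answer above, that lockout is enforced by the domain controller rather than by the client, can be checked and acted on from PowerShell. The following is an added example, not code from the original thread or from Microsoft. It assumes the ActiveDirectory RSAT module on a Windows Server 2008 R2 or later domain, a domain functional level of at least Windows Server 2008 (required for Fine-Grained Password Policies), Domain Admin rights, and hypothetical names: the PSO `Handheld-Lockout-PSO`, the group `Handheld-Users` and the user `jdoe`. It reads the domain-wide lockout settings, creates a PSO for the users who sign in from the non-domain handhelds mentioned later in the thread, shows the policy a given user actually gets, and pulls the lockout events (ID 4740) from the PDC emulator, whose Caller Computer Name field shows the device the bad passwords came from even though that device never received a GPO.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# RSAT module, Windows Server 2008 domain functional level or higher, and
# Domain Admin rights. The PSO name, group name and user name are hypothetical.

Import-Module ActiveDirectory

# 1. Where the lockout policy for domain accounts actually lives: on the domain
#    object, written by the GPO linked at the domain root (by convention the
#    Default Domain Policy). An Account Lockout Policy in a GPO linked to an OU
#    only affects local accounts on the computers in that OU. If all three
#    values below are 0, domain accounts are never locked out at all.
$domain = Get-ADDomain
Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. Apply a lockout policy to a subset of users with a Password Settings
#    Object (PSO). A PSO binds to the user object (directly or via a global
#    security group, never via an OU), so it is enforced wherever the bad
#    password comes from: Kerberos, NTLM or LDAP bind, from any device.
$psoName = 'Handheld-Lockout-PSO'                       # hypothetical name
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -LockoutThreshold 5 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ComplexityEnabled $true `
        -MinPasswordLength 12 `
        -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 90) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -ReversibleEncryptionEnabled $false
}
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Handheld-Users'   # hypothetical group

# 3. Verify the policy a user really gets: a PSO overrides the domain default,
#    and among several PSOs the lowest Precedence wins.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |                                   # hypothetical user
    Select-Object Name, Precedence, LockoutThreshold, LockoutDuration

# 4. Confirm lockouts and see where the bad passwords came from. Each DC keeps
#    its own badPwdCount and forwards bad-password attempts to the PDC emulator,
#    which is where event 4740 (account locked out) is logged. Its second
#    property (TargetDomainName) carries the NetBIOS name the calling device
#    presented, so a non-domain handheld shows up here by the name it reported.
$pdc = $domain.PDCEmulator
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 20 |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $_.Properties[0].Value   # TargetUserName: the locked account
            Source  = $_.Properties[1].Value   # TargetDomainName: Caller Computer Name
            DC      = $_.MachineName
        }
    }

# 5. Unlock only after the source is understood. -WhatIf shows what would
#    happen without changing anything; drop it to actually unlock.
Search-ADAccount -LockedOut | Unlock-ADAccount -WhatIf
```

Two practical caveats. First, the reason an OU-linked GPO "does nothing" for domain accounts is not that the client never received it; the Account Lockout Policy settings for domain accounts are read by the domain controllers from the domain root, so an OU link is simply the wrong scope, and a PSO is the supported way to vary the policy per user or group. Second, with handhelds and other non-domain devices in play, a lockout policy turns any device holding a stale cached password into a denial of service against that user, which is why step 4 identifies the caller before step 5 unlocks anything.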

All replies

  • Now, what if I use my AD account and log in from a non-domain-member computer or device; will the account lockout policy apply?

    I believe you are referring to applications that use AD for authentication, like Outlook. If so, the answer is yes. Otherwise, you cannot log in to a Windows system using your domain credentials if it is not joined to the domain.


    We have people using handheld devices (running Windows Mobile OS 6.x, but other handheld devices will come into play, like Android) and the applications created for those handhelds use AD accounts for authentication.

    Thank you for clarifying that part.

    Monday, January 02, 2017 9:48 AM