Exclude 1 user from account lockout policy

    Question

  • Hi,

    Can I remove 1 user domain id from account lockout policy (lockout because of bad password attempts)?

    Regards

    Sajid

    Wednesday, March 15, 2017 5:57 AM

All replies

  • FGPP is implemented. I have removed the user from the FGPP, but the account still gets locked.

    Can I check which policy is implemented on the user?

    Wednesday, March 15, 2017 7:59 AM
  • Hi,

    I created one FGPP (ParisUsersPolicy) and added my test user paris on my test machine. 

    This command will give you Name, ObjectClass and DistinguishedName. Under Name you will see the user name or group name, and under ObjectClass it will show you whether that is a user or a group:

    Get-ADFineGrainedPasswordPolicySubject -Identity ParisUsersPolicy | FT Name,ObjectClass,DistinguishedName -AutoSize

    With this command you can get the properties of the policy. It will show you what it applies to:

    Get-ADFineGrainedPasswordPolicy 'CN=ParisUsersPolicy,CN=Password Settings Container,CN=System,DC=mehic,DC=se' -Properties *

    Get all the Fine Grained Password Policy objects that have a name that begins with "name", in my case paris:

    Get-ADFineGrainedPasswordPolicy -Filter {name -like "*paris*"}

    Run gpresult /R as well to see all GPO policies that are applied to the user, and check whether you have another GPO which is configured with an account lockout policy.

    You said that you already have GPO with lockout settings.

    Your best option then would be to remove the user from that OU, or to remove the GPO which is applied to that OU and create an FGPP for user groups.

    ------------------------------------------------------------------------------------------------------------
    If you found this post helpful, please give it a "Helpful" vote. 
    Please remember to mark the replies as answers if they help.
    (This can be beneficial to other community members reading the thread).
    Wednesday, March 15, 2017 9:42 AM
  • Hi,
    When using fine-grained password policies, you could use the following command to check what policy is being applied to a specific user:
    dsquery user -samid <username> | dsget user -effectivepso
    Alternatively, you could view the resultant Password Settings object (PSO) for a user object from Windows interface, please see:
    View a Resultant PSO for a User or a Global Security Group
    https://technet.microsoft.com/en-us/library/cc770848(v=ws.10).aspx
    Best regards,
    Wendy

    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, March 16, 2017 7:07 AM
    Moderator
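
The replies above show how to look up the resultant PSO; the sketch below, an added example that is not part of any post in this thread, walks through the precedence rules that decide which lockout settings a user ends up with, and why unlinking a user from one FGPP can still leave the account subject to lockout. The user and group DNs, the StaffPolicy PSO and every threshold value are constructed for illustration.

```powershell
# Added example, not from the thread. Input objects mirror properties returned by
# Get-ADFineGrainedPasswordPolicy (Name, Precedence, LockoutThreshold, AppliesTo).
function Resolve-EffectiveLockout {
    param(
        [string]   $UserDN,
        [string[]] $GroupDNs,        # global security groups the user is a member of
        [object[]] $Psos,            # all PSOs in the Password Settings Container
        [int]      $DomainThreshold  # lockout threshold of the domain-level policy
    )
    # 1. PSOs linked directly to the user beat PSOs inherited through groups.
    $source     = 'PSO linked to user'
    $candidates = @($Psos | Where-Object { $_.AppliesTo -contains $UserDN })
    if ($candidates.Count -eq 0) {
        $source     = 'PSO linked to group'
        $candidates = @($Psos | Where-Object {
            $pso = $_
            @($GroupDNs | Where-Object { $pso.AppliesTo -contains $_ }).Count -gt 0
        })
    }
    # 2. No PSO applies at all: the domain-level lockout policy is in effect.
    if ($candidates.Count -eq 0) {
        return [pscustomobject]@{ Source = 'Domain policy'; Name = $null
                                  LockoutThreshold = $DomainThreshold }
    }
    # 3. The lowest Precedence value wins (AD breaks ties by smallest objectGUID,
    #    so give every PSO a unique precedence).
    $winner = $candidates | Sort-Object Precedence | Select-Object -First 1
    [pscustomobject]@{ Source = $source; Name = $winner.Name
                       LockoutThreshold = $winner.LockoutThreshold }
}

# Constructed sample data: DNs, the StaffPolicy PSO and all values are hypothetical.
$user   = 'CN=paris,CN=Users,DC=mehic,DC=se'
$groups = @('CN=ParisStaff,CN=Users,DC=mehic,DC=se')
$psos   = @(
    [pscustomobject]@{ Name = 'ParisUsersPolicy'; Precedence = 10
                       LockoutThreshold = 0; AppliesTo = @($user) }   # 0 = never lock out
    [pscustomobject]@{ Name = 'StaffPolicy'; Precedence = 20
                       LockoutThreshold = 5; AppliesTo = $groups }
)

# While the user is linked to ParisUsersPolicy, that PSO wins.
Resolve-EffectiveLockout -UserDN $user -GroupDNs $groups -Psos $psos -DomainThreshold 5

# After unlinking the user from ParisUsersPolicy, the group PSO takes over.
$psos[0].AppliesTo = @()
Resolve-EffectiveLockout -UserDN $user -GroupDNs $groups -Psos $psos -DomainThreshold 5
```

In a live domain, Get-ADUserResultantPasswordPolicy -Identity <username> returns the winning PSO, and returns nothing when only the domain-level policy applies.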
  • Hi Sajid,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    If the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy



    Tuesday, March 21, 2017 9:02 AM
    Moderator