Default Group Policy - Custom policies don't apply?

    Question

  • We have some computers in TEST OU with password lockout after 4 attempts but it doesn't work.  If we disable the Default Group policy in the domain controller then it works.

    With the Default Group Policy enabled, we run RSOP.exe and it does show the correct policies were applied, but why does it still not lock the user accounts after 4 attempts?  There is no password lockout policy in the Default Group Policy.

    Thank you!

    Sunday, February 8, 2015 11:27 PM

All replies

  • Hello, 

    Can you execute the command gpresult /H c:\result.html on the desktop?

    Send me the file, please.

    Monday, February 9, 2015 12:18 AM
  • Thank you. What are we looking for in the result.html file?
    Monday, February 9, 2015 2:07 AM
  • I have the file, but sorry, how do I send it to you?
    Monday, February 9, 2015 4:01 AM
  • > We have some computers in TEST OU with password lockout after 4 attempts
    > but it doesn't work.  If we disable the Default Group policy in the
    > domain controller then it works.
     
    Local accounts or domain accounts?
     

    Martin

    Care to read a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Monday, February 9, 2015 9:35 AM
  • Domain accounts with local admins.

    Here is the structure:

    Group Policy Management
    - Forest: TESTAD.local
    ---- Domains
    -------- TESTAD.local
    ------------ Default Domain Policy (Link enabled, if I disable this link then it works)
    ------------ WSE Group Policy Security Templates (Link enabled)
    ------------ TEST OU
    ---------------- Test_GPO (Link enabled)
    ------------ Group Policy Objects
    ---------------- Default Domain Controller Policy
    ---------------- Default Domain Policy
    ---------------- WSE Group Policy Security Templates
    ---------------- Test_GPO

    result.html shows Test_GPO did apply.

    Thank you

    Monday, February 9, 2015 6:26 PM
  • In result.html, under Applied GPOs (Windows 7 Pro):

    Local Group Policy

    WSE Group Policy Security Templates

    Default Domain Policy

    Test_GPO GPO

    On another computer Windows 8.1 Pro, it says:

    WSE Group Policy Security Templates

    Default Domain Policy

    Test_GPO GPO

    Not sure why the local policy applied to the Windows 7 computer.  But for both computers, the lockout policy is still not working.

    Thanks.

    Monday, February 9, 2015 7:06 PM
  • > Local Group Policy
     
    This is present because someone opened gpedit.msc on the computer and
    configured something in there.
     
    > Not sure why, local policy applied to Windows 7 computer.  But for both
    > computers, the lockout policy is still not working.
     
    Because Account policies for domain users can only be changed at the
    Domain level, not at OU level. Account policies at OU level are only
    applied to LOCAL accounts, not to domain accounts.
     
    If you're running 2008 DFL, you can use FGPP and PSO.
     

    Martin

    Tuesday, February 10, 2015 7:58 AM
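
The domain-level versus PSO distinction from the reply above, as an added example that is not part of the original thread: it reads the lockout settings domain accounts actually receive, then creates a fine-grained password policy (PSO) with the 4-attempt lockout and checks which policy a user resolves to. It assumes the ActiveDirectory PowerShell module and a domain admin session; the group name, PSO name, user name and the 30-minute lockout timings are hypothetical.

```powershell
Import-Module ActiveDirectory

# Hypothetical names, not taken from the thread.
$groupName = 'TEST-Lockout-Users'
$psoName   = 'TEST-Lockout-PSO'
$testUser  = 'jdoe'

# 1. Domain accounts take lockout settings from the domain-level policy,
#    whatever an OU-linked GPO such as Test_GPO says.
$default = Get-ADDefaultDomainPasswordPolicy
$default | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. Fine-grained password policies need a 2008 or higher domain functional level.
$minMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
$domain  = Get-ADDomain
if ($domain.DomainMode -lt $minMode) {
    throw "DFL is $($domain.DomainMode); FGPP requires Windows2008Domain or higher."
}

# 3. A PSO is applied to users or global security groups, never to an OU.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $groupName -Members $testUser

# 4. A PSO replaces the whole account policy for its subjects, so copy the
#    password settings from the domain default and change only the lockout part.
$pso = @{
    Name                        = $psoName
    Precedence                  = 10
    LockoutThreshold            = 4            # value from the thread
    LockoutDuration             = '00:30:00'   # assumed
    LockoutObservationWindow    = '00:30:00'   # assumed; must not exceed the duration
    ComplexityEnabled           = $default.ComplexityEnabled
    MinPasswordLength           = $default.MinPasswordLength
    MinPasswordAge              = $default.MinPasswordAge
    MaxPasswordAge              = $default.MaxPasswordAge
    PasswordHistoryCount        = $default.PasswordHistoryCount
    ReversibleEncryptionEnabled = $default.ReversibleEncryptionEnabled
}
New-ADFineGrainedPasswordPolicy @pso
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# 5. Returns the winning PSO for the user; empty output means the domain
#    default policy from step 1 still applies.
Get-ADUserResultantPasswordPolicy -Identity $testUser |
    Select-Object Name, Precedence, LockoutThreshold
```
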
  • Thank you!

    We're running Windows 2012 R2 Essential edition, can we use FGPP and PSO?

    Tuesday, February 10, 2015 6:14 PM