Re: RSoP Lockout Account

Account Policy, or more specifically any items within Computer
Configuration\Windows Settings\Security Settings\Account Policies, for
*domain accounts* (i.e. not local workstation or member server accounts) can
only be deployed from a GPO linked at the domain level and there can be only
one account policy per domain for *domain user accounts*. That being said,
you can have a different account policy, linked to an OU that affects
*local* user accounts on the workstations and member servers in those OUs
differently, and you could probably achieve your testing goals using local
accounts instead of domain ones.

In the future, rumor has it that Longhorn server will support multiple
account policies per domain, but again, I haven't seen that in writing yet.
:-)

Darren

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Whitepapers and Utilities for all things Group Policy-related
Just Released! The new Windows Group Policy Guide from Microsoft Press!!!
Check it out at http://www.microsoft.com/mspress/books/8763.asp


"Alan Byrne" <Alan Byrne@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7CB5AE8C-7667-4F50-8450-C38291097DED@xxxxxxxxxxxxxxxx
> I've been having this exact problem for weeks now, I've been searching and
> digging through all sorts of documents, white papers etc but would be abit
> dissapointed if this is the reason why my lockout threshold policy is
> applying to users within an OU.
>
> I only have one domain on my AD schema, so how can I carryout testing for
> security policies if I cant implement any security GPs on OUs within that
> domain? For example, how can I test what will happen when I set the MS
> password complexity GP to users when some of them dont even have passwords
> on
> their accounts, when they login will it force them to use change it?
>
> Any extra advice or links on applying GPs from the Security Policies
> section
> of a GPO would be very useful, as this is the first time I've read they
> can
> only be applied at domain level, I'm also very surprised that MS tools
> such
> as RSoP show configured security policies (eg lockout threshold) within a
> GPO
> applied only to an OU will apply to specified users even though they wont?
>
> Thks, Alan
> "Ken B" wrote:
>
>> You can have only one password / lockout policy per domain. It goes
>> hand-in-hand with the saying "A chain is only as strong as its weakest
>> link"... the point of the domain is to make a unified security structure.
>> Wouldn't make sense to have a weaker policy in effect for part of the
>> domain
>> than another part.
>>
>> hth,
>>
>> Ken
>>
>> "RG" <RG@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:3C50D3D9-8F75-4E0F-A328-038E7672E263@xxxxxxxxxxxxxxxx
>> > Hi
>> >
>> > I'm trying to aply a GPO to an OU that contains computers, i want to be
>> > able
>> > to make any user in those computers have their account lookout after 3
>> > atempts.
>> > I created the GPO on the computers OU that i created.
>> > I aplyed the settings i want.
>> > The default setting of 0 atempts was removed from the defaut domain
>> > policy
>> > The RSoP says that a test user i chose in another OU loging on one of
>> > the
>> > computers will have the policy enforced.
>> > But when i try it for real, it does'nt work.
>> >
>> >
>> > Server Windows Server 2003 SP1
>> > PC Windows XP Pro SP1
>> >
>> >
>> > What could be the problem???
>> >
>> > Thanks in advance
>> >
>> > RG
>>
>>
>>


.

Relevant Pages