Does anyone know how to set a user account up so that it
can't be locked out? We have a generic account that many
users log into and they are constantly locking it out.
Any ideas would be much appreciated.

Thanks

The only account that can not be locked out [at least from keyboard],
is the administrator account. You can change your account lockout policy,
but then it wll apply to all users on the computer or all users in the
domain. If your account lockout setting is low, you may want to raise it to
a higher number like ten. You may also want to reconfigure lockout setting
as far as time before you can try logging in again. --- Steve

"steve" <(E-Mail Removed)> wrote in message
news:027c01c35b7e$f9602320$(E-Mail Removed)...
> Does anyone know how to set a user account up so that it
> can't be locked out? We have a generic account that many
> users log into and they are constantly locking it out.
> Any ideas would be much appreciated.
>
> Thanks

Could he not create a new GPO which applies only to a new
OU with only the generic account in it, and apply the more
liberal lockout policy only to that GPO?

>-----Original Message-----
> The only account that can not be locked out [at
least from keyboard],
>is the administrator account. You can change your account
lockout policy,
>but then it wll apply to all users on the computer or all
users in the
>domain. If your account lockout setting is low, you may
want to raise it to
>a higher number like ten. You may also want to
reconfigure lockout setting
>as far as time before you can try logging in again. ---
Steve
>
>"steve" <(E-Mail Removed)> wrote in message
>news:027c01c35b7e$f9602320$(E-Mail Removed)...
>> Does anyone know how to set a user account up so that it
>> can't be locked out? We have a generic account that
many
>> users log into and they are constantly locking it out.
>> Any ideas would be much appreciated.
>>
>> Thanks
>
>
>.
>

No, Password policy is set at the domain level and not
the OU level.

>-----Original Message-----
>Could he not create a new GPO which applies only to a new
>OU with only the generic account in it, and apply the
more
>liberal lockout policy only to that GPO?
>
>>-----Original Message-----
>> The only account that can not be locked out [at
>least from keyboard],
>>is the administrator account. You can change your
account
>lockout policy,
>>but then it wll apply to all users on the computer or
all
>users in the
>>domain. If your account lockout setting is low, you may
>want to raise it to
>>a higher number like ten. You may also want to
>reconfigure lockout setting
>>as far as time before you can try logging in again. ---
>Steve
>>
>>"steve" <(E-Mail Removed)> wrote in
message
>>news:027c01c35b7e$f9602320$(E-Mail Removed)...
>>> Does anyone know how to set a user account up so that
it
>>> can't be locked out? We have a generic account that
>many
>>> users log into and they are constantly locking it out.
>>> Any ideas would be much appreciated.
>>>
>>> Thanks
>>
>>
>>.
>>
>.
>

You're right! How could I forget... still I think he
could create a GPO at domain level, and in the properties
of that GPO, apply it only to that one OU containing the
user in question while NOT allowing it to be applied to
the other groups, ie EVERYONE.. Although MS recommends
you apply GPOs at OU level, you CAN selectively apply GPOs
from the domain level by controlling who/what the GPO
applies to.

>-----Original Message-----
>No, Password policy is set at the domain level and not
>the OU level.
>
>>-----Original Message-----
>>Could he not create a new GPO which applies only to a
new
>>OU with only the generic account in it, and apply the
>more
>>liberal lockout policy only to that GPO?
>>
>>>-----Original Message-----
>>> The only account that can not be locked out [at
>>least from keyboard],
>>>is the administrator account. You can change your
>account
>>lockout policy,
>>>but then it wll apply to all users on the computer or
>all
>>users in the
>>>domain. If your account lockout setting is low, you may
>>want to raise it to
>>>a higher number like ten. You may also want to
>>reconfigure lockout setting
>>>as far as time before you can try logging in again. ---

>>Steve
>>>
>>>"steve" <(E-Mail Removed)> wrote in
>message
>>>news:027c01c35b7e$f9602320$(E-Mail Removed)...
>>>> Does anyone know how to set a user account up so that
>it
>>>> can't be locked out? We have a generic account that
>>many
>>>> users log into and they are constantly locking it out.
>>>> Any ideas would be much appreciated.
>>>>
>>>> Thanks
>>>
>>>
>>>.
>>>
>>.
>>
>.
>

Surely you could apply the more restrictive settings first then apply the
less restrictive and get the desired result using BLOCKING?

"Rob" <(E-Mail Removed)> wrote in message
news:031c01c35b99$239754f0$(E-Mail Removed)...
> You're right! How could I forget... still I think he
> could create a GPO at domain level, and in the properties
> of that GPO, apply it only to that one OU containing the
> user in question while NOT allowing it to be applied to
> the other groups, ie EVERYONE.. Although MS recommends
> you apply GPOs at OU level, you CAN selectively apply GPOs
> from the domain level by controlling who/what the GPO
> applies to.
>
> >-----Original Message-----
> >No, Password policy is set at the domain level and not
> >the OU level.
> >
> >>-----Original Message-----
> >>Could he not create a new GPO which applies only to a
> new
> >>OU with only the generic account in it, and apply the
> >more
> >>liberal lockout policy only to that GPO?
> >>
> >>>-----Original Message-----
> >>> The only account that can not be locked out [at
> >>least from keyboard],
> >>>is the administrator account. You can change your
> >account
> >>lockout policy,
> >>>but then it wll apply to all users on the computer or
> >all
> >>users in the
> >>>domain. If your account lockout setting is low, you may
> >>want to raise it to
> >>>a higher number like ten. You may also want to
> >>reconfigure lockout setting
> >>>as far as time before you can try logging in again. ---
>
> >>Steve
> >>>
> >>>"steve" <(E-Mail Removed)> wrote in
> >message
> >>>news:027c01c35b7e$f9602320$(E-Mail Removed)...
> >>>> Does anyone know how to set a user account up so that
> >it
> >>>> can't be locked out? We have a generic account that
> >>many
> >>>> users log into and they are constantly locking it out.
> >>>> Any ideas would be much appreciated.
> >>>>
> >>>> Thanks
> >>>
> >>>
> >>>.
> >>>
> >>.
> >>
> >.
> >

In normal circumstances for just about all other group policy settings
that would work. However for DOMAIN users, only password/account policies
applied at the domain level will apply - ALL other level of policies will be
ignored, even if inheritance is blocked. They can however apply to local machine
user accounts for those domain machines. -- Steve

"KIWI" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Surely you could apply the more restrictive settings first then apply the
> less restrictive and get the desired result using BLOCKING?
>
> "Rob" <(E-Mail Removed)> wrote in message
> news:031c01c35b99$239754f0$(E-Mail Removed)...
> > You're right! How could I forget... still I think he
> > could create a GPO at domain level, and in the properties
> > of that GPO, apply it only to that one OU containing the
> > user in question while NOT allowing it to be applied to
> > the other groups, ie EVERYONE.. Although MS recommends
> > you apply GPOs at OU level, you CAN selectively apply GPOs
> > from the domain level by controlling who/what the GPO
> > applies to.
> >
> > >-----Original Message-----
> > >No, Password policy is set at the domain level and not
> > >the OU level.
> > >
> > >>-----Original Message-----
> > >>Could he not create a new GPO which applies only to a
> > new
> > >>OU with only the generic account in it, and apply the
> > >more
> > >>liberal lockout policy only to that GPO?
> > >>
> > >>>-----Original Message-----
> > >>> The only account that can not be locked out [at
> > >>least from keyboard],
> > >>>is the administrator account. You can change your
> > >account
> > >>lockout policy,
> > >>>but then it wll apply to all users on the computer or
> > >all
> > >>users in the
> > >>>domain. If your account lockout setting is low, you may
> > >>want to raise it to
> > >>>a higher number like ten. You may also want to
> > >>reconfigure lockout setting
> > >>>as far as time before you can try logging in again. ---
> >
> > >>Steve
> > >>>
> > >>>"steve" <(E-Mail Removed)> wrote in
> > >message
> > >>>news:027c01c35b7e$f9602320$(E-Mail Removed)...
> > >>>> Does anyone know how to set a user account up so that
> > >it
> > >>>> can't be locked out? We have a generic account that
> > >>many
> > >>>> users log into and they are constantly locking it out.
> > >>>> Any ideas would be much appreciated.
> > >>>>
> > >>>> Thanks
> > >>>
> > >>>
> > >>>.
> > >>>
> > >>.
> > >>
> > >.
> > >
>
>

First of all, thanks to everyone for the feedback. I want
to see what you think of this idea.

Since the lockout policy comes from the Default Domain
Policy GPO, what if I explictly deny the Apply Policy
setting to that account in the security properties for
that GPO?

>-----Original Message-----
> In normal circumstances for just about all other
group policy settings
>that would work. However for DOMAIN users, only
password/account policies
>applied at the domain level will apply - ALL other level
of policies will be
>ignored, even if inheritance is blocked. They can however
apply to local machine
>user accounts for those domain machines. -- Steve
>
>"KIWI" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed)...
>> Surely you could apply the more restrictive settings
first then apply the
>> less restrictive and get the desired result using
BLOCKING?
>>
>> "Rob" <(E-Mail Removed)> wrote in message
>> news:031c01c35b99$239754f0$(E-Mail Removed)...
>> > You're right! How could I forget... still I think he
>> > could create a GPO at domain level, and in the
properties
>> > of that GPO, apply it only to that one OU containing
the
>> > user in question while NOT allowing it to be applied
to
>> > the other groups, ie EVERYONE.. Although MS
recommends
>> > you apply GPOs at OU level, you CAN selectively apply
GPOs
>> > from the domain level by controlling who/what the GPO
>> > applies to.
>> >
>> > >-----Original Message-----
>> > >No, Password policy is set at the domain level and
not
>> > >the OU level.
>> > >
>> > >>-----Original Message-----
>> > >>Could he not create a new GPO which applies only to
a
>> > new
>> > >>OU with only the generic account in it, and apply
the
>> > >more
>> > >>liberal lockout policy only to that GPO?
>> > >>
>> > >>>-----Original Message-----
>> > >>> The only account that can not be locked out
[at
>> > >>least from keyboard],
>> > >>>is the administrator account. You can change your
>> > >account
>> > >>lockout policy,
>> > >>>but then it wll apply to all users on the computer
or
>> > >all
>> > >>users in the
>> > >>>domain. If your account lockout setting is low,
you may
>> > >>want to raise it to
>> > >>>a higher number like ten. You may also want to
>> > >>reconfigure lockout setting
>> > >>>as far as time before you can try logging in
again. ---
>> >
>> > >>Steve
>> > >>>
>> > >>>"steve" <(E-Mail Removed)> wrote in
>> > >message
>> > >>>news:027c01c35b7e$f9602320$(E-Mail Removed)...
>> > >>>> Does anyone know how to set a user account up so
that
>> > >it
>> > >>>> can't be locked out? We have a generic account
that
>> > >>many
>> > >>>> users log into and they are constantly locking
it out.
>> > >>>> Any ideas would be much appreciated.
>> > >>>>
>> > >>>> Thanks
>> > >>>
>> > >>>
>> > >>>.
>> > >>>
>> > >>.
>> > >>
>> > >.
>> > >
>>
>>
>
>
>.
>

According to the following article what you are proposing should work
(unless I'm misunderstanding what you are trying to do)

http://support.microsoft.com/default...b;en-us;315675


"Steven L Umbach" <(E-Mail Removed)> wrote in message
news:EvWYa.101206$YN5.69586@sccrnsc01...
> Again I do not believe that will work. If you test it and find otherwise
please post
> your results. --- Steve
>
> "steve" <(E-Mail Removed)> wrote in message
> news:0e3f01c35c23$ef2a1870$(E-Mail Removed)...
> > First of all, thanks to everyone for the feedback. I want
> > to see what you think of this idea.
> >
> > Since the lockout policy comes from the Default Domain
> > Policy GPO, what if I explictly deny the Apply Policy
> > setting to that account in the security properties for
> > that GPO?
> >
> > >-----Original Message-----
> > > In normal circumstances for just about all other
> > group policy settings
> > >that would work. However for DOMAIN users, only
> > password/account policies
> > >applied at the domain level will apply - ALL other level
> > of policies will be
> > >ignored, even if inheritance is blocked. They can however
> > apply to local machine
> > >user accounts for those domain machines. -- Steve
> > >
> > >"KIWI" <(E-Mail Removed)> wrote in message
> > >news:(E-Mail Removed)...
> > >> Surely you could apply the more restrictive settings
> > first then apply the
> > >> less restrictive and get the desired result using
> > BLOCKING?
> > >>
> > >> "Rob" <(E-Mail Removed)> wrote in message
> > >> news:031c01c35b99$239754f0$(E-Mail Removed)...
> > >> > You're right! How could I forget... still I think he
> > >> > could create a GPO at domain level, and in the
> > properties
> > >> > of that GPO, apply it only to that one OU containing
> > the
> > >> > user in question while NOT allowing it to be applied
> > to
> > >> > the other groups, ie EVERYONE.. Although MS
> > recommends
> > >> > you apply GPOs at OU level, you CAN selectively apply
> > GPOs
> > >> > from the domain level by controlling who/what the GPO
> > >> > applies to.
> > >> >
> > >> > >-----Original Message-----
> > >> > >No, Password policy is set at the domain level and
> > not
> > >> > >the OU level.
> > >> > >
> > >> > >>-----Original Message-----
> > >> > >>Could he not create a new GPO which applies only to
> > a
> > >> > new
> > >> > >>OU with only the generic account in it, and apply
> > the
> > >> > >more
> > >> > >>liberal lockout policy only to that GPO?
> > >> > >>
> > >> > >>>-----Original Message-----
> > >> > >>> The only account that can not be locked out
> > [at
> > >> > >>least from keyboard],
> > >> > >>>is the administrator account. You can change your
> > >> > >account
> > >> > >>lockout policy,
> > >> > >>>but then it wll apply to all users on the computer
> > or
> > >> > >all
> > >> > >>users in the
> > >> > >>>domain. If your account lockout setting is low,
> > you may
> > >> > >>want to raise it to
> > >> > >>>a higher number like ten. You may also want to
> > >> > >>reconfigure lockout setting
> > >> > >>>as far as time before you can try logging in
> > again. ---
> > >> >
> > >> > >>Steve
> > >> > >>>
> > >> > >>>"steve" <(E-Mail Removed)> wrote in
> > >> > >message
> > >> > >>>news:027c01c35b7e$f9602320$(E-Mail Removed)...
> > >> > >>>> Does anyone know how to set a user account up so
> > that
> > >> > >it
> > >> > >>>> can't be locked out? We have a generic account
> > that
> > >> > >>many
> > >> > >>>> users log into and they are constantly locking
> > it out.
> > >> > >>>> Any ideas would be much appreciated.
> > >> > >>>>
> > >> > >>>> Thanks
> > >> > >>>
> > >> > >>>
> > >> > >>>.
> > >> > >>>
> > >> > >>.
> > >> > >>
> > >> > >.
> > >> > >
> > >>
> > >>
> > >
> > >
> > >.
> > >
>
>

The article refers to GPO filtering for user configuration of Group Policy.
Account policy is computer configuration. Even if you try to add a computer to the
deny apply for the GPO and log onto the domain from that computer the domain account
policies will prevail. --- Steve

"KIWI" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> According to the following article what you are proposing should work
> (unless I'm misunderstanding what you are trying to do)
>
> http://support.microsoft.com/default...b;en-us;315675
>
>
> "Steven L Umbach" <(E-Mail Removed)> wrote in message
> news:EvWYa.101206$YN5.69586@sccrnsc01...
> > Again I do not believe that will work. If you test it and find otherwise
> please post
> > your results. --- Steve
> >
> > "steve" <(E-Mail Removed)> wrote in message
> > news:0e3f01c35c23$ef2a1870$(E-Mail Removed)...
> > > First of all, thanks to everyone for the feedback. I want
> > > to see what you think of this idea.
> > >
> > > Since the lockout policy comes from the Default Domain
> > > Policy GPO, what if I explictly deny the Apply Policy
> > > setting to that account in the security properties for
> > > that GPO?
> > >
> > > >-----Original Message-----
> > > > In normal circumstances for just about all other
> > > group policy settings
> > > >that would work. However for DOMAIN users, only
> > > password/account policies
> > > >applied at the domain level will apply - ALL other level
> > > of policies will be
> > > >ignored, even if inheritance is blocked. They can however
> > > apply to local machine
> > > >user accounts for those domain machines. -- Steve
> > > >
> > > >"KIWI" <(E-Mail Removed)> wrote in message
> > > >news:(E-Mail Removed)...
> > > >> Surely you could apply the more restrictive settings
> > > first then apply the
> > > >> less restrictive and get the desired result using
> > > BLOCKING?
> > > >>
> > > >> "Rob" <(E-Mail Removed)> wrote in message
> > > >> news:031c01c35b99$239754f0$(E-Mail Removed)...
> > > >> > You're right! How could I forget... still I think he
> > > >> > could create a GPO at domain level, and in the
> > > properties
> > > >> > of that GPO, apply it only to that one OU containing
> > > the
> > > >> > user in question while NOT allowing it to be applied
> > > to
> > > >> > the other groups, ie EVERYONE.. Although MS
> > > recommends
> > > >> > you apply GPOs at OU level, you CAN selectively apply
> > > GPOs
> > > >> > from the domain level by controlling who/what the GPO
> > > >> > applies to.
> > > >> >
> > > >> > >-----Original Message-----
> > > >> > >No, Password policy is set at the domain level and
> > > not
> > > >> > >the OU level.
> > > >> > >
> > > >> > >>-----Original Message-----
> > > >> > >>Could he not create a new GPO which applies only to
> > > a
> > > >> > new
> > > >> > >>OU with only the generic account in it, and apply
> > > the
> > > >> > >more
> > > >> > >>liberal lockout policy only to that GPO?
> > > >> > >>
> > > >> > >>>-----Original Message-----
> > > >> > >>> The only account that can not be locked out
> > > [at
> > > >> > >>least from keyboard],
> > > >> > >>>is the administrator account. You can change your
> > > >> > >account
> > > >> > >>lockout policy,
> > > >> > >>>but then it wll apply to all users on the computer
> > > or
> > > >> > >all
> > > >> > >>users in the
> > > >> > >>>domain. If your account lockout setting is low,
> > > you may
> > > >> > >>want to raise it to
> > > >> > >>>a higher number like ten. You may also want to
> > > >> > >>reconfigure lockout setting
> > > >> > >>>as far as time before you can try logging in
> > > again. ---
> > > >> >
> > > >> > >>Steve
> > > >> > >>>
> > > >> > >>>"steve" <(E-Mail Removed)> wrote in
> > > >> > >message
> > > >> > >>>news:027c01c35b7e$f9602320$(E-Mail Removed)...
> > > >> > >>>> Does anyone know how to set a user account up so
> > > that
> > > >> > >it
> > > >> > >>>> can't be locked out? We have a generic account
> > > that
> > > >> > >>many
> > > >> > >>>> users log into and they are constantly locking
> > > it out.
> > > >> > >>>> Any ideas would be much appreciated.
> > > >> > >>>>
> > > >> > >>>> Thanks
> > > >> > >>>
> > > >> > >>>
> > > >> > >>>.
> > > >> > >>>
> > > >> > >>.
> > > >> > >>
> > > >> > >.
> > > >> > >
> > > >>
> > > >>
> > > >
> > > >
> > > >.
> > > >
> >
> >
>
>