RSoP Lockout Account

Guest

Hi

I'm trying to apply a GPO to an OU that contains computers. I want to be able
to make any user on those computers have their account locked out after 3
attempts.
I created the GPO on the computers OU that I created.
I applied the settings I want.
The default setting of 0 attempts was removed from the Default Domain Policy.
The RSoP says that a test user I chose in another OU logging on to one of the
computers will have the policy enforced.
But when I try it for real, it doesn't work.


Server Windows Server 2003 SP1
PC Windows XP Pro SP1


What could be the problem???

Thanks in advance

RG
 
Ken B

You can have only one password / lockout policy per domain. It goes
hand-in-hand with the saying "A chain is only as strong as its weakest
link"... the point of the domain is to make a unified security structure.
Wouldn't make sense to have a weaker policy in effect for part of the domain
than another part.

hth,

Ken
 
Guest

I've been having this exact problem for weeks now. I've been searching and
digging through all sorts of documents, white papers etc., but would be a bit
disappointed if this is the reason why my lockout threshold policy isn't
applying to users within an OU.

I only have one domain in my AD schema, so how can I carry out testing of
security policies if I can't implement any security GPs on OUs within that
domain? For example, how can I test what will happen when I set the MS
password complexity GP for users when some of them don't even have passwords on
their accounts? When they log in, will it force them to change it?

Any extra advice or links on applying GPs from the Security Policies section
of a GPO would be very useful, as this is the first time I've read they can
only be applied at domain level. I'm also very surprised that MS tools such
as RSoP show that configured security policies (e.g. lockout threshold) within a GPO
applied only to an OU will apply to specified users, even though they won't.

Thks, Alan
 
Darren Mar-Elia

Account Policy, or more specifically any items within Computer
Configuration\Windows Settings\Security Settings\Account Policies, for
*domain accounts* (i.e. not local workstation or member server accounts) can
only be deployed from a GPO linked at the domain level and there can be only
one account policy per domain for *domain user accounts*. That being said,
you can have a different account policy, linked to an OU that affects
*local* user accounts on the workstations and member servers in those OUs
differently, and you could probably achieve your testing goals using local
accounts instead of domain ones.

In the future, rumor has it that Longhorn server will support multiple
account policies per domain, but again, I haven't seen that in writing yet.
:)

Darren

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Whitepapers and Utilities for all things Group Policy-related
Just Released! The new Windows Group Policy Guide from Microsoft Press!!!
Check it out at http://www.microsoft.com/mspress/books/8763.asp
 
Guest

Thanks for that, Mar-Elia, but I just find it quite unbelievable that such a
massive drawback in the whole AD schema is hardly written about or discussed
in MS press, documents, guides etc., especially when MS tools like RSoP
incorrectly report that Account Policies for GPOs applied to OUs will apply!
 
Darren Mar-Elia

Alan-
Actually, it's quite well documented! There's at least one KB article I know
about, and it's probably one of the more frequently discussed topics on this
newsgroup and elsewhere.

As far as the RSOP reference, I'm assuming you're running RSOP logging
rather than modeling? Given that, it makes sense as to what you're seeing.
When you run RSOP logging against a workstation, for example, what you will
see is the policy that is being delivered to that workstation. In the case
of account policy, linked to an OU, you are seeing the correct
information--the account policy FOR THAT MACHINE is being reported correctly
by RSOP. That means that any local accounts on that machine will follow that
OU-linked account policy. If you ran RSOP against a Domain Controller, which
are the only boxes that process DOMAIN account policy, you would see the
account policy for domain user accounts.

Of course, all that doesn't make the issue any easier to accept :).

Darren

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Whitepapers and Utilities for all things Group Policy-related
Just Released! The new Windows Group Policy Guide from Microsoft Press!!!
Check it out at http://www.microsoft.com/mspress/books/8763.asp
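The two points Darren makes above (an OU-linked Account Policy governs only the local SAM accounts on the machines in that OU, while domain accounts follow the policy the domain controllers process; and RSoP logging on a workstation therefore reports the policy for that machine's local accounts) can be checked directly on a domain-joined workstation. The following PowerShell script is an added example, not code from anyone in this thread. It assumes PowerShell 2.0 or later with .NET 3.5 on a domain-joined workstation that can reach a DC, that it is run elevated, and that the local account name and placeholder password below are hypothetical and safe to create and delete.

```powershell
# Added example (not from the thread). Compares the lockout threshold the local
# SAM enforces with the one the domain controllers enforce, then proves which one
# a *local* test account follows by driving it to lockout with bad logons.
# Assumptions: elevated PowerShell 2.0+ on a domain-joined workstation; the test
# account name and password are placeholders chosen for this example.

Set-StrictMode -Version 2
$ErrorActionPreference = 'Stop'

$TestUser = 'lockouttest'      # hypothetical local account, created and removed below
$TestPass = 'Temp#Pa55w0rd'    # placeholder password for that account

function Get-LockoutThreshold {
    param([switch]$Domain)
    # 'net accounts' prints the policy the local SAM enforces (this is what an
    # OU-linked Account Policy changes); 'net accounts /domain' asks a domain
    # controller for the policy that domain user accounts are actually subject to.
    $lines = if ($Domain) { net accounts /domain } else { net accounts }
    $value = $null
    foreach ($l in $lines) {
        if ($l -match '^Lockout threshold:\s+(\S+)') { $value = $Matches[1] }
    }
    if ($value -eq $null) { throw 'Lockout threshold not found in net accounts output' }
    if ($value -eq 'Never') { return 0 }    # 0 means lockout is disabled
    return [int]$value
}

function Test-LocalLockout {
    param([string]$User, [int]$Attempts)
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ctxType = [System.DirectoryServices.AccountManagement.ContextType]::Machine
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ctxType)
    try {
        # Deliberately wrong passwords: each failed logon counts against the
        # threshold the *local* SAM enforces, not the domain's.
        for ($i = 1; $i -le $Attempts; $i++) {
            [void]$ctx.ValidateCredentials($User, "wrong-password-$i")
        }
    } finally {
        $ctx.Dispose()
    }
    # 'net user <name>' reports "Account active  Locked" once the account is locked out.
    $status = net user $User | Where-Object { $_ -match '^Account active' }
    return [bool]($status -match 'Locked')
}

# 1. Show which policy governs which kind of account on this machine.
$localThreshold  = Get-LockoutThreshold
$domainThreshold = Get-LockoutThreshold -Domain
"Local SAM lockout threshold (OU-linked GPO applies here):        $localThreshold"
"Domain lockout threshold (domain-linked GPO, enforced by DCs):   $domainThreshold"

# 2. Create a throwaway local account and drive it to the local threshold.
net user $TestUser $TestPass /add | Out-Null
try {
    if ($localThreshold -eq 0) {
        'Local threshold is 0 (never lock out); nothing to test for local accounts.'
    } else {
        $locked = Test-LocalLockout -User $TestUser -Attempts $localThreshold
        "Local account '$TestUser' locked after $localThreshold bad attempts: $locked"
    }
} finally {
    net user $TestUser /delete | Out-Null
}
```

If the OU-linked GPO sets a threshold of 3, the first line reports 3 and the local account locks after three bad attempts, while the `/domain` line still reports whatever the domain-level policy says; that difference is exactly what RSoP logging on the workstation is (correctly) showing. Repeating the bad-logon loop against a domain account would instead count against the domain threshold, because the DC, not the workstation, keeps that account's bad-password count.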
 
Bruce Sanderson

Well, what you see as a "massive drawback" I see as a huge benefit. The
major part of the Domain concept is a unified and enforced security regime.
One of the most vulnerable (technical) parts of security is passwords, so
having the same password policy enforced for all User accounts in the domain
is an important feature.

Testing and experimenting in a "Production" environment is not usually a
good thing to do anyway.

The password policy is enforced by the computer (i.e. a domain controller
for domain accounts) that "owns" the user account at the time a password is
changed, not when the user account is authenticated by that computer. So
changing the password policy in an OU that does not apply to domain
controllers won't have any effect on domain user accounts. Existing
passwords are not affected when the password policy is modified (e.g.
complexity requirement turned on).

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
 