Default Domain Policy override



Running a Win2k AD environment. Account Policy is set at
the Default Domain Policy level with Account Lockout
occurring after 5 invalid attempts, 30 min lockout.

There is an exclusion group that has the Deny permission
set for the Apply Group Policy permission for the Default
Domain Policy. Members of this group should not be able
to lock their accounts out yet they are still managing to
do it. There is no other Account Policy set via group
policy "lower" in the processing order. Users are
logging on to the domain, not locally.

My question is: is there a default Account Lockout Policy
applied in the absence of one being defined? If so,
what/where is this value so that I might change it?

Tim Hines [MSFT]

There is only one password policy per domain that applies to all users in
the domain. You cannot make users exempt from the domain account settings.
I've included a few articles about account settings below.

255550 Configuring Account Policies in Active Directory

221930 Domain Security Policy in Windows 2000

Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
This posting is provided "AS IS" with no warranties, and confers no rights.
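
To confirm which lockout values a domain is actually enforcing, the following added example (not part of the thread) decodes the lockoutThreshold, lockoutDuration and lockOutObservationWindow attributes from an LDIF export of the domain object, where Active Directory stores the single domain-wide policy. The sample export, the DC=example,DC=com name and the function names are constructed for this example.

```python
# Added example: decode the lockout attributes stored on the domain head object.
# SAMPLE_LDIF is constructed; the DN is a placeholder and the values
# correspond to the 5 attempts / 30 minute policy described in the question.
SAMPLE_LDIF = """\
dn: DC=example,DC=com
changetype: add
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 5
"""

TICKS_PER_MINUTE = 60 * 10_000_000  # AD intervals are counted in 100-ns ticks


def parse_ldif_record(text):
    """Return {lowercased attribute: value} for a single-record LDIF export.

    Assumes plain (not base64, not folded) values, which is what these
    numeric attributes produce.
    """
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        attrs[name.strip().lower()] = value.strip()
    return attrs


def interval_to_minutes(raw):
    """AD stores these durations as negative tick counts; return whole minutes."""
    return abs(int(raw)) // TICKS_PER_MINUTE


def domain_lockout_policy(ldif_text):
    """Summarise the one lockout policy that applies to every domain account."""
    attrs = parse_ldif_record(ldif_text)
    threshold = int(attrs["lockoutthreshold"])
    return {
        "domain": attrs.get("dn", ""),
        "lockout_enabled": threshold > 0,  # a threshold of 0 disables lockout
        "threshold": threshold,
        "duration_minutes": interval_to_minutes(attrs["lockoutduration"]),
        "window_minutes": interval_to_minutes(attrs["lockoutobservationwindow"]),
    }


if __name__ == "__main__":
    for key, value in domain_lockout_policy(SAMPLE_LDIF).items():
        print(f"{key}: {value}")
```

An export of this shape can be produced with `ldifde -f policy.ldf -d "DC=example,DC=com" -p base -l lockoutThreshold,lockoutDuration,lockOutObservationWindow`, substituting the real domain DN.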
