Help on Account Lockout


Norman Williams

I am running Windows 2000 Server at two offices. Currently the account lockout
policy of Group1 is set to 5 tries & lockout duration time of 1 hour,
Group2 is set to 5 tries & 15 minutes.

However, when a user in Group2 is logout, the domain controller resets the
account in 1 hour instead of 15 minutes.
According to MS support, since Group1 & 2 both have "Everyone" as their
built-in members, only one lockout policy will be applied for both groups.
That should not be the reason.

Any suggestion to solve this problem will be appreciated.

Norman
 

Paul Bergson

The only place you can define account definitions is the GPO on the domain
OU. All other definitions apply to the local accounts. My guess is you
have definitions other than on the domain OU.

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
 

rwh

I agree with Paul. It has always been my understanding that you can
only have 1 domain PW policy set. It sounds like you are trying to
implement 2 PW Policies for the same domain, which is not possible in
Active Directory.
 

Norman Williams

Thanks for your response. I did try to have 2 password policies for 2 OUs in
the same domain. I am going to double check to see if that's possible.


 

Cary Shultz

No, it is not.

You can have only one password policy per domain. This is one of the
(generally) few good reasons to create a child domain ( a very general
statement ). And this is set at the domain level.

Now, you can indeed set a password policy at the OU level. However, it will
not affect your domain user account objects. It will affect local user
accounts on any machines that might reside directly in that OU, though.
But, you probably do not make use of local accounts ( meaning, accounts that
are not domain user account objects but accounts that reside on the local
machines ).

--
Cary W. Shultz
Roanoke, VA 24012

http://www.activedirectory-win2000.com
(soon to be updated!!!)
http://www.grouppolicy-win2000.com
(soon to be updated!!!)
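
Added example, not part of any post in this thread: a small Python sketch of the rule described above, where lockout settings in a GPO linked at the domain apply to domain accounts and the same settings in an OU-linked GPO reach only local accounts on machines in that OU. The GPO names, the `(name, link target, link order, template text)` tuple layout and the sample templates are constructed for illustration; the `[System Access]` keys are the ones used in security templates such as GptTmpl.inf, with `LockoutDuration` in minutes.

```python
import configparser

# Constructed sample data: (GPO name, link target, link order, template text).
# Link order 1 is the highest precedence among GPOs linked at the same level.
SAMPLE_GPOS = [
    ("Default Domain Policy", "domain", 1,
     "[Version]\nRevision=1\n[System Access]\nLockoutBadCount = 5\nLockoutDuration = 60\n"),
    ("Office2 Lockout", "ou:Office2", 1,
     "[System Access]\nLockoutBadCount = 5\nLockoutDuration = 15\n"),
]

LOCKOUT_KEYS = ("LockoutBadCount", "LockoutDuration", "ResetLockoutCount")


def parse_lockout(inf_text):
    """Return the lockout settings found in a template's [System Access] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the key names' original case
    cp.read_string(inf_text)
    if not cp.has_section("System Access"):
        return {}
    section = cp["System Access"]
    return {k: int(section[k]) for k in LOCKOUT_KEYS if k in section}


def effective_policy(gpos):
    """Split lockout settings into (domain account policy, OU-linked leftovers)."""
    domain, local_only = {}, []
    # Walk from lowest to highest precedence so link order 1 is applied last.
    for name, target, _order, inf in sorted(gpos, key=lambda g: -g[2]):
        settings = parse_lockout(inf)
        if not settings:
            continue
        if target == "domain":
            domain.update(settings)
        else:
            # Not linked at the domain: affects local accounts only.
            local_only.append((name, target, settings))
    return domain, local_only


if __name__ == "__main__":
    domain, local_only = effective_policy(SAMPLE_GPOS)
    print("Domain accounts get:", domain)
    for name, target, settings in local_only:
        print(f"{name} ({target}) only reaches local accounts:", settings)
```
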
 

Norman Williams

Thanks. Now I can clearly see what is going on. I didn't know the OU
password policy only applies to the local accounts on each computer; this is
useless because usually no local account is used in a domain. Adding another
DC will cost $ and time. I would probably delegate an OU to a few persons
to manage. That may be a simple way to solve the account lockout issue.
It will cost a little time to unlock the accounts.

Still, I don't know why Microsoft wants to have only one PW policy per
domain. It makes sense to have different PW policies for different users in
a company.

N. Williams


 
