Problems applying account lockout to VPN logins

[Bloke at the pennine puddle (Replace n.a.v.d with]

Here is an interesting puzzle.

I wish to allow users to login by VPN, but after 2 bad attempts the
account gets locked out for 30 minutes.

I have created a group and the dial-in users are in that group and
have to belong to that group to connect.

The group and users are in an OU with a compulter account policy set
to lockout after 2 bad logins and the attripute for the group policy
is set to `no overide`.

I have issued the famous `gpupdate /force` to apply the policy. Yes,
it's Windows 2003, but I can't find a corresponding group and this one
is the closest.

The problem is that the account lockout never happens. Is this a bug,
by design, or am I doing something wrong?

Can some Ad guru assist please?

 

[Matjaz Ladava [MVP]]

Account policies are only set at domain level. Setting them on OU level
won't have any effect on domain users.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

"Bloke at the pennine puddle (Replace n.a.v.d with vodafone.net.)"

 

[Bloke at the pennine puddle (Replace n.a.v.d with]

Account policies are only set at domain level. Setting them on OU level
won't have any effect on domain users.

So the setting has to apply to every account in the domain?

 

[Matjaz Ladava [MVP]]

Yup.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

"Bloke at the pennine puddle (Replace n.a.v.d with vodafone.net.)"

 

[Bloke at the pennine puddle (Replace n.a.v.d with]

Yup.

That's a little unfair. The is a reason for me wanting to enforce
password security on some accounts and next-to-no security on others.

Never mind....