User Account Lockout

steve

Does anyone know how to set a user account up so that it
can't be locked out? We have a generic account that many
users log into and they are constantly locking it out.
Any ideas would be much appreciated.

Thanks
 
Steven L Umbach

The only account that can not be locked out [at least from keyboard],
is the administrator account. You can change your account lockout policy,
but then it will apply to all users on the computer or all users in the
domain. If your account lockout setting is low, you may want to raise it to
a higher number like ten. You may also want to reconfigure lockout setting
as far as time before you can try logging in again. --- Steve
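
An added example, not part of the original thread: a simplified Python model of the three lockout settings the reply above refers to (threshold, counter-reset window, lockout duration), replaying constructed logon attempts against a shared account. The policy values other than "ten", the timestamps and all function names are assumptions for illustration; real domain controllers track these counters per account with more nuance.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    threshold: int        # bad attempts that lock the account (0 = never lock)
    reset_after_min: int  # idle minutes after which the bad-attempt counter resets
    duration_min: int     # minutes the account stays locked

def replay(policy, attempts):
    """Replay (minute, password_ok) attempts; return (minute, password_ok, outcome)."""
    bad_count, last_bad, locked_until, out = 0, None, None, []
    for minute, ok in sorted(attempts):
        if locked_until is not None:
            if minute < locked_until:          # still locked: a correct password fails too
                out.append((minute, ok, "rejected-locked"))
                continue
            locked_until, bad_count = None, 0  # lockout duration has expired
        if ok:
            bad_count = 0                      # successful logon clears the counter
            out.append((minute, ok, "logon"))
            continue
        if last_bad is not None and minute - last_bad >= policy.reset_after_min:
            bad_count = 0                      # counter-reset window has passed
        bad_count, last_bad = bad_count + 1, minute
        if policy.threshold and bad_count >= policy.threshold:
            locked_until = minute + policy.duration_min
            out.append((minute, ok, "lockout"))
        else:
            out.append((minute, ok, "bad-password"))
    return out

def summarize(policy, attempts):
    """Return (number of lockouts, correct passwords refused while locked)."""
    result = replay(policy, attempts)
    lockouts = sum(1 for _, _, o in result if o == "lockout")
    refused = sum(1 for _, ok, o in result if ok and o == "rejected-locked")
    return lockouts, refused

# Constructed sample: several people sharing one account, some mistyping.
SHARED_MORNING = [(0, False), (1, False), (2, True), (10, False), (11, False),
                  (12, False), (13, True), (15, True), (50, False), (51, True)]
# Constructed sample: twelve consecutive bad passwords, one per minute.
SUSTAINED_BAD = [(m, False) for m in range(100, 112)]

LOW = LockoutPolicy(threshold=3, reset_after_min=30, duration_min=30)   # assumed low setting
TEN = LockoutPolicy(threshold=10, reset_after_min=30, duration_min=30)  # "a higher number like ten"

if __name__ == "__main__":
    for name, pol in (("threshold 3", LOW), ("threshold 10", TEN)):
        print(name, summarize(pol, SHARED_MORNING), summarize(pol, SUSTAINED_BAD))
```

With the low threshold the shared account locks once and two correct logons are refused; with a threshold of ten the same morning passes without a lockout, while a sustained run of bad passwords still locks the account on the tenth attempt.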
 
Rob

Could he not create a new GPO which applies only to a new
OU with only the generic account in it, and apply the more
liberal lockout policy only to that GPO?
 
Dean

No, password policy is set at the domain level and not
the OU level.
 
Rob

You're right! How could I forget... still I think he
could create a GPO at domain level, and in the properties
of that GPO, apply it only to that one OU containing the
user in question while NOT allowing it to be applied to
the other groups, i.e. EVERYONE. Although MS recommends
you apply GPOs at OU level, you CAN selectively apply GPOs
from the domain level by controlling who/what the GPO
applies to.
 
KIWI

Surely you could apply the more restrictive settings first then apply the
less restrictive and get the desired result using BLOCKING?

 
Steven Umbach

In normal circumstances for just about all other group policy settings
that would work. However for DOMAIN users, only password/account policies
applied at the domain level will apply - ALL other levels of policies will be
ignored, even if inheritance is blocked. They can however apply to local machine
user accounts for those domain machines. -- Steve

 
steve

First of all, thanks to everyone for the feedback. I want
to see what you think of this idea.

Since the lockout policy comes from the Default Domain
Policy GPO, what if I explicitly deny the Apply Policy
setting to that account in the security properties for
that GPO?
 
KIWI

According to the following article what you are proposing should work
(unless I'm misunderstanding what you are trying to do)

http://support.microsoft.com/default.aspx?scid=kb;en-us;315675


Steven L Umbach said:
Again I do not believe that will work. If you test it and find otherwise please post
your results. --- Steve

 
Steven L Umbach

The article refers to GPO filtering for user configuration of Group Policy.
Account policy is computer configuration. Even if you try to add a computer to the
deny apply for the GPO and log onto the domain from that computer the domain account
policies will prevail. --- Steve

 
