question about gpo policies

Z3-Masterd Member Posts: 61
Hey guys,

Maybe someone can help me out here. I applied a GPO to the domain that has an account lockout threshold of 3. Then I applied a GPO to a particular OU that has NO account lockout. Whenever I try to log in with an account in that OU, I get locked out after 3 invalids. I thought OU-level GPOs were supposed to override domain-level GPOs? Is that not the case with account lockout policies?

Comments

  • Cessation Member Posts: 326
    Z3-Masterd wrote:
    Hey guys,

    Maybe someone can help me out here. I applied a GPO to the domain that has an account lockout threshold of 3. Then I applied a GPO to a particular OU that has NO account lockout. Whenever I try to log in with an account in that OU, I get locked out after 3 invalids. I thought OU-level GPOs were supposed to override domain-level GPOs? Is that not the case with account lockout policies?

    If I remember correctly, you need to block the inheritance on that GPO, I believe. (So it would basically block the domain-wide GPO lockout policy.)
    Sorry if this doesn't make sense... Can't sleep after I woke up at 3:30 :(
    Good luck,
    Cess
    A+, MCP(270,290), CCNA 2008.
    Working back on my CCNA and then possibly CCNP.
  • sprkymrk Member Posts: 4,884
    That's because you can only have one password policy per domain, and it has to be set at the domain level. If you set a different password policy on an OU, it only applies to local accounts on computers in that OU, not domain accounts.

    http://www.techexams.net/forums/viewtopic.php?t=20733
    All things are possible, only believe.
  • AnthonyJD81 Member Posts: 187
    Z3-Masterd wrote:
    I thought OU-level GPOs were supposed to override domain-level GPOs? Is that not the case with account lockout policies?

    The scope of management for group policy can be somewhat tricky. Keep in mind that policies are applied first at the local machine, then site, domain, and finally OU (and child OUs if existing). Higher level overrides lower level. However, with domain user accounts, only one password policy may exist per domain. This is by design and cannot be altered.

    Local user accounts on computers can have password policies managed per OU using group policy, however.
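
The scoping rule given in the replies above, as an added PowerShell example that is not part of the original thread: it parses the lockout keys from a GPO's security template and reports which accounts each link can affect. The GPO names, link targets and template text are constructed sample data, and the function names are hypothetical.

```powershell
# Added example. All GPO names, DNs and template contents below are constructed.
# On a real domain the template text would be read from
#   \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf

function Get-LockoutKeysFromInf {
    # Return the account lockout keys found in the [System Access] section.
    param([string]$InfText)
    $keys    = 'LockoutBadCount', 'LockoutDuration', 'ResetLockoutCount'
    $found   = @{}
    $section = ''
    foreach ($line in $InfText -split "`r?`n") {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'System Access' -and
            $line -match '^(\w+)\s*=\s*(.+)$' -and
            $keys -contains $Matches[1]) {
            $found[$Matches[1]] = $Matches[2].Trim()
        }
    }
    $found
}

function Get-LockoutScope {
    # A link at the domain root sets the policy for domain accounts; a link on an
    # OU only reaches local accounts on the computers in that OU.
    param($Links)
    foreach ($link in $Links) {
        $policy = Get-LockoutKeysFromInf $link.Inf
        if (-not $policy.ContainsKey('LockoutBadCount')) { continue }
        $atDomainRoot = $link.LinkedTo -match '^DC='
        [pscustomobject]@{
            Gpo             = $link.Gpo
            LockoutBadCount = [int]$policy['LockoutBadCount']   # 0 means never lock out
            AppliesTo       = if ($atDomainRoot) { 'domain accounts' }
                              else { 'local accounts on computers in ' + $link.LinkedTo }
        }
    }
}

# Constructed sample mirroring the question: threshold 3 at the domain, none on the OU.
$gpoLinks = @(
    [pscustomobject]@{ Gpo = 'Domain Lockout'; LinkedTo = 'DC=corp,DC=example'
                       Inf = "[System Access]`nLockoutBadCount = 3`nLockoutDuration = 30" }
    [pscustomobject]@{ Gpo = 'OU No Lockout';  LinkedTo = 'OU=Staff,DC=corp,DC=example'
                       Inf = "[System Access]`nLockoutBadCount = 0" }
)

Get-LockoutScope $gpoLinks | Format-Table -AutoSize
```

In the output only the domain-root row is marked as applying to domain accounts, so a domain user in the Staff OU is still locked out after 3 bad attempts.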