question about gpo policies

Hey guys,
Maybe someone can help me out here. I applied a GPO to the domain that has an account lockout threshold of 3. Then I applied a GPO to a particular OU that has NO account lockout. Whenever I try to login with an account in that OU, I get locked out after 3 invalids. I thought OU lvl GPOs were supposed to override domain lvl GPOs ? Is that not the case with account lockout policies ?
Maybe someone can help me out here. I applied a GPO to the domain that has an account lockout threshold of 3. Then I applied a GPO to a particular OU that has NO account lockout. Whenever I try to login with an account in that OU, I get locked out after 3 invalids. I thought OU lvl GPOs were supposed to override domain lvl GPOs ? Is that not the case with account lockout policies ?
Comments
If i remember correctly you need to block the inheritance on that gpo i believe. (so it would basically block the domain wide gpo lockout policy)
Sorry if this doesn't make sence... Cant sleep after I woke up at 3:30
Good luck,
Cess
Working back on my CCNA and then possibly CCNP.
http://www.techexams.net/forums/viewtopic.php?t=20733
The scope of management for group policy can be somewhat tricky. Keep in mind that policies are applied first at the local machine, then site, domain, and finally OU (and child OU's if existing). Higher level overrides lower level. However, with domain user accounts, only one password policy may exist per domain. This is by design and cannot be altered.
Local user accounts on computers can have manage password policies per OU using group policy however.