question about gpo policies

Z3-Masterd

Hey guys,

Maybe someone can help me out here. I applied a GPO to the domain that has an account lockout threshold of 3. Then I applied a GPO to a particular OU that has NO account lockout. Whenever I try to login with an account in that OU, I get locked out after 3 invalids. I thought OU lvl GPOs were supposed to override domain lvl GPOs ? Is that not the case with account lockout policies ?

Cessation

Z3-Masterd wrote:

Hey guys,

Maybe someone can help me out here. I applied a GPO to the domain that has an account lockout threshold of 3. Then I applied a GPO to a particular OU that has NO account lockout. Whenever I try to login with an account in that OU, I get locked out after 3 invalids. I thought OU lvl GPOs were supposed to override domain lvl GPOs ? Is that not the case with account lockout policies ?

If i remember correctly you need to block the inheritance on that gpo i believe. (so it would basically block the domain wide gpo lockout policy)
Sorry if this doesn't make sence... Cant sleep after I woke up at 3:30
Good luck,
Cess

sprkymrk

That's because you can only have one password policy per domain, and it has to be set at the domain level. If you set a different password policy on an OU, it only applies to local accounts on computers in that OU, not domain accounts.

http://www.techexams.net/forums/viewtopic.php?t=20733

AnthonyJD81

Z3-Masterd wrote:

I thought OU lvl GPOs were supposed to override domain lvl GPOs ? Is that not the case with account lockout policies ?

The scope of management for group policy can be somewhat tricky. Keep in mind that policies are applied first at the local machine, then site, domain, and finally OU (and child OU's if existing). Higher level overrides lower level. However, with domain user accounts, only one password policy may exist per domain. This is by design and cannot be altered.

Local user accounts on computers can have manage password policies per OU using group policy however.