Default Domain Policy override

[Guest]

Running a Win2k AD environment. Account Policy is set at
the Default Domain Policy level with Account Lockout
occurring after 5 Invalid attempts, 30 min lockout
duration.

There is an exclusion group that has the Deny permission
set for the Apply Group Policy permission for the Default
Domain Policy. Members of this group should not be able
to lock their accounts out yet they are still managing to
do it. There is no other Account Policy set via group
policy "lower" in the processing order. Users are
logging on to the domain, not locally.

My question is, Is there a default Account Lockout Policy
applied in the absence of one being defined? If so,
what/where is this value so that I might change it?

 

[Tim Hines [MSFT]]

There is only one password policy per domain that applies to all users in
the domain. You cannot make users exempt from the domain account settings.
I've included a few articles about account settings below.

255550 Configuring Account Policies in Active Directory
http://support.microsoft.com/?id=255550

221930 Domain Security Policy in Windows 2000
http://support.microsoft.com/?id=221930

--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.