User Account Lockout

  • Thread starter Thread starter steve
  • Start date Start date
S

steve

Does anyone know how to set a user account up so that it
can't be locked out? We have a generic account that many
users log into and they are constantly locking it out.
Any ideas would be much appreciated.

Thanks
 
The only account that can not be locked out [at least from keyboard],
is the administrator account. You can change your account lockout policy,
but then it wll apply to all users on the computer or all users in the
domain. If your account lockout setting is low, you may want to raise it to
a higher number like ten. You may also want to reconfigure lockout setting
as far as time before you can try logging in again. --- Steve
 
Could he not create a new GPO which applies only to a new
OU with only the generic account in it, and apply the more
liberal lockout policy only to that GPO?
-----Original Message-----
The only account that can not be locked out [at least from keyboard],
is the administrator account. You can change your account lockout policy,
but then it wll apply to all users on the computer or all users in the
domain. If your account lockout setting is low, you may want to raise it to
a higher number like ten. You may also want to reconfigure lockout setting
as far as time before you can try logging in again. --- Steve

steve said:
Does anyone know how to set a user account up so that it
can't be locked out? We have a generic account that many
users log into and they are constantly locking it out.
Any ideas would be much appreciated.

Thanks


.
 
No, Password policy is set at the domain level and not
the OU level.
-----Original Message-----
Could he not create a new GPO which applies only to a new
OU with only the generic account in it, and apply the more
liberal lockout policy only to that GPO?
-----Original Message-----
The only account that can not be locked out [at least from keyboard],
is the administrator account. You can change your
account
lockout policy,
but then it wll apply to all users on the computer or
all
users in the
domain. If your account lockout setting is low, you may want to raise it to
a higher number like ten. You may also want to reconfigure lockout setting
as far as time before you can try logging in again. --- Steve




.
.
 
You're right! How could I forget... still I think he
could create a GPO at domain level, and in the properties
of that GPO, apply it only to that one OU containing the
user in question while NOT allowing it to be applied to
the other groups, ie EVERYONE.. Although MS recommends
you apply GPOs at OU level, you CAN selectively apply GPOs
from the domain level by controlling who/what the GPO
applies to.
-----Original Message-----
No, Password policy is set at the domain level and not
the OU level.
-----Original Message-----
Could he not create a new GPO which applies only to a new
OU with only the generic account in it, and apply the more
liberal lockout policy only to that GPO?
-----Original Message-----
The only account that can not be locked out [at least from keyboard],
is the administrator account. You can change your
account
lockout policy,
but then it wll apply to all users on the computer or
all
users in the
domain. If your account lockout setting is low, you may want to raise it to
a higher number like ten. You may also want to reconfigure lockout setting
as far as time before you can try logging in again. ---
Steve
Does anyone know how to set a user account up so that it
can't be locked out? We have a generic account that many
users log into and they are constantly locking it out.
Any ideas would be much appreciated.

Thanks


.
.
.
 
Surely you could apply the more restrictive settings first then apply the
less restrictive and get the desired result using BLOCKING?

Rob said:
You're right! How could I forget... still I think he
could create a GPO at domain level, and in the properties
of that GPO, apply it only to that one OU containing the
user in question while NOT allowing it to be applied to
the other groups, ie EVERYONE.. Although MS recommends
you apply GPOs at OU level, you CAN selectively apply GPOs
from the domain level by controlling who/what the GPO
applies to.
-----Original Message-----
No, Password policy is set at the domain level and not
the OU level.
-----Original Message-----
Could he not create a new GPO which applies only to a new
OU with only the generic account in it, and apply the more
liberal lockout policy only to that GPO?

-----Original Message-----
The only account that can not be locked out [at
least from keyboard],
is the administrator account. You can change your account
lockout policy,
but then it wll apply to all users on the computer or all
users in the
domain. If your account lockout setting is low, you may
want to raise it to
a higher number like ten. You may also want to
reconfigure lockout setting
as far as time before you can try logging in again. ---
Steve

Does anyone know how to set a user account up so that it
can't be locked out? We have a generic account that
many
users log into and they are constantly locking it out.
Any ideas would be much appreciated.

Thanks


.

.
.
 
In normal circumstances for just about all other group policy settings
that would work. However for DOMAIN users, only password/account policies
applied at the domain level will apply - ALL other level of policies will be
ignored, even if inheritance is blocked. They can however apply to local machine
user accounts for those domain machines. -- Steve

KIWI said:
Surely you could apply the more restrictive settings first then apply the
less restrictive and get the desired result using BLOCKING?

Rob said:
You're right! How could I forget... still I think he
could create a GPO at domain level, and in the properties
of that GPO, apply it only to that one OU containing the
user in question while NOT allowing it to be applied to
the other groups, ie EVERYONE.. Although MS recommends
you apply GPOs at OU level, you CAN selectively apply GPOs
from the domain level by controlling who/what the GPO
applies to.
-----Original Message-----
No, Password policy is set at the domain level and not
the OU level.

-----Original Message-----
Could he not create a new GPO which applies only to a new
OU with only the generic account in it, and apply the
more
liberal lockout policy only to that GPO?

-----Original Message-----
The only account that can not be locked out [at
least from keyboard],
is the administrator account. You can change your
account
lockout policy,
but then it wll apply to all users on the computer or
all
users in the
domain. If your account lockout setting is low, you may
want to raise it to
a higher number like ten. You may also want to
reconfigure lockout setting
as far as time before you can try logging in again. ---
Steve

message
Does anyone know how to set a user account up so that
it
can't be locked out? We have a generic account that
many
users log into and they are constantly locking it out.
Any ideas would be much appreciated.

Thanks


.

.

.
 
First of all, thanks to everyone for the feedback. I want
to see what you think of this idea.

Since the lockout policy comes from the Default Domain
Policy GPO, what if I explictly deny the Apply Policy
setting to that account in the security properties for
that GPO?
-----Original Message-----
In normal circumstances for just about all other group policy settings
that would work. However for DOMAIN users, only password/account policies
applied at the domain level will apply - ALL other level of policies will be
ignored, even if inheritance is blocked. They can however apply to local machine
user accounts for those domain machines. -- Steve

KIWI said:
Surely you could apply the more restrictive settings first then apply the
less restrictive and get the desired result using BLOCKING?

Rob said:
You're right! How could I forget... still I think he
could create a GPO at domain level, and in the properties
of that GPO, apply it only to that one OU containing the
user in question while NOT allowing it to be applied to
the other groups, ie EVERYONE.. Although MS recommends
you apply GPOs at OU level, you CAN selectively apply GPOs
from the domain level by controlling who/what the GPO
applies to.

-----Original Message-----
No, Password policy is set at the domain level and not
the OU level.

-----Original Message-----
Could he not create a new GPO which applies only to a
new
OU with only the generic account in it, and apply the
more
liberal lockout policy only to that GPO?

-----Original Message-----
The only account that can not be locked out [at
least from keyboard],
is the administrator account. You can change your
account
lockout policy,
but then it wll apply to all users on the computer or
all
users in the
domain. If your account lockout setting is low, you may
want to raise it to
a higher number like ten. You may also want to
reconfigure lockout setting
as far as time before you can try logging in again. ---

Steve

message
Does anyone know how to set a user account up so that
it
can't be locked out? We have a generic account that
many
users log into and they are constantly locking it out.
Any ideas would be much appreciated.

Thanks


.

.

.


.
 
According to the following article what you are proposing should work
(unless I'm misunderstanding what you are trying to do)

http://support.microsoft.com/default.aspx?scid=kb;en-us;315675


Steven L Umbach said:
Again I do not believe that will work. If you test it and find otherwise please post
your results. --- Steve

steve said:
First of all, thanks to everyone for the feedback. I want
to see what you think of this idea.

Since the lockout policy comes from the Default Domain
Policy GPO, what if I explictly deny the Apply Policy
setting to that account in the security properties for
that GPO?
-----Original Message-----
In normal circumstances for just about all other group policy settings
that would work. However for DOMAIN users, only password/account policies
applied at the domain level will apply - ALL other level of policies will be
ignored, even if inheritance is blocked. They can however apply to local machine
user accounts for those domain machines. -- Steve

Surely you could apply the more restrictive settings first then apply the
less restrictive and get the desired result using BLOCKING?

You're right! How could I forget... still I think he
could create a GPO at domain level, and in the properties
of that GPO, apply it only to that one OU containing the
user in question while NOT allowing it to be applied to
the other groups, ie EVERYONE.. Although MS recommends
you apply GPOs at OU level, you CAN selectively apply GPOs
from the domain level by controlling who/what the GPO
applies to.

-----Original Message-----
No, Password policy is set at the domain level and not
the OU level.

-----Original Message-----
Could he not create a new GPO which applies only to a
new
OU with only the generic account in it, and apply the
more
liberal lockout policy only to that GPO?

-----Original Message-----
The only account that can not be locked out [at
least from keyboard],
is the administrator account. You can change your
account
lockout policy,
but then it wll apply to all users on the computer or
all
users in the
domain. If your account lockout setting is low, you may
want to raise it to
a higher number like ten. You may also want to
reconfigure lockout setting
as far as time before you can try logging in again. ---

Steve

message
Does anyone know how to set a user account up so that
it
can't be locked out? We have a generic account that
many
users log into and they are constantly locking it out.
Any ideas would be much appreciated.

Thanks


.

.

.





.
 
The article refers to GPO filtering for user configuration of Group Policy.
Account policy is computer configuration. Even if you try to add a computer to the
deny apply for the GPO and log onto the domain from that computer the domain account
policies will prevail. --- Steve

KIWI said:
According to the following article what you are proposing should work
(unless I'm misunderstanding what you are trying to do)

http://support.microsoft.com/default.aspx?scid=kb;en-us;315675


Steven L Umbach said:
Again I do not believe that will work. If you test it and find otherwise please post
your results. --- Steve

steve said:
First of all, thanks to everyone for the feedback. I want
to see what you think of this idea.

Since the lockout policy comes from the Default Domain
Policy GPO, what if I explictly deny the Apply Policy
setting to that account in the security properties for
that GPO?

-----Original Message-----
In normal circumstances for just about all other
group policy settings
that would work. However for DOMAIN users, only
password/account policies
applied at the domain level will apply - ALL other level
of policies will be
ignored, even if inheritance is blocked. They can however
apply to local machine
user accounts for those domain machines. -- Steve

Surely you could apply the more restrictive settings
first then apply the
less restrictive and get the desired result using
BLOCKING?

You're right! How could I forget... still I think he
could create a GPO at domain level, and in the
properties
of that GPO, apply it only to that one OU containing
the
user in question while NOT allowing it to be applied
to
the other groups, ie EVERYONE.. Although MS
recommends
you apply GPOs at OU level, you CAN selectively apply
GPOs
from the domain level by controlling who/what the GPO
applies to.

-----Original Message-----
No, Password policy is set at the domain level and
not
the OU level.

-----Original Message-----
Could he not create a new GPO which applies only to
a
new
OU with only the generic account in it, and apply
the
more
liberal lockout policy only to that GPO?

-----Original Message-----
The only account that can not be locked out
[at
least from keyboard],
is the administrator account. You can change your
account
lockout policy,
but then it wll apply to all users on the computer
or
all
users in the
domain. If your account lockout setting is low,
you may
want to raise it to
a higher number like ten. You may also want to
reconfigure lockout setting
as far as time before you can try logging in
again. ---

Steve

message
Does anyone know how to set a user account up so
that
it
can't be locked out? We have a generic account
that
many
users log into and they are constantly locking
it out.
Any ideas would be much appreciated.

Thanks


.

.

.





.
 
Back
Top