Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2008-12-16) Why GPOs With Password And Account Lockout Policy Settings Must Be Linked To The AD Domain Object To Be Effective On AD Domain User Accounts

Posted by Jorge on 2008-12-16


In the newsgroups I still see questions about how people can use GPOs to configure password and account lockout policy settings and then link that GPO to some OU, so that those settings apply only to the users in that OU. I would expect this to be common knowledge by now, but apparently it is not. So please repeat after me and say:

By default, only ONE password and account lockout policy can exist in each AD domain through the use of GPOs…

By default, only ONE password and account lockout policy can exist in each AD domain through the use of GPOs…

By default, only ONE password and account lockout policy can exist in each AD domain through the use of GPOs…

By default, only ONE password and account lockout policy can exist in each AD domain through the use of GPOs…

By default, only ONE password and account lockout policy can exist in each AD domain through the use of GPOs…

By default, only ONE password and account lockout policy can exist in each AD domain through the use of GPOs…

By default, only ONE password and account lockout policy can exist in each AD domain through the use of GPOs…

By default, only ONE password and account lockout policy can exist in each AD domain through the use of GPOs…

By default, only ONE password and account lockout policy can exist in each AD domain through the use of GPOs…

By default, only ONE password and account lockout policy can exist in each AD domain through the use of GPOs…

That should do it! Be aware though that Windows Server 2008 AD supports MULTIPLE password and account lockout policies (fine-grained password policies)! However, that is NOT done through GPOs, but rather through Password Settings Objects (PSOs). You can read more about this here and here.

So, now to answer the question "WHY????"

Password and account lockout policy settings live in the COMPUTER part of a GPO, which automatically means that ONLY computers process those settings, never users. "Computers" here means DCs, member servers and clients. When a member server or client processes such a GPO, no matter whether it is linked to some OU in the AD domain or to the AD domain object itself, the settings only affect the local accounts on that server or client. So if you configure a GPO with password and account lockout policy settings and link it to an OU that contains computers, each computer in that OU processes those settings and they affect only the local accounts on those computers. Only when DCs process those settings do they affect the domain user accounts in the AD domain.

The password and account lockout policy settings are processed by the DC that holds the PDC FSMO role, which writes the resulting values into attributes on the domain object. Those attribute values then replicate to the other DCs in the same AD domain, and every DC uses them to enforce the policy on domain user accounts.
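Because the PDC emulator writes the effective settings into attributes on the domain object, the quickest way to see what a domain really enforces is to read those attributes rather than to guess from the GPOs. The PowerShell script below is an added example, not code from the original post; it assumes a domain-joined Windows host with PowerShell 3.0 or later and runs as any authenticated domain user, using only System.DirectoryServices (no ActiveDirectory module). The function name Get-DomainPasswordPolicy and the -Server parameter are this example's own.

```powershell
# Added example, not code from the original post. Reads the domain-wide password and
# account lockout policy straight from the attributes of the domain object (the values
# the PDC emulator writes after processing the domain-linked GPO), so what it prints is
# what every DC actually enforces, regardless of which GPOs exist or where they are linked.
# Assumes: domain-joined Windows host, PowerShell 3.0+, any authenticated domain user.

function ConvertFrom-AdInterval {
    # AD stores durations as negative 100-nanosecond intervals; Int64.MinValue means
    # "never" (maxPwdAge) or "until an administrator unlocks" (lockoutDuration).
    param([Int64]$Ticks, [string]$Sentinel)
    if ($Ticks -eq [Int64]::MinValue) { return $Sentinel }
    if ($Ticks -eq 0) { return "0" }
    $span = [TimeSpan]::FromTicks([Math]::Abs($Ticks))
    if ($span.TotalDays -ge 1) { return ("{0:N1} days" -f $span.TotalDays) }
    return ("{0:N0} minutes" -f $span.TotalMinutes)
}

function Get-DomainPasswordPolicy {
    # -Server asks a specific DC (e.g. the PDC emulator, then another DC) so you can
    # confirm the attribute values have replicated; omit it for a serverless bind.
    param([string]$Server)

    $prefix   = if ($Server) { "LDAP://$Server/" } else { "LDAP://" }
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry("${prefix}RootDSE")
    $domainDn = [string]$rootDse.Properties["defaultNamingContext"][0]
    $answerDc = [string]$rootDse.Properties["dnsHostName"][0]
    $domain   = New-Object System.DirectoryServices.DirectoryEntry("${prefix}${domainDn}")

    # Base-scope search: DirectorySearcher returns large-integer attributes as Int64,
    # which avoids the IADsLargeInteger HighPart/LowPart arithmetic of plain ADSI binds.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain, "(objectClass=domainDNS)")
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base
    foreach ($a in "maxpwdage","minpwdage","minpwdlength","pwdhistorylength","pwdproperties",
                   "lockoutthreshold","lockoutduration","lockoutobservationwindow") {
        [void]$searcher.PropertiesToLoad.Add($a)
    }
    $result = $searcher.FindOne()
    if (-not $result) { throw "Could not read the domain object $domainDn via $answerDc" }
    $p = $result.Properties

    # pwdProperties is a bit mask: 0x1 = complexity required, 0x10 = reversible encryption
    $flags     = [int]$p["pwdproperties"][0]
    $threshold = [int]$p["lockoutthreshold"][0]

    [PSCustomObject]@{
        Domain                   = $domainDn
        AnsweringDC              = $answerDc
        MaxPasswordAge           = ConvertFrom-AdInterval ([Int64]$p["maxpwdage"][0]) "never expires"
        MinPasswordAge           = ConvertFrom-AdInterval ([Int64]$p["minpwdage"][0]) "n/a"
        MinPasswordLength        = [int]$p["minpwdlength"][0]
        PasswordHistoryLength    = [int]$p["pwdhistorylength"][0]
        ComplexityRequired       = [bool]($flags -band 0x1)
        ReversibleEncryption     = [bool]($flags -band 0x10)
        LockoutThreshold         = if ($threshold -eq 0) { "0 (no lockout)" } else { $threshold }
        LockoutDuration          = ConvertFrom-AdInterval ([Int64]$p["lockoutduration"][0]) "until admin unlocks"
        LockoutObservationWindow = ConvertFrom-AdInterval ([Int64]$p["lockoutobservationwindow"][0]) "n/a"
    }
}

# Compare the PDC emulator with whichever DC the locator picks; differing values point
# at replication, not at the GPO itself.
$pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
Get-DomainPasswordPolicy -Server $pdc
Get-DomainPasswordPolicy
```

The same values can be cross-checked with the classic `net accounts /domain`. Running `net accounts` without `/domain` on a member server or client shows that machine's local account policy instead, which is exactly what a GPO linked to a computer OU changes.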

Put simply: computers process the password and account lockout policy settings in GPOs, and those settings only affect the user accounts managed by those computers, i.e. local accounts on member servers and clients, domain accounts on DCs.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge's Quest For Knowledge ###############
########### http://JorgeQuestForKnowledge.wordpress.com/ ###########
———————————————————————————————

4 Responses to "(2008-12-16) Why GPOs With Password And Account Lockout Policy Settings Must Be Linked To The AD Domain Object To Be Effective On AD Domain User Accounts"

  1. Hi,

    I’m seeing a strange issue that might be related:
    a customer has implemented one W2K8 DC in a domain that otherwise contains only W2K3 DCs. They changed the account lockout threshold from 10 to 15. But even after several days accounts still get locked out after 10 attempts (Bad Pwd Count as seen in lockoutstatus tool).
    As far as I know the PDC emulator is responsible for “implementing” the settings in the domain. In this case the PDC is the W2K8 machine. Could it be that W2K8 has an issue implementing these “old-style” policies?

    How can I verify the actual settings?

    Greetings,
    Christoph


  2. […] Why GPOs with Password and Account Lockout Policy Settings must be linked to the AD domain object to… […]


  3. […] Why GPOs With Password And Account Lockout Policy Settings Must Be Linked To The AD Domain Object To… […]


  4. […] Why GPOs With Password And Account Lockout Policy Settings Must Be Linked To The AD Domain Object To… […]
