Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2008-12-16) Why GPOs With Password And Account Lockout Policy Settings Must Be Linked To The AD Domain Object To Be Affective On AD Domain User Accounts

Posted by Jorge on 2008-12-16


In the newsgroups I still see questions about how people can leverage GPOs and configure password and account lockout policy settings and link that GPO to some OU so that the configured password and account lockout policy settings only apply to the users in that OU. I would expect this to be common knowledge by now, but apparently it is not. So please repeat after me and say:

By default, only ONE password and account lockout policy can exist in each AD domain through the use of GPOs…

By default, only ONE password and account lockout policy can exist in each AD domain through the use of GPOs…

By default, only ONE password and account lockout policy can exist in each AD domain through the use of GPOs…

By default, only ONE password and account lockout policy can exist in each AD domain through the use of GPOs…

By default, only ONE password and account lockout policy can exist in each AD domain through the use of GPOs…

By default, only ONE password and account lockout policy can exist in each AD domain through the use of GPOs…

By default, only ONE password and account lockout policy can exist in each AD domain through the use of GPOs…

By default, only ONE password and account lockout policy can exist in each AD domain through the use of GPOs…

By default, only ONE password and account lockout policy can exist in each AD domain through the use of GPOs…

By default, only ONE password and account lockout policy can exist in each AD domain through the use of GPOs…

That should do it! Be aware though that Windows Server 2008 AD supports MULTIPLE password and account lockout policies! However, that is NOT done through GPOs, but rather through Password Settings Objects (PSOs). You can read more about this here and here.

So, now to answer the question "WHY????"

Password and account lockout policies are in the COMPUTER part of a GPO, so that automatically means that ONLY computers can process those settings and not users. With computers that means DC/Servers/Clients. When processed by servers/clients, because it is linked to ANY OU in the AD domain or the AD domain object, then it will only affect the local accounts on each of those servers or clients. So when configuring a GPO with the "password and account lockout policy" settings and linking that GPO to an OU AND if that OU contains computers, each computer in that OU will process those settings and it will affect only the accounts on those computers. When processed by DCs then it will affect the domain accounts in the AD domain.

The password and account lockout policy settings are processed by the DC that hosts the PDC FSMO which will write the data into some attributes on the domain object. Those attribute values then replicate to other DCs in the same AD domain and those DCs use that information to enforce those settings on domain user accounts.

Easily said: computers process password and account lockout policy settings in GPOs and those settings only have affect on users managed by those computers.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

3 Responses to “(2008-12-16) Why GPOs With Password And Account Lockout Policy Settings Must Be Linked To The AD Domain Object To Be Affective On AD Domain User Accounts”

  1. Hi,

    I’m seeing a strange issue that might be related:
    a customer has implemented one W2K8 DC in a domain that otherwise contains only W2K3 DCs. They changed the account lockout threshold from 10 to 15. But even after several days accounts still get locked out after 10 attempts (Bad Pwd Count as seen in lockoutstatus tool).
    As far as I know the PDC emulator is responsible for “implementing” the settings in the domain. In this case the PDC is the W2K8 machine. Could it be that W2K8 has an issue implementing these “old-style” policies?

    How can I verify the actual settings?

    Greetings,
    Christoph

  2. […] Why GPOs with Password and Account Lockout Policy Settings must be linked to the AD domain object to… […]

  3. […] Why GPOs With Password And Account Lockout Policy Settings Must Be Linked To The AD Domain Object To… […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: