Account Lockout Policy


This topic contains 4 replies, has 2 voices, and was last updated by Kobe 310 6 months ago.

    Kobe 310

    I have TSs and computers that are joined to my domain. There are settings in Computer Configuration that are different from User Configuration. I’ve never understood how to set a policy on a computer or TS when the policy that I need is located in the Computer Configuration.

    I’m trying to apply the policy in Computer Configuration>Windows Settings>Security Settings>Account Policies>Account Lockout Policy>Account Lockout Threshold, set to 3. This doesn’t work on the computers. Not sure what I need to do.

    Also, I’ve read about loopback policy, and in this article from Microsoft, this is what it says.

    1. In the Group Policy Microsoft Management Console (MMC), click Computer Configuration.
    2. Locate Administrative Templates, click System, click Group Policy, and then enable the Loopback Policy option.

    Now when I type in mmc, Computer Configuration>Administrative Templates>System>Group Policy, there is no Loopback Policy. From my understanding I can get some of the computer policies to apply to users.

    Any ideas?

    Ossian

    Firstly, the account lockout and password policies only apply with domain and local GPOs – you can set them in Site and OU ones, but they do not apply. If you need to have more granular policies, you can use security filtering (slow) or Fine Grained Password Policies – difficult depending on the operating system on your DCs.

    Second, the loopback policy.
    Have a good read of and the follow-up article. You should see it where you are looking – if not, change DC and recheck. You need to understand how loopback works and the two modes (merge or replace) before you can start using it.

    What is your domain FL and what OS are the DCs (and TSes)?
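The loopback setting Ossian refers to is the "Configure user Group Policy loopback processing mode" policy under Computer Configuration>Administrative Templates>System>Group Policy. The following is an added example, not code from this thread or from Ossian, showing how to set that policy on a GPO from PowerShell and how to confirm on a Terminal Server that it arrived; the GPO name is a placeholder.

```powershell
# Added example (not from the thread). Enables loopback processing on the GPO
# linked to the OU that contains the Terminal Server computer objects, then
# verifies the setting on a TS. The GPO name below is a placeholder.
Import-Module GroupPolicy

$GpoName     = 'TS Loopback Policy'   # placeholder: GPO linked to the TS computers' OU
$LoopbackKey = 'HKLM\Software\Policies\Microsoft\Windows\System'

# "Configure user Group Policy loopback processing mode" is stored as the
# UserPolicyMode DWORD under the key above:
#   1 = Merge   : the user's own GPOs apply, then the User Configuration of the
#                 GPOs that apply to the computer; on conflict the computer's win
#   2 = Replace : only the User Configuration of the computer's GPOs applies
Set-GPRegistryValue -Name $GpoName -Key $LoopbackKey `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2

# Read the value back out of the GPO to confirm it was written
Get-GPRegistryValue -Name $GpoName -Key $LoopbackKey -ValueName 'UserPolicyMode'

# --- On a Terminal Server, after 'gpupdate /force' ---
# The computer should now carry the policy value locally:
Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\System' `
    -Name 'UserPolicyMode' -ErrorAction SilentlyContinue

# And the resultant set of policy for the logged-on user lists which
# user-side GPOs applied, including any pulled in through loopback:
gpresult /r /scope:user
```

Because loopback is a Computer Configuration setting, the GPO carrying it has to apply to the TS computer object; the User Configuration of every GPO that applies to that computer is then processed for whoever logs on, which is what lets "computer" GPOs shape the user session.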

    Kobe 310

    Thanks for your post, Ossian. Been out of the office. Great article, thanks.

    Not sure what Domain FL is. DC is 2016, TS is 2008R2, and 2016.

    I tried to write this as exactly as I could, definitely took some time!!! Did a little color coding hoping to make it easier and a little more understandable.

    I’ve read several articles on GPOs and the common explanation is that the lowest number wins. (1,2,3,4,5) However, in these different articles, they all come across as if 5 would be a lower number than 1. In that article you gave me, the last processed policy would be the child OU. To me that would be the higher number because it wasn’t the first policy run. What runs first would be 1 (Site), second would be 2 (Domain) etc. Not sure if I’m understanding this correctly.

    In A LOT of testing, I’ve been turning certain policies on, using test user accounts and my user account to see if they would apply. Sometimes they do, but other times they don’t. I can’t seem to put my finger on it because there have been times where a policy won’t take until an hour later… so from the very first time it took an hour for a policy to take, all of the writing down I did of what worked and what didn’t, I ended up scratching out on my notepad most of what I thought didn’t work, because one did after an hour. So it’s almost impossible to figure this out. I was hoping you could clear the cobwebs out a little with a few questions. My DC is Server 2016.

    I’ve had for several years a GPO called Desktop Lockdown. This GPO is for TS users only, which I learned how to do from Trainsignal CDs. This Desktop Lockdown GPO is applied directly to an OU called Company Users (it was the 1st OU of the domain, and still the main OU today). Within this OU are sub OUs created according to employee location (city or street). Within the employee location OUs (assuming they would be called child OUs) are Dept. OUs.

    In this Desktop Lockdown GPO I disallow access to most functions of the server, e.g. removing the power off button, clipboard, removing C:, setting time limits for disconnected sessions etc. It worked fine (on Server 2008R2 and 2016) until I decided to figure out how to add a Printer GPO to apply to a specific sub or child OU (assuming a child OU is within a sub OU, in which the sub OU is within the parent OU, which I’m assuming is the OU called Company Users as mentioned above)….

    Looks like this:

    [Attachment: Petri.jpg (screenshot of the Group Policy Inheritance tab)]

    Under Precedence, in Group Policy Inheritance, as shown above, I’m not sure which one wins?? In Linked Group Policy Objects only 1st Floor Dental Printer is linked. Desktop Lockdown is not. I would think it would be, assuming it’s a child OU of Company Users?


    Under the IT OU, using my credentials, and using 2016 server, the 1st Floor Dental Printer GPO works. I get the printer, and I can also use the search bar. But if I log into Server 2008 using my credentials, the printer works but I can’t use the search bar.

    Under the Test OU, using the test credentials, the 1st Floor Dental Printer GPO works. I get the printer, and I can also use the search bar. But if I log into Server 2008 using the test credentials, the printer doesn’t, and I can’t use the search bar.

    Also, in the 1st Floor Dental Printer GPO, it’s added under User Configuration>Control Panel Settings>Printers. I share the printer, use the Common tab>Item Level Targeting>Targeting tab>New Item>Security Group. I add the group that will use the printer.
    – The test credential not added to that Security Group will not get the printer logging into 2008, but will logging into 2016.

    Nothing is consistent here, just fricking confusing. gpupdate /force is done on all machines before logging in.

    Also, under the Desktop Lockdown GPO, if I select Computer Configuration>Policies>Windows Settings>Security Settings>Account Policies and set Account Lockout Policy to 1, it doesn’t work. If I set the same under Default Domain Policy, it works.

    I’ve read a lot of articles, but it just seems that nothing is consistent here, and of course I can’t move forward until I figure this out.

    Ossian

    I’ll respond fully tomorrow when I am awake, but for the last section, as I said previously:

    Password and Lockout policies ONLY apply if they are in a domain-level GPO, so you are seeing correct behaviour. Yes, you can set it in an OU or site GPO, but it never, ever applies.
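Ossian's two replies make the same point: the Account Lockout Threshold set in the Desktop Lockdown GPO is ignored because that GPO is linked to an OU, while the same setting in Default Domain Policy works, and the supported way to give a subset of users a different threshold is a Fine Grained Password Policy. The following is an added example, not Ossian's code or anything from the thread, that shows how to read the lockout threshold the domain actually enforces, what a given user ends up with, and how to create an FGPP for one group; the account, group and policy names are placeholders.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module
# (RSAT) and rights to create Password Settings Objects. Names are placeholders.
Import-Module ActiveDirectory

# 1. The domain-wide policy: the Account Policies of the GPO(s) linked at the
#    domain root (by default, Default Domain Policy). OU-linked GPOs do not
#    contribute to this, which is why the Desktop Lockdown value never applies.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. What one specific user will actually get: an FGPP if one applies to them,
#    otherwise the domain policy from step 1.
$Sam = 'testuser'   # placeholder: a test account like the ones in the thread
Get-ADUserResultantPasswordPolicy -Identity $Sam |
    Select-Object Name, Precedence, LockoutThreshold, LockoutDuration

# 3. A stricter threshold for one group only, via a Fine Grained Password Policy
#    (needs Windows Server 2008 domain functional level or higher; a 2016 DC
#    qualifies). Lower Precedence wins when several FGPPs apply to a user.
$PolicyName = 'TS-Users-Lockout'   # placeholder PSO name
$Group      = 'TS Users'           # placeholder global security group
New-ADFineGrainedPasswordPolicy -Name $PolicyName -Precedence 10 `
    -LockoutThreshold 3 `
    -LockoutDuration '00:30:00' `
    -LockoutObservationWindow '00:30:00' `
    -ComplexityEnabled $true `
    -MinPasswordLength 8 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '42.00:00:00' `
    -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $Group

# 4. Re-check the user: once they are a member of $Group the resultant policy
#    should now be the PSO with LockoutThreshold 3.
Get-ADUserResultantPasswordPolicy -Identity $Sam |
    Select-Object Name, Precedence, LockoutThreshold

# 5. From any domain member (including a TS), the threshold the domain enforces
#    can also be seen without RSAT:
net accounts /domain
```

Steps 1 and 2 are the quick way to settle the confusion described in the thread: if the threshold you set is not reported by Get-ADDefaultDomainPasswordPolicy and no FGPP applies to the test user, it is not in force no matter what gpresult shows for the OU-linked GPO.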

    Kobe 310

    Ok Thanks Ossian!
