John Howard - Senior Program Manager in the Hyper-V team at Microsoft

Senior Program Manager, Hyper-V team, Windows Core Operating System Division.


Account Lockout Policy cannot be changed and is greyed out


I received an email overnight asking about greyed out settings in the Local Security Policy on a newly installed Windows Server 2003 machine. In my Group Policy session on Tuesday I covered this whole area, and the explanation comes down to probably one of the most commonly misunderstood concepts I find when talking to customers about Group Policy. If you attend just about any session on Group Policy, the presenter will tell you that there is only one password policy in a domain. Even if you scope a Group Policy Object (GPO) to an OU that defines a password policy, that GPO affects the local password policy of the computers in that OU rather than domain-level passwords. This is exactly the same for Account Lockout Policy.

So, for example: start with a freshly installed standalone server running in a workgroup rather than being domain joined. Run secpol.msc (the shortcut for Local Security Policy under Administrative Tools). Drill down into Account Policies/Account Lockout Policy and double-click Account Lockout Threshold. You will be able to define an appropriate value. However, once you join that machine to a domain, it comes under the influence of Group Policy. In a default AD installation you will pick up settings from the Default Domain Policy. If there is another GPO scoped to the OU containing the computer account that also sets the Account Policies, it will override the Default Domain Policy, and its values are what you will see through secpol.msc on the member server. Because the policy now comes from Group Policy, you cannot override these settings locally. You will also notice, if you look very carefully, that the icon for the policy setting changes to a "pair of servers with a scroll" icon indicating that the setting comes from Group Policy; when it was a standalone server, the icon was the binary 0's and 1's.
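The following PowerShell script is an added example and is not code from the original post. It reports the Account Lockout settings that are actually in effect on the machine you run it on (the same values secpol.msc displays, whether editable or greyed out), states whether the machine is a domain member, and, when the ActiveDirectory module happens to be installed, compares the local values against the domain-wide default so that a GPO linked to the computer's OU shows up as a difference. It assumes a Windows host with secedit.exe (always present), an elevated prompt so that secedit can export the local security database, and PowerShell 3.0 or later for Get-CimInstance; the ActiveDirectory module is optional.

```powershell
# Added example, not from the original post. Shows the effective Account
# Lockout Policy on this machine and where it comes from.
# Assumptions: Windows with secedit.exe; run elevated; PowerShell 3.0+;
# the ActiveDirectory module is used only if it is installed.

function Get-LocalLockoutPolicy {
    # secedit exports the *effective* local security database, i.e. it
    # already includes the values Group Policy has pushed down.
    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    secedit /export /cfg $inf /quiet | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated prompt.' }

    # The three keys under [System Access] that make up Account Lockout Policy.
    $result = @{ LockoutBadCount = $null; LockoutDuration = $null; ResetLockoutCount = $null }
    $inSystemAccess = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $inSystemAccess = ($Matches[1] -eq 'System Access'); continue }
        if ($inSystemAccess -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') {
            if ($result.ContainsKey($Matches[1])) { $result[$Matches[1]] = [int]$Matches[2] }
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue

    # LockoutBadCount = 0 means "never lock out"; the other two keys are then
    # usually omitted from the export, so null is the expected value for them.
    [pscustomobject]@{
        Threshold         = $result.LockoutBadCount
        DurationMinutes   = $result.LockoutDuration
        ResetAfterMinutes = $result.ResetLockoutCount
    }
}

$local  = Get-LocalLockoutPolicy
$system = Get-CimInstance Win32_ComputerSystem

Write-Host 'Effective local Account Lockout Policy (what secpol.msc displays):'
$local | Format-List | Out-Host

if (-not $system.PartOfDomain) {
    Write-Host 'Workgroup machine: these values are editable in secpol.msc.'
    return
}

Write-Host ("Member of domain {0}: these values are supplied by Group Policy and are greyed out in secpol.msc." -f $system.Domain)

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $dom = Get-ADDefaultDomainPasswordPolicy
    $domainPolicy = [pscustomobject]@{
        Threshold         = $dom.LockoutThreshold
        DurationMinutes   = [int]$dom.LockoutDuration.TotalMinutes
        ResetAfterMinutes = [int]$dom.LockoutObservationWindow.TotalMinutes
    }
    Write-Host 'Domain-wide policy (the Default Domain Policy values held on the DC):'
    $domainPolicy | Format-List | Out-Host

    # A mismatch is the sign of a second GPO linked to this computer's OU
    # that also sets Account Policies, as described in the post.
    if ($domainPolicy.Threshold -ne $local.Threshold) {
        Write-Warning 'Local threshold differs from the domain default: a GPO linked to this computer''s OU is overriding it. List applied GPOs with: gpresult /r /scope computer'
    }
} else {
    Write-Host 'ActiveDirectory module not installed; run "gpresult /r /scope computer" to list the GPOs supplying these settings.'
}
```

Run it once on the workgroup server and again after the domain join to see the same three values move from "editable" to "supplied by Group Policy". One caveat for domains at a newer functional level than the Windows Server 2003 domain discussed here: from Windows Server 2008 onwards, fine-grained password policies can give particular users or groups their own lockout settings, but the domain-wide default that member servers inherit still comes from the Default Domain Policy shown by this script.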


Comments
  • Windows 2003 server - I have edited the Default Domain Policy - password complexity and password age - I see it is affecting machines in the domain that log on locally. Is there a way to stop this policy from affecting local accounts on local machines?

  • I also have the same problem with the member servers in a Windows 2003 domain; it always affects the local security policy for the members. Is there any way to isolate the policy from the domain?
