I am trying to apply an account policy (password + account lockout) to selected domain users.
- Created a group and added the users to this group (GroupA).
- In “Default Domain Policy”, which is applied at the domain level (topmost), I have edited the security settings of the policy as follows:
  - For “Authenticated Users”, “Read” is checked but “Apply Group Policy” is not checked.
  - For “GroupA”, “Read” and “Apply Group Policy” are checked.
- Sufficient time given for replication. Also used gpupdate /force. Also rebooted the domain controllers.
However, when I purposely type the wrong password, the account (which is a member of GroupA) does not get locked. FYI, I am using Windows 2003 R2 SP2 on my domain controllers. Do I have to maintain “Authenticated Users” for the policy for it to work? Also, I used the ADSIedit tool to check and found that the parameter “lockThreshold” at the domain level (topmost) is set to “0”. Any idea why my policy is not applying? I have referred to these forums for information as well and followed accordingly, but it does not work.