Article ID: 255550 - Last Review: April 14, 2008 - Revision: 4.2

How to configure account policies in Active Directory

This article was previously published under Q255550
Notice
This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center (http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fwin2000) is a starting point for planning your migration strategy from Windows 2000. For more information, see the Microsoft Support Lifecycle Policy (http://support.microsoft.com/lifecycle/).

SUMMARY

This article describes how to configure account policies in the Active Directory directory service. When you configure account policies (such as password policy and account lockout policy) in Active Directory, Microsoft Windows 2000 permits only one domain account policy per domain. Group Policy settings that are associated with one domain do not automatically propagate to the other domains in the forest. To associate Group Policy settings from one domain to another domain, the domains must be explicitly linked.

MORE INFORMATION

There is an exception to the Windows 2000 rule that permits only one account policy per domain. You can configure another account policy for an organizational unit. The account policy settings for an organizational unit affect the local policies on computers that are contained in that organizational unit. For example, if a Windows 2000-based workstation is in an organizational unit that is named OU1, an administrator can create a Group Policy object for OU1 and specify account policy settings that are different from those of the default domain policy. In this case, when a user logs on to the domain, the account policy settings from the default domain policy are in place. When a user logs on locally to the Windows 2000-based workstation, the local account policies, as defined by the Group Policy object for OU1, are used.

Note Because domain controllers do not have local accounts as servers and workstations do, account policies that are defined in the default domain controller's organizational unit have no effect.

Windows Server 2008 introduces Fine-Grained Password Policies that allow for more precise control of account policy settings. For more information, visit the following Microsoft Web site:
AD DS: Fine-Grained Password Policies
http://technet2.microsoft.com/windowsserver2008/en/library/056a73ef-5c9e-44d7-acc1-4f0bade6cd751033.mspx?mfr=true


For additional information about Domain Security Policy, click the following article number to view the article in the Microsoft Knowledge Base:
221930 (http://support.microsoft.com/kb/221930/) Domain security policy in Windows 2000


Note Domain controllers obtain account policies only from the domain container. This behavior occurs because domain controllers share the domain accounts database, and therefore the policies must be consistent across all domain controllers.
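
The following is an added example, not part of the original article or any Microsoft tooling. It models the rule described above for the OU1 scenario and reports which settings leave local accounts on OU1 computers weaker than the domain policy. The template fragments and their values are constructed, and the model assumes one Group Policy object at the domain level and one linked to OU1, with no blocking or enforcement.

```python
import configparser

# Constructed security-template fragments; values are illustrative only.
DOMAIN_GPO = """[System Access]
MinimumPasswordLength = 12
PasswordHistorySize = 24
PasswordComplexity = 1
LockoutBadCount = 5
"""
OU1_GPO = """[System Access]
MinimumPasswordLength = 6
LockoutBadCount = 0
"""
KEYS = ("MinimumPasswordLength", "PasswordHistorySize",
        "PasswordComplexity", "LockoutBadCount")

def system_access(inf_text):
    """Return the numeric account-policy keys from a template's [System Access]."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the template's key casing
    parser.read_string(inf_text)
    section = parser["System Access"]
    return {k: int(section[k]) for k in KEYS if k in section}

def effective_policy(domain, ou, logon, is_dc=False):
    """logon is 'domain' or 'local'. Assumption: one GPO per level."""
    if logon == "domain" or is_dc:
        return dict(domain)          # domain accounts: domain container only
    return {**domain, **ou}          # local accounts: OU GPO applied after domain GPO

def strength(key, value):
    # LockoutBadCount 0 disables lockout; otherwise fewer attempts is stricter.
    if key == "LockoutBadCount":
        return float("-inf") if value == 0 else -value
    return value

def weaker_for_local_accounts(domain, ou):
    """Settings where OU1 local accounts end up below the domain policy."""
    local = effective_policy(domain, ou, "local")
    return {k: (domain[k], local[k]) for k in domain
            if strength(k, local[k]) < strength(k, domain[k])}

DOMAIN = system_access(DOMAIN_GPO)
OU1 = system_access(OU1_GPO)

if __name__ == "__main__":
    for key, (dom, loc) in weaker_for_local_accounts(DOMAIN, OU1).items():
        print(f"{key}: domain={dom} local-on-OU1={loc}")
```

Settings that the OU1 object leaves undefined fall through to the domain value, so only the keys it overrides appear in the report.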

For additional information about Group Policy application rules, click the following article number to view the article in the Microsoft Knowledge Base:
259576 (http://support.microsoft.com/kb/259576/) Group Policy application rules for domain controllers


APPLIES TO
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional Edition