How to configure account policies in Active Directory

Article translations Article translations
Article ID: 255550 - View products that this article applies to.
This article was previously published under Q255550
Notice
This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy.
Expand all | Collapse all

SUMMARY

This article describes how to configure account policies in the Active Directory directory service. When you configure account policies (such as password policy and account lockout policy) in Active Directory, Microsoft Windows 2000 permits only one domain account policy per domain. Group Policy settings that are associated with one domain do not automatically propagate to the other domains in the forest. To associate Group Policy settings from one domain to another domain, the domains must be explicitly linked.

MORE INFORMATION

There is an exception to the Windows 2000 rule that permits only one account policy per domain. You can configure another account policy for an organizational unit. The account policy settings for an organizational unit affect the local policies on computers that are contained in that organizational unit. For example, if a Windows 2000-based workstation is in an organizational unit that is named OU1, an administrator can create a Group Policy object for OU1 and specify account policy settings that are different from those of the default domain policy. In this case, when a user logs on to the domain, the account policy settings from the default domain policy are in place. When a user logs on locally to the Windows 2000-based workstation, the local account policies, as defined by the Group Policy object for OU1, are used.

Note Because domain controllers do not have local accounts as servers and workstations do, account policies that are defined in the default domain controller's organizational unit have no effect. Windows Server 2008 introduces Fine-Grained Password Policies that allow for more precise control of account policy settings. For more information visit the following Microsoft Web site:
AD DS: Fine-Grained Password Policies
http://technet2.microsoft.com/windowsserver2008/en/library/056a73ef-5c9e-44d7-acc1-4f0bade6cd751033.mspx?mfr=true


For additional information about Domain Security Policy, click the following article number to view the article in the Microsoft Knowledge Base:
221930 Domain security policy in Windows 2000


Note Domain controllers obtain account policies only from the domain container. This behavior occurs because domain controllers share the domain accounts database, and therefore the policies must be consistent across all domain controllers.

For additional information about Group Policy application rules, click the following article number to view the article in the Microsoft Knowledge Base:
259576 Group Policy application rules for domain controllers

Properties

Article ID: 255550 - Last Review: April 14, 2008 - Revision: 4.2
APPLIES TO
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional Edition
Keywords: 
kbinfo KB255550

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com