This article describes how to configure account policies in the Active Directory directory service. When you configure account policies (such as password policy and account lockout policy) in Active Directory, Microsoft Windows 2000 permits only one domain account policy per domain. Group Policy settings that are associated with one domain do not automatically propagate to the other domains in the forest. To associate Group Policy settings from one domain to another domain, the domains must be explicitly linked.
There is an exception to the Windows 2000 rule that permits only one account policy per domain. You can configure another account policy for an organizational unit. The account policy settings for an organizational unit affect the local policies on computers that are contained in that organizational unit. For example, if a Windows 2000-based workstation is in an organizational unit that is named OU1, an administrator can create a Group Policy object for OU1 and specify account policy settings that are different from those of the default domain policy. In this case, when a user logs on to the domain, the account policy settings from the default domain policy are in place. When a user logs on locally to the Windows 2000-based workstation, the local account policies, as defined by the Group Policy object for OU1, are used.
Note: Because domain controllers do not have local accounts as servers and workstations do, account policies that are defined in the default Domain Controllers organizational unit have no effect.
Windows Server 2008 introduces Fine-Grained Password Policies that allow for more precise control of account policy settings. For more information visit the following Microsoft Web site:
Note: Domain controllers obtain account policies only from the domain container. This behavior occurs because domain controllers share the domain accounts database, and therefore the policies must be consistent across all domain controllers.
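The rules above (domain accounts take policy from the domain container, local accounts on member computers take it from the organizational unit, and domain controllers only from the domain container) can be modeled as a small resolver. This is an added example, not Microsoft code: the container names, computer names and setting values are constructed, it assumes normal per-setting Group Policy precedence (the container closest to the computer wins), and it ignores blocked inheritance, enforced links and Fine-Grained Password Policies.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Container:
    """A domain or OU plus the account policy settings of GPOs linked to it."""
    name: str
    parent: Optional["Container"] = None
    account_policy: dict = field(default_factory=dict)

    def chain(self):
        """Containers from the domain root down to this one (processing order)."""
        node, path = self, []
        while node is not None:
            path.append(node)
            node = node.parent
        return path[::-1]

@dataclass
class Computer:
    name: str
    container: Container
    is_domain_controller: bool = False

def effective_account_policy(computer, account_type):
    """Account policy enforced for a 'domain' or 'local' account on computer."""
    chain = computer.container.chain()
    if account_type == "domain":
        # Domain accounts: only GPOs linked to the domain container count.
        return dict(chain[0].account_policy)
    if account_type != "local":
        raise ValueError("account_type must be 'domain' or 'local'")
    if computer.is_domain_controller:
        # DCs have no local accounts, so OU-level account policy has no target.
        raise ValueError("domain controllers have no local accounts")
    merged = {}
    for container in chain:  # later (closer) containers override per setting
        merged.update(container.account_policy)
    return merged

# Constructed sample directory; names and values are illustrative only.
DOMAIN = Container("example.test", None, {"MinimumPasswordLength": 8, "LockoutBadCount": 5})
OU1 = Container("OU1", DOMAIN, {"MinimumPasswordLength": 14})
DC_OU = Container("Domain Controllers", DOMAIN, {"MinimumPasswordLength": 20})
WS01 = Computer("WS01", OU1)
DC01 = Computer("DC01", DC_OU, is_domain_controller=True)

if __name__ == "__main__":
    for host, kind in [(WS01, "domain"), (WS01, "local"), (DC01, "domain")]:
        print(host.name, kind, effective_account_policy(host, kind))
```

An auditor can use the same logic to flag OU-linked GPOs whose password settings an administrator may wrongly expect to apply to domain users.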
For additional information about Group Policy application rules, see the following article in the Microsoft Knowledge Base:
259576 Group Policy application rules for domain controllers