How to configure account policies in Active Directory

This article was previously published under Q255550
This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy.
This article has been archived. It is offered "as is" and will no longer be updated.
This article describes how to configure account policies in the Active Directory directory service. When you configure account policies (such as password policy and account lockout policy) in Active Directory, Microsoft Windows 2000 permits only one domain account policy per domain. Group Policy settings that are associated with one domain do not automatically propagate to the other domains in the forest. To associate Group Policy settings from one domain to another domain, the domains must be explicitly linked.
There is an exception to the Windows 2000 rule that permits only one account policy per domain. You can configure another account policy for an organizational unit. The account policy settings for an organizational unit affect the local policies on computers that are contained in that organizational unit. For example, if a Windows 2000-based workstation is in an organizational unit that is named OU1, an administrator can create a Group Policy object for OU1 and specify account policy settings that are different from those of the default domain policy. In this case, when a user logs on to the domain, the account policy settings from the default domain policy are in place. When a user logs on locally to the Windows 2000-based workstation, the local account policies, as defined by the Group Policy object for OU1, are used.

Note Because domain controllers do not have local accounts as servers and workstations do, account policies that are defined in the default domain controller's organizational unit have no effect. Windows Server 2008 introduces Fine-Grained Password Policies that allow for more precise control of account policy settings. For more information visit the following Microsoft Web site:

For additional information about Domain Security Policy, click the following article number to view the article in the Microsoft Knowledge Base:
221930 Domain security policy in Windows 2000

Note Domain controllers obtain account policies only from the domain container. This behavior occurs because domain controllers share the domain accounts database, and therefore the policies must be consistent across all domain controllers.
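The precedence rules described above, written as a small model (an added example, not Microsoft's code): domain logons always use the domain container's account policy, while local logons on a member computer use the settings merged down to the computer's organizational unit. Assumptions: the Container class, function names, setting keys and sample values are hypothetical, settings merge one by one with the closest container winning, and Block Inheritance and No Override are not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class Container:
    name: str
    kind: str  # "domain" or "ou"
    # Account policy settings defined by GPOs linked to this container.
    account_policy: dict = field(default_factory=dict)

def effective_account_policy(path, account_type, is_domain_controller=False):
    """Return the account policy that governs a logon.

    path: containers from the domain down to the computer's own OU.
    account_type: "domain" for a domain logon, "local" for a local logon.
    """
    domain = path[0]
    if domain.kind != "domain":
        raise ValueError("path must start at the domain container")
    if account_type == "domain":
        # One account policy per domain; OU-level settings never apply,
        # including those linked to the domain controllers' OU.
        return dict(domain.account_policy)
    if account_type != "local":
        raise ValueError("account_type must be 'domain' or 'local'")
    if is_domain_controller:
        raise ValueError("domain controllers have no local accounts")
    # Local accounts on a member computer: settings merge from the domain
    # down, and the container closest to the computer wins per setting.
    merged = {}
    for container in path:
        merged.update(container.account_policy)
    return merged

def local_overrides(path):
    """Settings whose local-logon value differs from the domain value,
    as {setting: (domain_value, local_value)}; useful for spotting OUs
    where local accounts are held to a different standard."""
    dom = effective_account_policy(path, "domain")
    loc = effective_account_policy(path, "local")
    return {k: (dom.get(k), v) for k, v in loc.items() if dom.get(k) != v}

# Constructed sample data (names and values are illustrative only).
DOMAIN = Container("example.test", "domain",
                   {"MinimumPasswordLength": 8, "LockoutBadCount": 5})
OU1 = Container("OU1", "ou", {"MinimumPasswordLength": 6})
DC_OU = Container("Domain Controllers", "ou", {"MinimumPasswordLength": 0})

if __name__ == "__main__":
    print(effective_account_policy([DOMAIN, OU1], "domain"))
    print(effective_account_policy([DOMAIN, OU1], "local"))
    print(local_overrides([DOMAIN, OU1]))
```

Running local_overrides over each OU path gives a quick list of places where local accounts are governed by different password or lockout settings than domain accounts.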

For additional information about Group Policy application rules, click the following article number to view the article in the Microsoft Knowledge Base:
259576 Group Policy application rules for domain controllers


Article ID: 255550 - Last Review: 12/05/2015 18:53:35 - Revision: 4.2

Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Server, Microsoft Windows 2000 Professional Edition
