How can I disable account lockout policy for one user in a Windows domain


Solution 1

As MichelZ says, your manager is correct if you're on a 2003 domain. Though regardless of that, I ideally wouldn't want to alter my policy for one single account either. The real issue is that the service is attempting to log on with an incorrect password.

I'm posting this as an answer because the solution is to stop the issue altogether and figure out why a service is attempting to log in with the wrong password. If it's due to the password expiring then this can be sorted in AD Users and Computers rather than by reconfiguring the password policy:


This is standard practice for service accounts.
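An added PowerShell example (not part of the answer above) for the diagnosis this answer recommends: check whether the account's password has expired or is currently locked, and find which computer is presenting the wrong password. It assumes the RSAT ActiveDirectory module, rights to read the Security log on the PDC emulator, and a placeholder account name `svc_tfs`.

```powershell
# Added example; not from the original answer. Assumes the ActiveDirectory module
# (RSAT), rights to read the PDC emulator's Security log, and that 'svc_tfs' is
# the locked-out service account (placeholder name).
Import-Module ActiveDirectory

$Account = 'svc_tfs'

# Step 1: is the account locked, has its password expired, when were the bad attempts?
# msDS-UserPasswordExpiryTimeComputed is the constructed attribute behind the
# expiry shown in ADUC; Int64.MaxValue means the password never expires.
$u = Get-ADUser -Identity $Account -Properties LockedOut, BadLogonCount,
        LastBadPasswordAttempt, PasswordLastSet, PasswordExpired,
        PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'
$expiry = $u.'msDS-UserPasswordExpiryTimeComputed'
$u | Select-Object Name, LockedOut, BadLogonCount, LastBadPasswordAttempt,
        PasswordLastSet, PasswordExpired, PasswordNeverExpires,
        @{ n = 'PasswordExpires'
           e = { if ($expiry -gt 0 -and $expiry -lt [long]::MaxValue) {
                     [datetime]::FromFileTime($expiry) } else { 'never' } } }

# Step 2: which computer is sending the stale password? Every lockout in the
# domain is recorded on the PDC emulator as Security event 4740; in that event
# Properties[0] is the account and Properties[1] (TargetDomainName) is the
# caller computer name.
$pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-1) } |
    Where-Object { $_.Properties[0].Value -eq $Account } |
    Select-Object TimeCreated,
        @{ n = 'Account';        e = { $_.Properties[0].Value } },
        @{ n = 'CallerComputer'; e = { $_.Properties[1].Value } }

# Step 3: after the stored credential on that computer has been corrected
# (services.msc, a scheduled task, an IIS app pool, a saved credential), unlock
# the account instead of waiting out the lockout duration.
Unlock-ADAccount -Identity $Account
```

If the cause turns out to be an expired password, the ADUC checkbox this answer refers to corresponds to `Set-ADUser -Identity svc_tfs -PasswordNeverExpires $true`; the 4740 search is the part worth keeping regardless, because a service that keeps retrying a wrong password from a host nobody remembers is exactly what this answer says to hunt down.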

Solution 2

The real solution is a "Managed service account". When you use regular accounts, or even fine-grained password policies, and set the password to 'never expire', it's a security leak. With a managed service account the computer changes the password itself and you don't have to keep track of it, and it's very secure!

Here's a link http://technet.microsoft.com/en-us/library/dd548356.aspx
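As an added PowerShell example (not from this answer or the linked TechNet article), here is how the two kinds of managed service account are created and how a Windows service is bound to one. Standalone MSAs need the Server 2008 R2 ActiveDirectory module; group MSAs need a Server 2012 domain and a KDS root key. The names `svc_tfs`, `gmsa_tfs`, `TFS01`, `TFS02`, `CONTOSO`/`contoso.com` and the service name `TFSJobAgent` are placeholders.

```powershell
# Added example; not from the original answer. Host, account, domain and service
# names are placeholders. Run the directory parts on a DC or admin workstation
# and the Install/Test parts on the service host itself.
Import-Module ActiveDirectory

# --- Standalone MSA (Server 2008 R2 and later): one account bound to one computer.
New-ADServiceAccount -Name 'svc_tfs' -RestrictToSingleComputer -Enabled $true
Add-ADComputerServiceAccount -Identity 'TFS01' -ServiceAccount 'svc_tfs'

# On TFS01: pull the machine-managed password into the local LSA, then confirm
# the host can authenticate as the account. No human ever sees the password and
# the OS rotates it on its own, like a computer account password.
Install-ADServiceAccount -Identity 'svc_tfs'
Test-ADServiceAccount -Identity 'svc_tfs'    # returns True when the host can use it

# Bind the service: logon name is DOMAIN\name$ with an empty password.
# --% passes the rest verbatim, so sc.exe sees obj= and password= exactly as typed.
# The account also needs the "Log on as a service" right; services.msc grants it
# automatically when you pick the account there, sc.exe does not.
sc.exe --% config TFSJobAgent obj= CONTOSO\svc_tfs$ password= ""

# --- Group MSA (Server 2012 and later): one account shared by several hosts,
# e.g. a load-balanced tier. Needs one KDS root key per forest; in production a
# new key only becomes usable about ten hours later, once every DC has it.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }
New-ADServiceAccount -Name 'gmsa_tfs' -DNSHostName 'gmsa_tfs.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'TFS01$', 'TFS02$' `
    -ManagedPasswordIntervalInDays 30 -Enabled $true
# Then on each listed host: Install-ADServiceAccount 'gmsa_tfs'; Test-ADServiceAccount 'gmsa_tfs'
```

The point of the example is the property this answer is after: the credential lives only in the computer's LSA and the machine rotates it, so there is no password for a human to store wrongly, let alone to set to never expire. As the asker notes in the comments, none of this exists on a 2003 domain.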

Solution 3

This is true for Windows Domains below 2008. Since Windows 2008, you can have different policies.

Have a look here: http://www.windowsecurity.com/articles/configuring-granular-password-settings-windows-server-2008-part-1.html

Edit:

Here's a link from Microsoft: http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx
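An added PowerShell example (not from this answer or the linked articles) of the fine-grained password policy this answer refers to: a Password Settings Object that exempts a group of service accounts from lockout while tightening the rest of their password settings. It requires Windows Server 2008 domain functional level and the ActiveDirectory module; the PSO name, group name, OU path and `svc_tfs` are placeholders.

```powershell
# Added example; not from the original answer. Assumes Windows Server 2008 (or
# later) domain functional level and the ActiveDirectory module. The PSO name,
# group, OU path and 'svc_tfs' are placeholders.
Import-Module ActiveDirectory

$psoName = 'PSO-ServiceAccounts-NoLockout'

# A PSO overrides Default Domain Policy only for the users/groups it is applied
# to; everyone else keeps the domain lockout. Lower Precedence wins when a user
# falls under several PSOs.
$pso = @{
    Name                            = $psoName
    Precedence                      = 10
    LockoutThreshold                = 0             # 0 = never lock out; duration/window then do not matter
    LockoutDuration                 = '00:30:00'
    LockoutObservationWindow        = '00:30:00'
    # Compensating controls for the missing lockout: a long rotating password
    # that cannot be guessed online at any realistic rate, and no reuse.
    MinPasswordLength               = 30
    ComplexityEnabled               = $true
    MaxPasswordAge                  = '90.00:00:00'
    MinPasswordAge                  = '1.00:00:00'
    PasswordHistoryCount            = 24
    ReversibleEncryptionEnabled     = $false
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @pso

# PSOs apply to users and global security groups, not to OUs. Using a group keeps
# the list of exempted accounts in one auditable place.
New-ADGroup -Name 'SvcAccounts-NoLockout' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Service Accounts,DC=contoso,DC=com'
Add-ADGroupMember -Identity 'SvcAccounts-NoLockout' -Members 'svc_tfs'
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'SvcAccounts-NoLockout'

# Verify what actually governs the account: the winning PSO, or nothing if only
# Default Domain Policy applies.
Get-ADUserResultantPasswordPolicy -Identity 'svc_tfs' |
    Select-Object Name, Precedence, LockoutThreshold, MinPasswordLength, MaxPasswordAge
```

With `LockoutThreshold = 0` nothing throttles password guessing against that one account, which is why the example pairs the exemption with a long, rotating password and why failed logons (events 4771 and 4776) for the exempted accounts deserve an alert of their own.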


Author: Assaf Stone

.NET Developer, Agile enthusiast, Martial Arts (Pakua) practitioner, 41, married, 4 kids and not enough free time to form this as a proper paragraph!

Updated on September 18, 2022

Comments

  • Assaf Stone, over 1 year ago

    My company is running a Windows based domain. The domain has a group policy of locking out a user after several failed log-in attempts, for 5 minutes.

    Unfortunately, this account functions as a service account, and when the account locks out, a major service (Microsoft Team Foundation Server) ceases to function for those 5 minutes.

    According to my IT manager, it is technically impossible to remove the restriction for just one user account, though I suspect that his unwillingness (which I understand) to break policy is the real issue.

    Could you please tell me if, and how to make an exception to the account policy? It seems to me unlikely that it is technically impossible to create exceptions to rules.

    Disclaimer: I'm aware that having a service account that can log on to the system is a bad idea, but I unfortunately inherited this decision, and reversing it will take time.

  • Assaf Stone, about 12 years ago
    I know I have to resolve the "bigger" issue. First things first, I have to make sure that the system is running and not freezing up and stopping 150 developers from working for 5 minutes (at a time).
  • Dan, about 12 years ago
    @AssafStone I know what it's like to diagnose under pressure, but you need to remember that big sweeping policy changes (both technical and procedural) are definitely never the first step. I know people like to push the business-critical angle, but making hacky changes all the time nearly always leads to more issues and longer downtime in the long term. And those hacks never get put right, no matter the intentions of those doing them! But glad I could help, though.
  • Assaf Stone, almost 12 years ago
    Hmmph. Unfortunately it turns out that our domain is 2003. Looks like the IT guy was right for a change...
  • Assaf Stone, almost 12 years ago
    Unfortunately the Managed Service Account doesn't help me with a 2003 server.
  • solefald, over 2 years ago
    There are legitimate use cases for disabling lockout on a single account. A significant number of releases and migrations are not thoroughly tested. And when everyone goes home for the weekend and all hell breaks loose, the people watching your network may not be able to get hold of the responsible parties until Monday, and they have 2 choices: every 15 minutes keep unlocking this obscure account that no one knows about, because it belongs to a legacy application component that everyone forgot even existed, or disable the account lockout until development gets a chance to take a look at it.