Microsoft KB Archive/255550


How to configure account policies in Active Directory

Article ID: 255550

Article Last Modified on 10/30/2006


  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional Edition

This article was previously published under Q255550


This article describes how to configure account policies in the Active Directory directory service. When you configure account policies (such as password policy and account lockout policy) in Active Directory, Microsoft Windows 2000 permits only one domain account policy per domain. Group Policy settings that are associated with one domain do not automatically propagate to the other domains in the forest. To associate Group Policy settings from one domain to another domain, the domains must be explicitly linked.


There is an exception to the Windows 2000 rule that permits only one account policy per domain. You can configure another account policy for an organizational unit. The account policy settings for an organizational unit affect the local policies on computers that are contained in that organizational unit. For example, if a Windows 2000-based workstation is in an organizational unit that is named OU1, an administrator can create a Group Policy object for OU1 and specify account policy settings that are different from those of the default domain policy. In this case, when a user logs on to the domain, the account policy settings from the default domain policy are in place. When a user logs on locally to the Windows 2000-based workstation, the local account policies, as defined by the Group Policy object for OU1, are used.

Note: Because domain controllers do not have local accounts as servers and workstations do, account policies that are defined in the default domain controller's organizational unit have no effect.
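The difference between the two policies can be checked from a workstation by comparing the output of `net accounts` (local accounts) with `net accounts /domain` (domain accounts). The following Python sketch is an added example, not part of the original article; the sample command output, the function names, and the rule for deciding which value is weaker are constructed for illustration.

```python
import re

# Constructed sample of `net accounts /domain` output (domain account policy).
DOMAIN_OUTPUT = """\
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              8
Length of password history maintained:                24
Lockout threshold:                                    5
Computer role:                                        PRIMARY
"""
# Constructed sample of `net accounts` output on a workstation in OU1 (local policy).
LOCAL_OUTPUT = """\
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Computer role:                                        WORKSTATION
"""
# Larger value is stricter for these; "None"/"Never"/"Unlimited" count as 0 (off).
HIGHER_IS_STRICTER = ("Minimum password age (days)", "Minimum password length",
                      "Length of password history maintained")
# Smaller value is stricter for these, except 0, which means the control is off.
LOWER_IS_STRICTER = ("Maximum password age (days)", "Lockout threshold")

def parse(output):
    """Return {setting name: value} from `net accounts` text."""
    pairs = (re.match(r"^(.+?)\??:\s{2,}(\S.*)$", line) for line in output.splitlines())
    return {m.group(1).strip(): m.group(2).strip() for m in pairs if m}

def to_int(value):
    return 0 if value in ("None", "Never", "Unlimited") else int(value)

def weaker_local_settings(local_text, domain_text):
    """List (setting, local, domain) where the local policy is weaker than the domain's."""
    local, domain = parse(local_text), parse(domain_text)
    findings = []
    for name in HIGHER_IS_STRICTER + LOWER_IS_STRICTER:
        if name not in local or name not in domain:
            continue
        loc, dom = to_int(local[name]), to_int(domain[name])
        if name in HIGHER_IS_STRICTER:
            weaker = loc < dom
        else:
            weaker = dom != 0 and (loc == 0 or loc > dom)
        if weaker:
            findings.append((name, local[name], domain[name]))
    return findings
```

Calling `weaker_local_settings(LOCAL_OUTPUT, DOMAIN_OUTPUT)` lists the settings where an organizational unit's Group Policy object has left local accounts with a weaker policy than the domain's.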

For additional information about Domain Security Policy, click the following article number to view the article in the Microsoft Knowledge Base:

221930 Domain security policy in Windows 2000

Note: Domain controllers obtain account policies only from the domain container. This behavior occurs because domain controllers share the domain accounts database, and therefore the policies must be consistent across all domain controllers.

For additional information about Group Policy application rules, click the following article number to view the article in the Microsoft Knowledge Base:

259576 Group Policy application rules for domain controllers

Keywords: kbinfo KB255550