
Thread: Domain password policy issues

  1. #1
    dfresh

    Domain password policy issues

    Hi all, hope you had a good Thanksgiving.

    So my issue is with the Domain Password Policy. I created a policy for our password settings. We applied it a couple days ago and all seemed fine, but it appears we've hit a little snag.

    Since we've applied the new password settings, we have been getting reports that several users are being locked out of the system. The below settings are what was applied:
    =====
    Maximum password age 180 days
    Minimum password age 1 days
    Minimum password length 8 characters

    Account lockout duration 30 minutes
    Account lockout threshold 10 invalid logon attempts
    Reset account lockout counter after 30 minutes

    Interactive logon: Prompt user to change password before expiration 14 days
    =====

    Now several users are calling in stating their account has been locked out. Aside from some users who have services running with their logon account, what other possibilities could cause users to be locked out of the system? Did some digging and a couple users were found to be logged into multiple workstations. Could replication and/or caching be causing some of these issues?

    Thanks & Happy Holidays.
    Doug

  2. #2
    Trammel

    If I am not mistaken, the password policy settings, which are under the computer configuration, are the one exception in Microsoft Group Policy where it affects users. These settings can only be applied with the Default Domain Policy and not a policy created by you.

    This was mentioned in Jeremy's book. Hope this helps.

  3. #3
    dfresh

    Unfortunately I don't have Jeremy's book, which I should probably get. :-)

    However I did end up creating a separate group policy for password settings. I applied the policy at the domain, which is the same as if I changed the Default Domain Policy. The only problem I'm having is with the account lockout settings. I set them to lock out after 10 invalid attempts and locked out for 30 min. Because of this setting there were several users who called our help desk saying that their account was locked out. Our theory for this is users who are logged into multiple workstations or have mapped drives associated with their login session.
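
An added example, not part of the thread: a small Python check that replays failed-logon records against the lockout settings posted above (10 attempts, counter reset after 30 minutes) and reports which source computers contributed to each lockout, which is one way to test the multiple-workstation theory. The records, account names and host names are constructed, and the counter model is a simplification that assumes the input contains failures only (no successful logons in between).

```python
from collections import Counter
from datetime import datetime, timedelta

# Values from the policy posted in the thread.
LOCKOUT_THRESHOLD = 10
RESET_COUNTER_AFTER = timedelta(minutes=30)

def sample_failures():
    """Constructed sample of failed logons: (time, account, source computer)."""
    base = datetime(2024, 1, 8, 9, 0)
    rows = []
    # jsmith mistypes his password twice at his own desk.
    rows += [(base + timedelta(minutes=m), "jsmith", "WS-014") for m in (0, 1)]
    # A second workstation with a stale session retries every 3 minutes.
    rows += [(base + timedelta(minutes=5 + 3 * i), "jsmith", "WS-201")
             for i in range(8)]
    # mjones fails 4 times, 40 minutes apart: the counter resets each time.
    rows += [(base + timedelta(minutes=40 * i), "mjones", "WS-033")
             for i in range(4)]
    return sorted(rows)

def find_lockouts(failures, threshold=LOCKOUT_THRESHOLD,
                  window=RESET_COUNTER_AFTER):
    """Return [(account, lockout time, Counter of sources)] per lockout."""
    state = {}      # account -> (time of last failure, sources in current run)
    lockouts = []
    for when, account, source in sorted(failures):
        last, run = state.get(account, (None, []))
        if last is not None and when - last > window:
            run = []            # window elapsed since last failure: reset
        run = run + [source]
        if len(run) >= threshold:
            lockouts.append((account, when, Counter(run)))
            run = []            # counting starts again after a lockout
        state[account] = (when, run)
    return lockouts

if __name__ == "__main__":
    for account, when, sources in find_lockouts(sample_failures()):
        print(f"{account} locked out at {when:%H:%M}")
        for host, count in sources.most_common():
            print(f"  {count:2d} failures from {host}")
```

In a real domain the same tuples can be taken from the domain controllers' Security log: events 4625 and 4771 record failed logons, and event 4740 records the lockout together with the caller computer name.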
