ARCHIVED: How do I override settings in the Default Domain Policy for my OU?

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

Note: This information is intended for registered local support providers (LSPs) at Indiana University. If you are an IU LSP and have questions regarding this content, email UITS Tier 2 Support; otherwise, contact your campus Support Center.

Blocking the entire Default Domain Policy for your organizational unit (OU) is not advisable. However, a certain setting within the Default Domain Policy can sometimes cause issues within your department. You can create a group policy that will override one or several of those settings.

This example shows an override that changes the policy setting "Account lockout threshold" from 25 invalid logon attempts to 20. Keep in mind that you are not limited to overriding only a single setting in your GPO.

  1. If it is not already installed, install the Group Policy Management Console with Service Pack 1 from this page:
      http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en
  2. From the Start menu, click Programs or All Programs, then Administrative Tools, and then Group Policy Management.
  3. Check the policy setting for Default Domain Policy to make sure you want to change it from its default:
    1. In the left window, navigate to ads.iu.edu and find Default Domain Policy.
    2. In the left window, click Default Domain Policy. In the right window, click the Settings tab.
    3. Locate the particular setting you wish to change. In the example, this is "Account lockout threshold". The path for this is Computer Configuration, then Windows Settings, then Security Settings, then Account Policies, then Account Lockout Policy, and then Account lockout threshold. Note that the setting is "25 invalid logon attempts", which, for this example, will change to 20.

  4. In the left window, navigate to the OU for which you wish to override the Default Domain Policy. This can be at your main OU, or one of your sub-OUs.
  5. Right-click your chosen OU, and select Create and Link a GPO Here....
  6. Name the GPO. It should follow the standard naming convention of campus-department-name_of_policy, for example:
      IU-LSPS-number_of_invalid_logon_attempts
  7. Once it's created, right-click the GPO in the left window, and select Edit....
  8. In the Group Policy Object Editor for your newly created GPO, drill down to the policy setting you want to change.

    In the example, the path is Computer Configuration, then Windows Settings, then Security Settings, then Account Policies, and then Account Lockout Policy. In the right window, you should see the setting for Account lockout threshold.

  9. In the right window, right-click Account lockout threshold and select Properties.
  10. Make sure Define this policy setting is checked, change the value in the box to 20, and then click OK.
  11. Close the Group Policy Object Editor window, and then close the Group Policy Management Console window.

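Your settings will affect every computer in the OU to which the change is applied. To apply the settings to a subset of computers in the OU, you will need to modify the Security Filtering and/or WMI Filtering for your Group Policy Object. Note that account policy settings (such as Account lockout threshold) in a GPO linked to an OU apply to the local accounts on the computers in that OU; lockout for domain accounts continues to follow the policy set at the domain level.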
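To confirm the override from the steps above took effect, the following PowerShell check can be run afterward. It is an added example, not part of the original article; the OU path is a hypothetical placeholder, and the layout of the XML report is an assumption noted in the comments.

```powershell
# Added example, not from the original article. Run parts 1 and 2 from a
# workstation with the GroupPolicy module (installed with GPMC / RSAT).
Import-Module GroupPolicy

$GpoName  = 'IU-LSPS-number_of_invalid_logon_attempts'  # example name from step 6
$TargetOU = 'OU=ExampleDept,DC=ads,DC=iu,DC=edu'         # hypothetical OU path
$Expected = 20                                           # value set in step 10

# 1. Confirm the GPO itself defines the threshold. Assumption: the XML report
#    lists security settings as Account elements with Name and SettingNumber.
[xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
$xpath = "//*[local-name()='Account'][*[local-name()='Name']='LockoutBadCount']" +
         "/*[local-name()='SettingNumber']"
$node = $report.SelectSingleNode($xpath)
if (-not $node) {
    Write-Warning "'$GpoName' does not define Account lockout threshold."
} elseif ([int]$node.InnerText -ne $Expected) {
    Write-Warning "'$GpoName' sets the threshold to $($node.InnerText), expected $Expected."
} else {
    Write-Output "GPO defines Account lockout threshold = $Expected."
}

# 2. Confirm the new GPO outranks Default Domain Policy at the OU.
#    InheritedGpoLinks is ordered by precedence, winning link first, so an
#    enforced domain link or a disabled OU link shows up here.
$links = @((Get-GPInheritance -Target $TargetOU).InheritedGpoLinks |
    Where-Object { $_.Enabled })
$names   = @($links | ForEach-Object { $_.DisplayName })
$mine    = [array]::IndexOf($names, $GpoName)
$default = [array]::IndexOf($names, 'Default Domain Policy')
if ($mine -lt 0) {
    Write-Warning "'$GpoName' is not linked (or its link is disabled) for $TargetOU."
} elseif ($default -ge 0 -and $default -lt $mine) {
    Write-Warning "Default Domain Policy takes precedence here; check for an enforced link."
} else {
    Write-Output "'$GpoName' takes precedence over Default Domain Policy at $TargetOU."
}

# 3. On a computer in the OU, after 'gpupdate /force', read the applied value.
#    'net accounts' reports that computer's local account policy and prints a
#    line such as "Lockout threshold:   20" (English-language Windows).
$line = net accounts | Select-String -Pattern 'Lockout threshold'
Write-Output "Applied on $($env:COMPUTERNAME): $line"
```

Part 3 must be run on a member computer inside the OU, not on the administrative workstation, because it reads the policy that computer has actually applied.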

This is document attx in the Knowledge Base.
Last modified on 2021-09-07 17:15:03.