I've recently changed our organization's computer lock timeout from 90 minutes to just 10 minutes, and, predictably, this caused some frustration. To remedy this, I've created a separate rule for a specific group of users to exempt them from being locked out so quickly. However, they are still getting locked out after 10 minutes! I enforced the new rule because I know the original one applies to all authenticated users. This is my first real dive into Group Policy Management since I usually handle server and network issues. Any advice on what I might be missing here would be really helpful! Also, just an update: my testing computer is now timing out at over 18 minutes, so maybe I'm on the right track?
3 Answers
First, check to confirm that both policies are being applied to the machine. You can do this with `gpresult /r` as a general user or `gpresult /r /scope:computer` from an elevated command prompt. If you only see the new policy, it might indicate a replication problem or that the old policy has tattooed your settings, which could prevent the new policy from being applied correctly.
Just a heads-up, 'Enforced' might not do what you think it does. GPOs are applied bottom-up based on link order in the OU, so a GPO with a lower link order number will take precedence over one with a higher number.
I think I'm starting to get this with my current test. I'm at 16:50 with no lockout! Sorry if my question seemed silly; I've just been overloaded with other issues. Thanks for your insight!
Actually, it sounds like you're right on track! Just remember that if the conflicting GPOs are in the same OU, the 'enforced' setting might not work as you expect.
Try running `gpresult /h` on the affected machines to see which policies are actually applying. Double-check their OU location to ensure the right policy is targeted, or consider denying the original policy for those specific users.
I might have figured it out! My test computer is up to 15:38 now without a lockout. I linked it to the specific groups where those users are. If it doesn't work, I'll definitely try what you suggested.
I think you're right; I was trying to create a new policy in a spot where one already existed. Now that I've linked the policy to specific groups, it seems to be working correctly!
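As an added example (not code from any poster in this thread), the following PowerShell lists every GPO that reaches an OU in precedence order, with its Enforced flag and the trustees allowed to apply it, then writes a resultant-set report for the local machine. It assumes the GroupPolicy module (RSAT) is installed; the OU distinguished name and the report path are placeholders.

```powershell
Import-Module GroupPolicy

# Assumption: placeholder DN. Set it to the OU that holds the test computer or user.
$TargetOu = 'OU=Workstations,DC=example,DC=com'

$som = Get-GPInheritance -Target $TargetOu
"Inheritance blocked on this OU: $($som.GpoInheritanceBlocked)"

# InheritedGpoLinks is the merged list of links reaching this OU.
# Order 1 is processed last and therefore wins on conflicting settings.
$rows = foreach ($link in ($som.InheritedGpoLinks | Sort-Object Order)) {
    # Trustees holding "Apply group policy" form the security filter of the GPO.
    $appliesTo = Get-GPPermission -Guid $link.GpoId -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }

    [pscustomobject]@{
        Precedence = $link.Order
        Gpo        = $link.DisplayName
        LinkedAt   = $link.Target
        Enabled    = $link.Enabled
        Enforced   = $link.Enforced
        AppliesTo  = $appliesTo -join ', '
    }
}
$rows | Format-Table -AutoSize -Wrap

# Resultant set of policy for the current user on this machine, as an HTML report.
# Assumption: placeholder output path; run elevated to include computer settings.
Get-GPResultantSetOfPolicy -ReportType Html -Path "$env:TEMP\rsop.html"
```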