Question : Account lockout policy

Here is my problem. I first had my AD set up so that my account lockout policy was at the domain level. It was set to a 30 min lockout if done 5 times. Then I realized that I needed to not have a lockout policy for one of my users. I put that user in an OU and gave it the 0 lockout, which makes it so that it won't lock out. I did the block inheritance on this, but it was still locking out the account after 5 login attempts. Then I went to the domain and took off the lockout for everyone; I made it so that it was not defined anymore on all three selections under the account lockout. I then made the OU that I put the user in define 0 for lockout so that it wouldn't lock out. Now there is no policy defined anywhere that will lock out a machine, and it still locks out that user after 5 times. I don't understand it. Please, someone help.

Answer : Account lockout policy


The ability to apply Account security settings in a Domain is more restrictive than it first appears.

You can override some of those security options by applying another security policy to specific Computer Accounts (all security settings are part of the Computer Configuration).

The Default Domain Policy is a bit of an exception to this because there's a hack (for want of a better description) in place to allow those settings to apply to user accounts.

Basically, this one is odd by design.

The most practical solution would be to turn off Account Lockout entirely - although that in itself presents a pretty huge security risk - opening up user accounts to the possibility of direct brute-force password cracking. Account lockout renders that method useless by vastly increasing the amount of time required.

The best solution would be not to have the same account used by hundreds of people.
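
One way to check which lockout settings actually apply to the account, as an added example that is not part of the original answer. It assumes the ActiveDirectory PowerShell module (RSAT) is available; `svc-shared` is a hypothetical account name and `Get-EffectiveLockoutPolicy` is a helper defined here.

```powershell
# Added example: report the lockout settings a domain account is really subject to,
# independent of what any OU-linked GPO claims to configure.
Import-Module ActiveDirectory

function Get-EffectiveLockoutPolicy {
    param(
        [Parameter(Mandatory)]
        [string] $SamAccountName   # account to inspect
    )

    # Lockout values stored on the domain itself; domain controllers
    # enforce these for domain accounts.
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy

    # Returns a password settings object only if one applies to this user;
    # otherwise returns nothing and the domain values are in effect.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName

    if ($pso) {
        $source    = "Password settings object: $($pso.Name)"
        $effective = $pso
    } else {
        $source    = 'Domain-level policy'
        $effective = $domainPolicy
    }

    # Current lockout state of the account, as seen by the DC that answers the query.
    $user = Get-ADUser -Identity $SamAccountName `
        -Properties LockedOut, BadLogonCount, LastBadPasswordAttempt

    [pscustomobject]@{
        User                     = $user.SamAccountName
        DistinguishedName        = $user.DistinguishedName   # shows which OU the account sits in
        PolicySource             = $source
        LockoutThreshold         = $effective.LockoutThreshold   # 0 means the account never locks
        LockoutDuration          = $effective.LockoutDuration
        LockoutObservationWindow = $effective.LockoutObservationWindow
        LockedOut                = $user.LockedOut
        BadLogonCount            = $user.BadLogonCount           # per-DC value, not replicated
        LastBadPasswordAttempt   = $user.LastBadPasswordAttempt
    }
}

# 'svc-shared' is a hypothetical account name; substitute the affected user.
Get-EffectiveLockoutPolicy -SamAccountName 'svc-shared' | Format-List
```

If `PolicySource` reports the domain-level policy with a non-zero `LockoutThreshold`, the OU-linked GPO is not what governs the account.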