Account policies are the rules that control three major account authentication features: password configuration, account lockout, and Kerberos authentication.

  • Password policy. For local user accounts, determines password settings such as enforcement and lifetimes.

  • Account lockout policy. For local user accounts, determines when and for whom an account will be locked out of the system.

  • Kerberos policy. Kerberos authentication is the primary authentication mechanism used in an Active Directory domain.
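
As an added illustration (not part of the original page), the following Python groups the settings from a security template exported with `secedit /export /cfg` into the three policy areas above and reports the ones that fail a baseline. The sample export is constructed, and the thresholds in `CHECKS` are an assumed example baseline, not values from this page.

```python
import configparser

# Constructed sample in the INF format written by `secedit /export /cfg out.inf`
# (values are illustrative, not taken from a real system).
SAMPLE_INF = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 0
PasswordHistorySize = 24
LockoutBadCount = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxClockSkew = 5
"""

# Setting name -> (policy area, check). Thresholds are an assumed baseline.
CHECKS = {
    "MinimumPasswordLength": ("password", lambda v: v >= 14),
    "PasswordComplexity":    ("password", lambda v: v == 1),
    "PasswordHistorySize":   ("password", lambda v: v >= 24),
    "MaximumPasswordAge":    ("password", lambda v: 0 < v <= 365),  # -1 = never expires
    "LockoutBadCount":       ("lockout",  lambda v: 0 < v <= 10),   # 0 = never lock out
    "MaxTicketAge":          ("kerberos", lambda v: 0 < v <= 10),   # hours
    "MaxClockSkew":          ("kerberos", lambda v: v <= 5),        # minutes
}

def audit(inf_text):
    """Return {area: [(setting, value), ...]} for settings that fail the baseline."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep the key case used in the export
    cp.read_string(inf_text)
    findings = {"password": [], "lockout": [], "kerberos": []}
    for section in ("System Access", "Kerberos Policy"):
        if not cp.has_section(section):
            continue  # e.g. no Kerberos section in the export
        for key, raw in cp.items(section):
            value = raw.strip()
            if key in CHECKS and value.lstrip("-").isdigit():
                area, ok = CHECKS[key]
                if not ok(int(value)):
                    findings[area].append((key, int(value)))
    return findings

if __name__ == "__main__":
    for area, items in audit(SAMPLE_INF).items():
        print(area, items or "ok")
```

A real export is usually UTF-16 encoded, so decode the file accordingly before passing its text to `audit`.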

When user accounts are created, multiple options are available to control how those accounts are used. Templates can be created to provide a more automated way to create accounts with similar features. Accounts can also be modified individually by opening their properties and making changes.

Account policies can be applied to user accounts in domains, organizational units, trees, and so forth, and there is a hierarchical structure to these policies:

  • Domain policies take precedence over Active Directory object policies.

  • Organizational unit policies take precedence over Domain policies.

  • Root domain policies take precedence over all policies.