Account Lockout Policy cannot be changed and is greyed out

I received an email overnight asking about greyed out settings in the local security policy on a newly installed Windows Server 2003 machine. In my group policy session on Tuesday, I was talking around this whole area, and the reason for it is related to probably one of the most commonly misunderstood concepts I find when talking to customers about Group Policy. If you attend just about any sessions on Group Policy, the presenter will tell you that there is only one password policy in a domain. Even if you scope a Group Policy Object (GPO) to an OU which defines password policy, that GPO is affecting local password policy rather than domain level passwords. This is exactly the same with Account Lockout Policy.

So, for example: Start with a freshly installed standalone server running in a workgroup, rather than being domain joined. Run secpol.msc (shortcut for Local Security Policy under Administrative tools). Drill down into Account Policies/Account Lockout Policy and double click Account Lockout Threshold. You will be able to define an appropriate value. However, once you join that machine to a domain, it will now be under the influence of Group Policy. In a default AD installation, you will be picking up settings from the Default Domain Policy. If there is another GPO scoped to the OU containing the computer account also setting the Account Policies, this will override the default domain policy and will be seen through secpol.msc on the member server. Due to the policy coming from Group Policy, you cannot override these settings. You will also note if you look very carefully that the icon for the policy setting changes to a "pair of servers with a scroll" icon indicating that this is from Group Policy. When it was a standalone server, the icon would have been the binary 0's and 1's.