Is there an ADUC setting that can prevent certain user accounts from locking out, particularly after x number of failed logon attempts?
Oh and our DC is on Server 2003 at the moment, but we also use Server 2008 DC's in other environments.
Windows – How to Prevent Active Directory Account from Locking Out
active-directorywindows
Related Solutions
As your usernames are the same, this is going to be a problem. Outlook will first attempt single sign-on by using the currently logged in user's credentials. As the username matches that as the one in the other forest, you are going to get account lockouts when the passwords do not match.
Ideally, you would create a trust relationship between forests and then give your users Full Access to the mailboxes in the Exchange forest.
If that is not possibly, you could try forcing Outlook to prompt for logon credentials every time it is opened by checking the box below (Advanced settings on the mailbox setup in Outlook).
I guess a last option would be to rename the accounts (or use a different UPN) in one of the domains.
If your auditing policy is set to only log successful events, you will only get successful events. Change your auditing policy to log logon failures as well, then look at these Microsoft tools to help you troubleshoot the lockout issue.
Best Answer
You can do it but you still need a GPO. Create a GPO that has the necessary settings, then eliminate the "apply group policy" right from the ACL. Create a group that you want to have eliminated from password lockouts, add your user(s) to the group, and assign that group the "apply group policy" right for your GPO.
Remember that GPOs are applied in the following order:
Local Site Domain OU
so be sure to apply your new GPO at the correct level so it's not stomped on by something below it.