To get rid of the account lockout problem that happens due to an account being configured on Android or iOS devices, I am thinking of segregating such users from the regular accounts that are normally used to log in to the domain through a computer account. Probably we can enable "password never expires" for such accounts and disable their login to all computers (default setting). I am not sure if there are other GPO settings that can put more restrictions on those user accounts. I do believe this may reduce the security risk of compromising a regular account that is a member of the local Administrators group on their respective computers.
Has anyone done that? I believe it is already implemented by many. If anyone can share their experience or points that need to be considered, it would be really great!