Archived from groups: microsoft.public.win2000.active_directory (
More info?)
It turned out my Default Domain Policy was corrupt. I used recreateDefPol.exe
(Windows 2000 Server only, same as dcgpofix.exe) to repair it and now it
works fine. Thanks for all the help, I really appreciate it.
"Mohammed A. Raslan" wrote:
> I guess you have a corrputed Default Domain Policy files. What is your
> domain? Windows 2000 or Windows 2003?, and how many DC do you have?
>
> i suggest that you first create a system state backup (just in case), then
> delete your Default Domain Policy. when you try to delete it you will be
> asked to remove the link or delete it entirely, well it's better to only
> remove the link at this point, then if there is no other GPO's on the
> domain, create a new one but name it anything other than "Default Domain
> Policy" for example "My Default Policy" and set the password options you
> want in it.
>
> After that try to run from the domain controller itself the command "secedit
> /refreshpolicy machine_policy /enforce" if its a Windows2000 DC, or
> "gpupdate
> /force" if its a Windows2003 DC. if you have multiple DC's then first wait
> for
> about 10 mins then issue that command on them all. If you can restart
> the DC, it would be better and you will not need to run these commands
>
> After that open AD Users & Computers and create a test account and try
> playing with its password length and reset it to wrong and right values and
> see if it working.
>
> i'm sorry about the 90 min thing, it was related to something else, its how
> long
> client computers refresh thier policy from the domain, its not related to
> your problem, yours is with the domain controller not the clients
>
> When you open the domain properties and click on the new button to create a
> GPO, you usualy create and link a GPO to the domain at the same time,
> however in some situations you can or might want to create a GPO without
> linking it to the domain. so its there but with no effect.
>
> Try it and tell me, Hope this will work
> Yours truly,
> Mohammed A. Raslan
> Systems Engineer / Consultant
> MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
> Mobile: +20 (12) 36 26 112 / +965 978 1969
> E-Mail: m_raslan@link.net.removethis
>
>
> "MittonE" <eugenem@transcircuit.com(Do not Spam)> wrote in message
> news:0A6491AF-C78C-48EA-92D3-035B67746828@microsoft.com...
> > Hey Mohammed
> >
> > Thanks for the feedback.
> >
> > I logged on to the DC as the Domain Administrator and when I go to AD
> Users
> > And Computers, Domain Properties, Group Policy, Default Domain Policy,
> > Computer Configuration, Windows Setting, Security Settings, I only have
> > Public Key Policies and IP Security Policies on AD. There is no Account
> > Policies, Local Policies etc.
> >
> > You said, if I create a new GPO I should link it to the Domain. How do I
> do
> > this, I thought if it is created in the same place as the Deafault Domain
> > Policy it should go out to the whole Domain.
> >
> > I also did wait for more than 90 minutes but nothing happened.
> >
> > If I go to the Default Domain Policy Properties, under Security I have my
> > name with Full Control. Under Links, if I click Find Now, it only shows my
> > Domain.
> >
> >
> >
> > "Mohammed A. Raslan" wrote:
> >
> > > You where in the right place, its in the "Default Domain Policy" >
> "Computer
> > > Configuration" > "Windows Settings" > "Security Settings" > "Account
> > > Policies" > "Password Policies"
> > > You should be able to change it if you are using the administrator
> account.
> > >
> > > You can change the password settings in the "Default Domain Policy" or
> even
> > > create a new GPO, however, note that if you create a new one, it must be
> > > linked to the domain (not to OUs or any other type of containers), and
> it
> > > must be on the top of the list of the GPO's linked to the domain (there
> as
> > > special cases but it's better that way).
> > >
> > > Another thing is that you must refresh the computer policy on all
> clients
> > > for the policy to take effect, you can either restart all machines in
> the
> > > domain or wait for about 90mins or run "Secedit /refreshpolicy
> > > machine_policy /enforce" from Windows2000 machines and "gpupdate
> > > /target:computer /force" from Windows XP and Windows 2003 servers
> > >
> > > --
> > > Yours truly,
> > > Mohammed A. Raslan
> > > Systems Engineer / Consultant
> > > MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
> > > Mobile: +20 (12) 36 26 112 / +965 978 1969
> > > E-Mail: m_raslan@link.net.removethis
> > >
> > >
> > > "MittonE" <eugenem@transcircuit.com(Do not Spam)> wrote in message
> > > news:CA544896-FFEC-4859-A1EF-4C73B7F078BB@microsoft.com...
> > > > I have been trying to set up the Password Policy for a few days now,
> but I
> > > > just can’t get it to work. I’ll just explain what I’m doing and maybe
> > > someone
> > > > can give me some pointers.
> > > >
> > > > When I right click on our Domain in AD Users and Computers, Click
> > > Properties
> > > > and then select the Group Policy tab, I only have Default Domain
> Policy.
> > > >
> > > > First of all, should I be able to change settings in this Policy, like
> > > when
> > > > I edit it, go into Computer Configuration, Windows Setting, Security
> > > > Settings. Should I find the Account Policies – Password Policy in
> there or
> > > is
> > > > the Default Domain Policy not for these types of things. I can also
> not
> > > > expand the Administrative Templates. I am thinking that b/c this is a
> > > Default
> > > > Policy, I am not able to change it. Or could it be that I do not have
> the
> > > > permissions to change it.
> > > >
> > > > Secondly, in the Group Policy tab, I click New and create a new Policy
> > > > called Password Policy. I edit it and go to Computer Configuration,
> > > Windows
> > > > Settings, Security Settings, Account Policies and in Password Policy I
> > > change
> > > > all the Setting to what I want. When I go to a test user created in
> the
> > > Users
> > > > OU, I set the Account to change Password at next logon. However, when
> I
> > > log
> > > > in as this User, I can change the Password to 123 or anything else. I
> also
> > > > try and change the Password for a user I created in a OU I created
> > > manually
> > > > but still no Policy enforcement.
> > > >
> > > > This whole thing is driving me crazy. If anyone could just help me and
> > > tell
> > > > me where to set this Password Policy, and in what way.
> > > >
> > > > Any help would be much Appreciated.
> > > >
> > > > Thanks
> > > >
> > > >
> > > >
> > >
> > >
> > >
>
>
>
>
Facebook
Twitter
Instagram