Sign in with
Sign up | Sign in
Your question

Group Policy

Last response: in Windows 2000/NT
Share
Anonymous
December 7, 2004 2:09:01 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I have been trying to set up the Password Policy for a few days now, but I
just can’t get it to work. I’ll just explain what I’m doing and maybe someone
can give me some pointers.

When I right click on our Domain in AD Users and Computers, Click Properties
and then select the Group Policy tab, I only have Default Domain Policy.

First of all, should I be able to change settings in this Policy, like when
I edit it, go into Computer Configuration, Windows Setting, Security
Settings. Should I find the Account Policies – Password Policy in there or is
the Default Domain Policy not for these types of things. I can also not
expand the Administrative Templates. I am thinking that b/c this is a Default
Policy, I am not able to change it. Or could it be that I do not have the
permissions to change it.

Secondly, in the Group Policy tab, I click New and create a new Policy
called Password Policy. I edit it and go to Computer Configuration, Windows
Settings, Security Settings, Account Policies and in Password Policy I change
all the Setting to what I want. When I go to a test user created in the Users
OU, I set the Account to change Password at next logon. However, when I log
in as this User, I can change the Password to 123 or anything else. I also
try and change the Password for a user I created in a OU I created manually
but still no Policy enforcement.

This whole thing is driving me crazy. If anyone could just help me and tell
me where to set this Password Policy, and in what way.

Any help would be much Appreciated.

Thanks

More about : group policy

Anonymous
December 7, 2004 6:19:31 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

You should be able to modify Default domain policy...
And you should be able to find things described in that policy
(security, admin templates etc.)

I have read about tool Dcgpofix.exe that restores Default Domain policy
back to it's original state, maybe that could help you. I have never
personally tested it, so better try it in your test environment before
applying it into your "real" domain.

And about your password policy, have you looked "security" -tab? There
should be "read" and "apply group policy" rights for group
"authenticated users"

Hope this helps.
J.M.N



--
J.M.N
------------------------------------------------------------------------
Posted via http://www.mcse.ms
------------------------------------------------------------------------
View this thread: http://www.mcse.ms/message1271781.html
Anonymous
December 7, 2004 7:19:23 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

You should be able to modify Default domain policy...
And you should be able to find things described in that policy
(security, admin templates etc.)

I have read about tool Dcgpofix.exe that restores Default Domain policy
back to it's original state, maybe that could help you. I have never
personally tested it, so better try it in your test environment before
applying it into your "real" domain.

And about your password policy, have you looked "security" -tab? There
should be "read" and "apply group policy" rights for group
"authenticated users"

Hope this helps.
J.M.N



--
J.M.N
------------------------------------------------------------------------
Posted via http://www.mcse.ms
------------------------------------------------------------------------
View this thread: http://www.mcse.ms/message1271781.html
Related resources
Anonymous
December 7, 2004 9:59:08 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

The recreateDefPol.exe file work perfectly. Just extracted it to a folder on
the DC and ran the file. Had to log out and back in for it to take effect and
fixed everthing. Did not have a test domain but now you can know it works OK.
Thanks for the help.


"J.M.N" wrote:

>
> You should be able to modify Default domain policy...
> And you should be able to find things described in that policy
> (security, admin templates etc.)
>
> I have read about tool Dcgpofix.exe that restores Default Domain policy
> back to it's original state, maybe that could help you. I have never
> personally tested it, so better try it in your test environment before
> applying it into your "real" domain.
>
> And about your password policy, have you looked "security" -tab? There
> should be "read" and "apply group policy" rights for group
> "authenticated users"
>
> Hope this helps.
> J.M.N
>
>
>
> --
> J.M.N
> ------------------------------------------------------------------------
> Posted via http://www.mcse.ms
> ------------------------------------------------------------------------
> View this thread: http://www.mcse.ms/message1271781.html
>
>
Anonymous
December 7, 2004 4:48:25 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

You where in the right place, its in the "Default Domain Policy" > "Computer
Configuration" > "Windows Settings" > "Security Settings" > "Account
Policies" > "Password Policies"
You should be able to change it if you are using the administrator account.

You can change the password settings in the "Default Domain Policy" or even
create a new GPO, however, note that if you create a new one, it must be
linked to the domain (not to OUs or any other type of containers), and it
must be on the top of the list of the GPO's linked to the domain (there as
special cases but it's better that way).

Another thing is that you must refresh the computer policy on all clients
for the policy to take effect, you can either restart all machines in the
domain or wait for about 90mins or run "Secedit /refreshpolicy
machine_policy /enforce" from Windows2000 machines and "gpupdate
/target:computer /force" from Windows XP and Windows 2003 servers

--
Yours truly,
Mohammed A. Raslan
Systems Engineer / Consultant
MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
Mobile: +20 (12) 36 26 112 / +965 978 1969
E-Mail: m_raslan@link.net.removethis


"MittonE" <eugenem@transcircuit.com(Do not Spam)> wrote in message
news:CA544896-FFEC-4859-A1EF-4C73B7F078BB@microsoft.com...
> I have been trying to set up the Password Policy for a few days now, but I
> just can’t get it to work. I’ll just explain what I’m doing and maybe
someone
> can give me some pointers.
>
> When I right click on our Domain in AD Users and Computers, Click
Properties
> and then select the Group Policy tab, I only have Default Domain Policy.
>
> First of all, should I be able to change settings in this Policy, like
when
> I edit it, go into Computer Configuration, Windows Setting, Security
> Settings. Should I find the Account Policies – Password Policy in there or
is
> the Default Domain Policy not for these types of things. I can also not
> expand the Administrative Templates. I am thinking that b/c this is a
Default
> Policy, I am not able to change it. Or could it be that I do not have the
> permissions to change it.
>
> Secondly, in the Group Policy tab, I click New and create a new Policy
> called Password Policy. I edit it and go to Computer Configuration,
Windows
> Settings, Security Settings, Account Policies and in Password Policy I
change
> all the Setting to what I want. When I go to a test user created in the
Users
> OU, I set the Account to change Password at next logon. However, when I
log
> in as this User, I can change the Password to 123 or anything else. I also
> try and change the Password for a user I created in a OU I created
manually
> but still no Policy enforcement.
>
> This whole thing is driving me crazy. If anyone could just help me and
tell
> me where to set this Password Policy, and in what way.
>
> Any help would be much Appreciated.
>
> Thanks
>
>
>
Anonymous
December 7, 2004 4:48:26 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hey Mohammed

Thanks for the feedback.

I logged on to the DC as the Domain Administrator and when I go to AD Users
And Computers, Domain Properties, Group Policy, Default Domain Policy,
Computer Configuration, Windows Setting, Security Settings, I only have
Public Key Policies and IP Security Policies on AD. There is no Account
Policies, Local Policies etc.

You said, if I create a new GPO I should link it to the Domain. How do I do
this, I thought if it is created in the same place as the Deafault Domain
Policy it should go out to the whole Domain.

I also did wait for more than 90 minutes but nothing happened.

If I go to the Default Domain Policy Properties, under Security I have my
name with Full Control. Under Links, if I click Find Now, it only shows my
Domain.



"Mohammed A. Raslan" wrote:

> You where in the right place, its in the "Default Domain Policy" > "Computer
> Configuration" > "Windows Settings" > "Security Settings" > "Account
> Policies" > "Password Policies"
> You should be able to change it if you are using the administrator account.
>
> You can change the password settings in the "Default Domain Policy" or even
> create a new GPO, however, note that if you create a new one, it must be
> linked to the domain (not to OUs or any other type of containers), and it
> must be on the top of the list of the GPO's linked to the domain (there as
> special cases but it's better that way).
>
> Another thing is that you must refresh the computer policy on all clients
> for the policy to take effect, you can either restart all machines in the
> domain or wait for about 90mins or run "Secedit /refreshpolicy
> machine_policy /enforce" from Windows2000 machines and "gpupdate
> /target:computer /force" from Windows XP and Windows 2003 servers
>
> --
> Yours truly,
> Mohammed A. Raslan
> Systems Engineer / Consultant
> MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
> Mobile: +20 (12) 36 26 112 / +965 978 1969
> E-Mail: m_raslan@link.net.removethis
>
>
> "MittonE" <eugenem@transcircuit.com(Do not Spam)> wrote in message
> news:CA544896-FFEC-4859-A1EF-4C73B7F078BB@microsoft.com...
> > I have been trying to set up the Password Policy for a few days now, but I
> > just can’t get it to work. I’ll just explain what I’m doing and maybe
> someone
> > can give me some pointers.
> >
> > When I right click on our Domain in AD Users and Computers, Click
> Properties
> > and then select the Group Policy tab, I only have Default Domain Policy.
> >
> > First of all, should I be able to change settings in this Policy, like
> when
> > I edit it, go into Computer Configuration, Windows Setting, Security
> > Settings. Should I find the Account Policies – Password Policy in there or
> is
> > the Default Domain Policy not for these types of things. I can also not
> > expand the Administrative Templates. I am thinking that b/c this is a
> Default
> > Policy, I am not able to change it. Or could it be that I do not have the
> > permissions to change it.
> >
> > Secondly, in the Group Policy tab, I click New and create a new Policy
> > called Password Policy. I edit it and go to Computer Configuration,
> Windows
> > Settings, Security Settings, Account Policies and in Password Policy I
> change
> > all the Setting to what I want. When I go to a test user created in the
> Users
> > OU, I set the Account to change Password at next logon. However, when I
> log
> > in as this User, I can change the Password to 123 or anything else. I also
> > try and change the Password for a user I created in a OU I created
> manually
> > but still no Policy enforcement.
> >
> > This whole thing is driving me crazy. If anyone could just help me and
> tell
> > me where to set this Password Policy, and in what way.
> >
> > Any help would be much Appreciated.
> >
> > Thanks
> >
> >
> >
>
>
>
Anonymous
December 7, 2004 8:43:48 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I guess you have a corrputed Default Domain Policy files. What is your
domain? Windows 2000 or Windows 2003?, and how many DC do you have?

i suggest that you first create a system state backup (just in case), then
delete your Default Domain Policy. when you try to delete it you will be
asked to remove the link or delete it entirely, well it's better to only
remove the link at this point, then if there is no other GPO's on the
domain, create a new one but name it anything other than "Default Domain
Policy" for example "My Default Policy" and set the password options you
want in it.

After that try to run from the domain controller itself the command "secedit
/refreshpolicy machine_policy /enforce" if its a Windows2000 DC, or
"gpupdate
/force" if its a Windows2003 DC. if you have multiple DC's then first wait
for
about 10 mins then issue that command on them all. If you can restart
the DC, it would be better and you will not need to run these commands

After that open AD Users & Computers and create a test account and try
playing with its password length and reset it to wrong and right values and
see if it working.

i'm sorry about the 90 min thing, it was related to something else, its how
long
client computers refresh thier policy from the domain, its not related to
your problem, yours is with the domain controller not the clients

When you open the domain properties and click on the new button to create a
GPO, you usualy create and link a GPO to the domain at the same time,
however in some situations you can or might want to create a GPO without
linking it to the domain. so its there but with no effect.

Try it and tell me, Hope this will work
Yours truly,
Mohammed A. Raslan
Systems Engineer / Consultant
MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
Mobile: +20 (12) 36 26 112 / +965 978 1969
E-Mail: m_raslan@link.net.removethis


"MittonE" <eugenem@transcircuit.com(Do not Spam)> wrote in message
news:0A6491AF-C78C-48EA-92D3-035B67746828@microsoft.com...
> Hey Mohammed
>
> Thanks for the feedback.
>
> I logged on to the DC as the Domain Administrator and when I go to AD
Users
> And Computers, Domain Properties, Group Policy, Default Domain Policy,
> Computer Configuration, Windows Setting, Security Settings, I only have
> Public Key Policies and IP Security Policies on AD. There is no Account
> Policies, Local Policies etc.
>
> You said, if I create a new GPO I should link it to the Domain. How do I
do
> this, I thought if it is created in the same place as the Deafault Domain
> Policy it should go out to the whole Domain.
>
> I also did wait for more than 90 minutes but nothing happened.
>
> If I go to the Default Domain Policy Properties, under Security I have my
> name with Full Control. Under Links, if I click Find Now, it only shows my
> Domain.
>
>
>
> "Mohammed A. Raslan" wrote:
>
> > You where in the right place, its in the "Default Domain Policy" >
"Computer
> > Configuration" > "Windows Settings" > "Security Settings" > "Account
> > Policies" > "Password Policies"
> > You should be able to change it if you are using the administrator
account.
> >
> > You can change the password settings in the "Default Domain Policy" or
even
> > create a new GPO, however, note that if you create a new one, it must be
> > linked to the domain (not to OUs or any other type of containers), and
it
> > must be on the top of the list of the GPO's linked to the domain (there
as
> > special cases but it's better that way).
> >
> > Another thing is that you must refresh the computer policy on all
clients
> > for the policy to take effect, you can either restart all machines in
the
> > domain or wait for about 90mins or run "Secedit /refreshpolicy
> > machine_policy /enforce" from Windows2000 machines and "gpupdate
> > /target:computer /force" from Windows XP and Windows 2003 servers
> >
> > --
> > Yours truly,
> > Mohammed A. Raslan
> > Systems Engineer / Consultant
> > MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
> > Mobile: +20 (12) 36 26 112 / +965 978 1969
> > E-Mail: m_raslan@link.net.removethis
> >
> >
> > "MittonE" <eugenem@transcircuit.com(Do not Spam)> wrote in message
> > news:CA544896-FFEC-4859-A1EF-4C73B7F078BB@microsoft.com...
> > > I have been trying to set up the Password Policy for a few days now,
but I
> > > just can’t get it to work. I’ll just explain what I’m doing and maybe
> > someone
> > > can give me some pointers.
> > >
> > > When I right click on our Domain in AD Users and Computers, Click
> > Properties
> > > and then select the Group Policy tab, I only have Default Domain
Policy.
> > >
> > > First of all, should I be able to change settings in this Policy, like
> > when
> > > I edit it, go into Computer Configuration, Windows Setting, Security
> > > Settings. Should I find the Account Policies – Password Policy in
there or
> > is
> > > the Default Domain Policy not for these types of things. I can also
not
> > > expand the Administrative Templates. I am thinking that b/c this is a
> > Default
> > > Policy, I am not able to change it. Or could it be that I do not have
the
> > > permissions to change it.
> > >
> > > Secondly, in the Group Policy tab, I click New and create a new Policy
> > > called Password Policy. I edit it and go to Computer Configuration,
> > Windows
> > > Settings, Security Settings, Account Policies and in Password Policy I
> > change
> > > all the Setting to what I want. When I go to a test user created in
the
> > Users
> > > OU, I set the Account to change Password at next logon. However, when
I
> > log
> > > in as this User, I can change the Password to 123 or anything else. I
also
> > > try and change the Password for a user I created in a OU I created
> > manually
> > > but still no Policy enforcement.
> > >
> > > This whole thing is driving me crazy. If anyone could just help me and
> > tell
> > > me where to set this Password Policy, and in what way.
> > >
> > > Any help would be much Appreciated.
> > >
> > > Thanks
> > >
> > >
> > >
> >
> >
> >
Anonymous
December 7, 2004 8:43:49 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

It turned out my Default Domain Policy was corrupt. I used recreateDefPol.exe
(Windows 2000 Server only, same as dcgpofix.exe) to repair it and now it
works fine. Thanks for all the help, I really appreciate it.


"Mohammed A. Raslan" wrote:

> I guess you have a corrputed Default Domain Policy files. What is your
> domain? Windows 2000 or Windows 2003?, and how many DC do you have?
>
> i suggest that you first create a system state backup (just in case), then
> delete your Default Domain Policy. when you try to delete it you will be
> asked to remove the link or delete it entirely, well it's better to only
> remove the link at this point, then if there is no other GPO's on the
> domain, create a new one but name it anything other than "Default Domain
> Policy" for example "My Default Policy" and set the password options you
> want in it.
>
> After that try to run from the domain controller itself the command "secedit
> /refreshpolicy machine_policy /enforce" if its a Windows2000 DC, or
> "gpupdate
> /force" if its a Windows2003 DC. if you have multiple DC's then first wait
> for
> about 10 mins then issue that command on them all. If you can restart
> the DC, it would be better and you will not need to run these commands
>
> After that open AD Users & Computers and create a test account and try
> playing with its password length and reset it to wrong and right values and
> see if it working.
>
> i'm sorry about the 90 min thing, it was related to something else, its how
> long
> client computers refresh thier policy from the domain, its not related to
> your problem, yours is with the domain controller not the clients
>
> When you open the domain properties and click on the new button to create a
> GPO, you usualy create and link a GPO to the domain at the same time,
> however in some situations you can or might want to create a GPO without
> linking it to the domain. so its there but with no effect.
>
> Try it and tell me, Hope this will work
> Yours truly,
> Mohammed A. Raslan
> Systems Engineer / Consultant
> MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
> Mobile: +20 (12) 36 26 112 / +965 978 1969
> E-Mail: m_raslan@link.net.removethis
>
>
> "MittonE" <eugenem@transcircuit.com(Do not Spam)> wrote in message
> news:0A6491AF-C78C-48EA-92D3-035B67746828@microsoft.com...
> > Hey Mohammed
> >
> > Thanks for the feedback.
> >
> > I logged on to the DC as the Domain Administrator and when I go to AD
> Users
> > And Computers, Domain Properties, Group Policy, Default Domain Policy,
> > Computer Configuration, Windows Setting, Security Settings, I only have
> > Public Key Policies and IP Security Policies on AD. There is no Account
> > Policies, Local Policies etc.
> >
> > You said, if I create a new GPO I should link it to the Domain. How do I
> do
> > this, I thought if it is created in the same place as the Deafault Domain
> > Policy it should go out to the whole Domain.
> >
> > I also did wait for more than 90 minutes but nothing happened.
> >
> > If I go to the Default Domain Policy Properties, under Security I have my
> > name with Full Control. Under Links, if I click Find Now, it only shows my
> > Domain.
> >
> >
> >
> > "Mohammed A. Raslan" wrote:
> >
> > > You where in the right place, its in the "Default Domain Policy" >
> "Computer
> > > Configuration" > "Windows Settings" > "Security Settings" > "Account
> > > Policies" > "Password Policies"
> > > You should be able to change it if you are using the administrator
> account.
> > >
> > > You can change the password settings in the "Default Domain Policy" or
> even
> > > create a new GPO, however, note that if you create a new one, it must be
> > > linked to the domain (not to OUs or any other type of containers), and
> it
> > > must be on the top of the list of the GPO's linked to the domain (there
> as
> > > special cases but it's better that way).
> > >
> > > Another thing is that you must refresh the computer policy on all
> clients
> > > for the policy to take effect, you can either restart all machines in
> the
> > > domain or wait for about 90mins or run "Secedit /refreshpolicy
> > > machine_policy /enforce" from Windows2000 machines and "gpupdate
> > > /target:computer /force" from Windows XP and Windows 2003 servers
> > >
> > > --
> > > Yours truly,
> > > Mohammed A. Raslan
> > > Systems Engineer / Consultant
> > > MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
> > > Mobile: +20 (12) 36 26 112 / +965 978 1969
> > > E-Mail: m_raslan@link.net.removethis
> > >
> > >
> > > "MittonE" <eugenem@transcircuit.com(Do not Spam)> wrote in message
> > > news:CA544896-FFEC-4859-A1EF-4C73B7F078BB@microsoft.com...
> > > > I have been trying to set up the Password Policy for a few days now,
> but I
> > > > just can’t get it to work. I’ll just explain what I’m doing and maybe
> > > someone
> > > > can give me some pointers.
> > > >
> > > > When I right click on our Domain in AD Users and Computers, Click
> > > Properties
> > > > and then select the Group Policy tab, I only have Default Domain
> Policy.
> > > >
> > > > First of all, should I be able to change settings in this Policy, like
> > > when
> > > > I edit it, go into Computer Configuration, Windows Setting, Security
> > > > Settings. Should I find the Account Policies – Password Policy in
> there or
> > > is
> > > > the Default Domain Policy not for these types of things. I can also
> not
> > > > expand the Administrative Templates. I am thinking that b/c this is a
> > > Default
> > > > Policy, I am not able to change it. Or could it be that I do not have
> the
> > > > permissions to change it.
> > > >
> > > > Secondly, in the Group Policy tab, I click New and create a new Policy
> > > > called Password Policy. I edit it and go to Computer Configuration,
> > > Windows
> > > > Settings, Security Settings, Account Policies and in Password Policy I
> > > change
> > > > all the Setting to what I want. When I go to a test user created in
> the
> > > Users
> > > > OU, I set the Account to change Password at next logon. However, when
> I
> > > log
> > > > in as this User, I can change the Password to 123 or anything else. I
> also
> > > > try and change the Password for a user I created in a OU I created
> > > manually
> > > > but still no Policy enforcement.
> > > >
> > > > This whole thing is driving me crazy. If anyone could just help me and
> > > tell
> > > > me where to set this Password Policy, and in what way.
> > > >
> > > > Any help would be much Appreciated.
> > > >
> > > > Thanks
> > > >
> > > >
> > > >
> > >
> > >
> > >
>
>
>
>
!