
Group policy and Group shield??

Anonymous
January 18, 2005 10:49:05 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I set up a group policy to take effect on our passwords (length, expiration,
etc) and should have started today, but it did not take effect. I also received
various messages from Alert Manager (Group Shield) this morning and was
wondering if there is any connection. Has anyone experienced a group policy
not working due to their virus protection? Is it possible? Any suggestions?
Anonymous
January 18, 2005 12:56:25 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

"WetBehindEars" <WetBehindEars@discussions.microsoft.com> wrote in message
news:35328F15-3C96-462C-9AFE-C74759BD56EC@microsoft.com...
> I set up a group policy to take effect on our passwords (length, expiration,
> etc) and should have started today, but it did not take effect. I also received
> various messages from Alert Manager (Group Shield) this morning and was
> wondering if there is any connection. Has anyone experienced a group policy
> not working due to their virus protection? Is it possible? Any suggestions?

Anything is possible but firewalls are more likely
to cause problems than virus (but some security
suite programs now have both.)

Did you link the Group Policy to the DOMAIN?

(Only Domain-Linked GPOs will affect the password,
lockout or Kerberos policies. They are domain
specific.)

--
Herb Martin
Anonymous
January 18, 2005 12:56:26 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Yes, it is at the domain level. How could a firewall cause the problem if
everyone is behind it? For some reason I think it is related to Group
Shield/McAfee, but not really sure. Any other suggestions?

Anonymous
January 18, 2005 1:50:56 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

"WetBehindEars" <WetBehindEars@discussions.microsoft.com> wrote in message
news:24A6378C-0E5B-4666-BBFE-172F9CD2954C@microsoft.com...
> Yes, it is at the domain level. How could a firewall cause the problem if
> everyone is behind it?

In that case it probably couldn't but many people are running
all sorts of firewall software internally -- XP sp2 even turns
one on by default and many people running virus suite software
have the included personal firewall software on, sometimes
without even knowing it.

> For some reason I think it is related to Group
> Shield/McAfee, but not really sure. Any other suggestions?

First check your authentication and DNS. Most
such problems are related to those.

DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2

Restart NetLogon on any DC if you change any of the above that
affects a DC and/or use:

nltest /dsregdns /server:DC-ServerNameGoesHere

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]


--
Herb Martin
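
The DCDiag step described above (send the output to a text file, then search for FAIL, ERROR, WARN), as an added example that is not part of the original post. It groups each matching line under the test that produced it; the sample output and the server name DC1 are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of DCDiag text output (hypothetical server name DC1).
SAMPLE_DCDIAG = """\
Testing server: Default-First-Site-Name\\DC1
   Starting test: Connectivity
      ......................... DC1 passed test Connectivity
   Starting test: Replications
      [Replications Check,DC1] A recent replication attempt failed:
         The last error was the DNS lookup failure.
      ......................... DC1 failed test Replications
   Starting test: NetLogons
      ......................... DC1 passed test NetLogons
   Starting test: systemlog
      A Warning Event occurred.  EventID: 0x000003F6
      ......................... DC1 failed test systemlog
"""

# The three search terms from the post, matched case-insensitively so that
# "failed", "failure", "error" and "Warning" are all caught.
KEYWORDS = re.compile(r"FAIL|ERROR|WARN", re.IGNORECASE)
TEST_START = re.compile(r"Starting test:\s*(\S+)")


def triage_dcdiag(text):
    """Return {test name: [matching lines]} for lines containing a keyword."""
    hits = defaultdict(list)
    current = "(before first test)"
    for line in text.splitlines():
        started = TEST_START.search(line)
        if started:
            current = started.group(1)  # remember which test we are inside
            continue
        if KEYWORDS.search(line):
            hits[current].append(line.strip())
    return dict(hits)


if __name__ == "__main__":
    for test, lines in triage_dcdiag(SAMPLE_DCDIAG).items():
        print(test)
        for entry in lines:
            print("   ", entry)
```
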


Anonymous
January 18, 2005 2:24:54 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Wet,

I will admit right off the bat that I am not a fan of McAfee AntiVirus
software. I am a big fan of Norton and TrendMicro. Not sure that your Anti
Virus software is necessarily causing any problems with this, though.

Let's do some basic troubleshooting:

Where did you create this Password Policy?
What are the settings?
Is it a separate GPO or is it included with some other GPO? If so, are the
other parts working?
Why do you think that it should have started today?
Do you have any GPOs that are working?
Have you made sure that DNS is correct? And that all of the clients point
only to YOUR internal DNS Servers ( and not the ISP's )?
Have you run 'net accounts' on the Domain Controllers as well as on some of
the clients? How does that look?

I would start there!

I would also suggest that you implement complexity - if you have not done
so - and educate your users as to what that means. Furthermore, I would
suggest contacting MS-PSS and getting the fix for the error message that the
user is given if he/she attempts to change the password to something that
does not meet with the complexity rules. Out of the box the error message
is not very useful or informative at all. The new error message - once you
implement the change - is very specific! The user just needs to read it!

http://support.microsoft.com/?id=821425

The call to MS-PSS does not cost you anything as long as you mention that
you are looking for the fix as discussed in that MSKB Article. They will
e-mail it to you......Just make sure to give them a valid e-mail address!

You might also want to take a look at this:

http://support.microsoft.com/?id=309799

Might be a bit too much but in my opinion you can never have too much
security. Just educate the users!


--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
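
The 'net accounts' check suggested above, as an added example that is not part of the original post: it parses the command's output captured on a Domain Controller and on a client and reports which password settings differ. Both captures and their values are constructed for illustration.

```python
# Constructed 'net accounts' captures; all values are hypothetical.
DC_OUTPUT = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          90
Minimum password length:                              8
Length of password history maintained:                12
Lockout threshold:                                    5
Computer role:                                        PRIMARY
The command completed successfully.
"""
CLIENT_OUTPUT = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Computer role:                                        WORKSTATION
The command completed successfully.
"""

IGNORED = {"Computer role"}  # expected to differ between a DC and a client


def parse_net_accounts(text):
    """Parse 'label:   value' lines into a dict, splitting on the last colon."""
    settings = {}
    for line in text.splitlines():
        label, sep, value = line.rpartition(":")
        if sep and value.strip():  # skips the trailing status line
            settings[label.strip()] = value.strip()
    return settings


def policy_drift(reference, other):
    """Return {setting: (reference value, other value)} where the two differ."""
    ref, oth = parse_net_accounts(reference), parse_net_accounts(other)
    return {name: (ref[name], oth.get(name, "<missing>"))
            for name in ref
            if name not in IGNORED and ref[name] != oth.get(name)}


if __name__ == "__main__":
    for name, (dc_value, client_value) in policy_drift(DC_OUTPUT, CLIENT_OUTPUT).items():
        print(f"{name}: DC={dc_value} client={client_value}")
```
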



Anonymous
January 18, 2005 2:24:55 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Well it was working last week because part of the security GP was a splash
screen I had created that popped up when users went to log onto the network.
Now that screen does not appear anymore.

Anonymous
January 18, 2005 5:29:15 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I do not doubt that it was working last week. However, for some reason it is
apparently no longer working. Did you check the things that I suggested?

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



Anonymous
January 18, 2005 6:17:43 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

As Cary said, check his suggestions, and note
that if it worked last week this argues even stronger
for a lack of authentication or access to the DCs
from the computer.

Or that in the interval the computer account has
become hosed -- <right click> Reset in AD Users/Computers

But recognize before you do this that most such
problems are DNS problems, then authentication
in general (those authentication problems NOT due
to DNS problems.)

--
Herb Martin

