Group policy and Group shield??

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I set up a group policy to take affect on our passwords (length, expiration,
etc) and should of started today, but it did not take affect. I also received
various messages from Alert Manager (Group Shield) this morning and was
wondering if there is any connection. Has anyone experienced a group policy
not working due to their virus protection? Is it possible? Any suggestions?
7 answers Last reply
More about group policy group shield
  1. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "WetBehindEars" <WetBehindEars@discussions.microsoft.com> wrote in message
    news:35328F15-3C96-462C-9AFE-C74759BD56EC@microsoft.com...
    > I set up a group policy to take affect on our passwords (length,
    expiration,
    > etc) and should of started today, but it did not take affect. I also
    received
    > various messages from Alert Manager (Group Shield) this morning and was
    > wondering if there is any connection. Has anyone experienced a group
    policy
    > not working due to their virus protection? Is it possible? Any
    suggestions?

    Anything is possible but firewalls are more likely
    to cause problems than virus (but some security
    suite programs now have both.)

    Did you link the Group Policy to the DOMAIN?

    (Only Domain-Linked GPOs will affect the password,
    lockout or Kerberos policies. They are domain
    specific.)

    --
    Herb Martin
  2. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Yes, it is at the domain level. How could a firewall cause the problem if
    everyone is behind it? For some reason I think it is related to Group
    Shield/McAfee, but not really sure. Any other suggestions?

    "Herb Martin" wrote:

    > "WetBehindEars" <WetBehindEars@discussions.microsoft.com> wrote in message
    > news:35328F15-3C96-462C-9AFE-C74759BD56EC@microsoft.com...
    > > I set up a group policy to take affect on our passwords (length,
    > expiration,
    > > etc) and should of started today, but it did not take affect. I also
    > received
    > > various messages from Alert Manager (Group Shield) this morning and was
    > > wondering if there is any connection. Has anyone experienced a group
    > policy
    > > not working due to their virus protection? Is it possible? Any
    > suggestions?
    >
    > Anything is possible but firewalls are more likely
    > to cause problems than virus (but some security
    > suite programs now have both.)
    >
    > Did you link the Group Policy to the DOMAIN?
    >
    > (Only Domain-Linked GPOs will affect the password,
    > lockout or Kerberos policies. They are domain
    > specific.)
    >
    > --
    > Herb Martin
    >
    >
    >
    >
  3. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "WetBehindEars" <WetBehindEars@discussions.microsoft.com> wrote in message
    news:24A6378C-0E5B-4666-BBFE-172F9CD2954C@microsoft.com...
    > Yes, it is at the domain level. How could a firewall cause the problem if
    > everyone is behind it?

    In that case it probably couldn't but many people are running
    all sorts of firewall software internally -- XP sp2 even turns
    one on by default and many people running virus suite software
    have the included personal firewall software on, sometimes
    without even knowing it.

    > For some reason I think it is related to Group
    > Shield/McAfee, but not really sure. Any other suggestions?

    First check your authentication and DNS. Most
    such problems are related to those.

    DNS for AD
    1) Dynamic for the zone supporting AD
    2) All internal DNS clients NIC\IP properties must specify SOLELY
    that internal, dynamic DNS server (set.)
    3) DCs and even DNS servers are DNS clients too -- see #2

    Restart NetLogon on any DC if you change any of the above that
    affects a DC and/or use:

    nltest /dsregdns /server:DC-ServerNameGoesHere

    Ensure that DNS zones/domains are fully replicated to all DNS
    servers for that (internal) zone/domain.

    Also useful may be running DCDiag on each DC, sending the
    output to a text file, and searching for FAIL, ERROR, WARN.

    Single Lable domain zone names are a problem Google:
    [ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]


    --
    Herb Martin


    >
    > "Herb Martin" wrote:
    >
    > > "WetBehindEars" <WetBehindEars@discussions.microsoft.com> wrote in
    message
    > > news:35328F15-3C96-462C-9AFE-C74759BD56EC@microsoft.com...
    > > > I set up a group policy to take affect on our passwords (length,
    > > expiration,
    > > > etc) and should of started today, but it did not take affect. I also
    > > received
    > > > various messages from Alert Manager (Group Shield) this morning and
    was
    > > > wondering if there is any connection. Has anyone experienced a group
    > > policy
    > > > not working due to their virus protection? Is it possible? Any
    > > suggestions?
    > >
    > > Anything is possible but firewalls are more likely
    > > to cause problems than virus (but some security
    > > suite programs now have both.)
    > >
    > > Did you link the Group Policy to the DOMAIN?
    > >
    > > (Only Domain-Linked GPOs will affect the password,
    > > lockout or Kerberos policies. They are domain
    > > specific.)
    > >
    > > --
    > > Herb Martin
    > >
    > >
    > >
    > >
  4. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Wet,

    I will admin right off the bat that I am not a fan of McAfee AntiVirus
    software. I am a big fan of Norton and TrendMicro. Not sure that your Anti
    Virus software is necessarily causing any problems with this, though.

    Let's do some basic troubleshooting:

    Where did you create this Password Policy?
    What are the settings?
    Is it a separate GPO or is it included with some other GPO? If so, are the
    other parts working?
    Why do you think that it should have started today?
    Do you have any GPOs that are working?
    Have you made sure that DNS is correct? And that all of the clients point
    only to YOUR internal DNS Servers ( and not the ISP's )?
    Have you run 'net accounts' on the Domain Controllers as well as on some of
    the clients? How does that look?

    I would start there!

    I would also suggest that you implement complexity - if you have not done
    so - and educate your users as to what that means. Furthermore, I would
    suggest contacting MS-PSS and getting the fix for the error message that the
    user is given if he/she attempts to change the password to something that
    does not meet with the complexity rules. Out of the box the error message
    is not very useful or informative at all. The new error message - once you
    implement the change - is very specific! The user just needs to read it!

    http://support.microsoft.com/?id=821425

    The call to MS-PSS does not cost you anything as long as you mention that
    you are looking for the fix as discussed in that MSKB Article. They will
    e-mail it to you......Just make sure to give them a valid e-mail address!

    You might also want to take a look at this:

    http://support.microsoft.com/?id=309799

    Might be a bit too much but in my opinion you can never have too much
    security. Just educate the users!


    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "WetBehindEars" <WetBehindEars@discussions.microsoft.com> wrote in message
    news:35328F15-3C96-462C-9AFE-C74759BD56EC@microsoft.com...
    >I set up a group policy to take affect on our passwords (length,
    >expiration,
    > etc) and should of started today, but it did not take affect. I also
    > received
    > various messages from Alert Manager (Group Shield) this morning and was
    > wondering if there is any connection. Has anyone experienced a group
    > policy
    > not working due to their virus protection? Is it possible? Any
    > suggestions?
  5. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Well it was working last week because part of the security GP was a splash
    screen I had created that popped up when users went to log onto the network.
    Now that screen does not appear anymore.

    "Cary Shultz [A.D. MVP]" wrote:

    > Wet,
    >
    > I will admin right off the bat that I am not a fan of McAfee AntiVirus
    > software. I am a big fan of Norton and TrendMicro. Not sure that your Anti
    > Virus software is necessarily causing any problems with this, though.
    >
    > Let's do some basic troubleshooting:
    >
    > Where did you create this Password Policy?
    > What are the settings?
    > Is it a separate GPO or is it included with some other GPO? If so, are the
    > other parts working?
    > Why do you think that it should have started today?
    > Do you have any GPOs that are working?
    > Have you made sure that DNS is correct? And that all of the clients point
    > only to YOUR internal DNS Servers ( and not the ISP's )?
    > Have you run 'net accounts' on the Domain Controllers as well as on some of
    > the clients? How does that look?
    >
    > I would start there!
    >
    > I would also suggest that you implement complexity - if you have not done
    > so - and educate your users as to what that means. Furthermore, I would
    > suggest contacting MS-PSS and getting the fix for the error message that the
    > user is given if he/she attempts to change the password to something that
    > does not meet with the complexity rules. Out of the box the error message
    > is not very useful or informative at all. The new error message - once you
    > implement the change - is very specific! The user just needs to read it!
    >
    > http://support.microsoft.com/?id=821425
    >
    > The call to MS-PSS does not cost you anything as long as you mention that
    > you are looking for the fix as discussed in that MSKB Article. They will
    > e-mail it to you......Just make sure to give them a valid e-mail address!
    >
    > You might also want to take a look at this:
    >
    > http://support.microsoft.com/?id=309799
    >
    > Might be a bit too much but in my opinion you can never have too much
    > security. Just educate the users!
    >
    >
    > --
    > Cary W. Shultz
    > Roanoke, VA 24014
    > Microsoft Active Directory MVP
    >
    > http://www.activedirectory-win2000.com
    > http://www.grouppolicy-win2000.com
    >
    >
    >
    > "WetBehindEars" <WetBehindEars@discussions.microsoft.com> wrote in message
    > news:35328F15-3C96-462C-9AFE-C74759BD56EC@microsoft.com...
    > >I set up a group policy to take affect on our passwords (length,
    > >expiration,
    > > etc) and should of started today, but it did not take affect. I also
    > > received
    > > various messages from Alert Manager (Group Shield) this morning and was
    > > wondering if there is any connection. Has anyone experienced a group
    > > policy
    > > not working due to their virus protection? Is it possible? Any
    > > suggestions?
    >
    >
    >
  6. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    I do not doubt that it was working last week. However, for some reason it
    is
    apparently no longer working. Did you check the things that I suggested?

    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "WetBehindEars" <WetBehindEars@discussions.microsoft.com> wrote in message
    news:2FF07082-DCE1-4171-A888-0D268F0FFB66@microsoft.com...
    > Well it was working last week because part of the security GP was a splash
    > screen I had created that popped up when users went to log onto the
    > network.
    > Now that screen does not appear anymore.
    >
    > "Cary Shultz [A.D. MVP]" wrote:
    >
    >> Wet,
    >>
    >> I will admin right off the bat that I am not a fan of McAfee AntiVirus
    >> software. I am a big fan of Norton and TrendMicro. Not sure that your
    >> Anti
    >> Virus software is necessarily causing any problems with this, though.
    >>
    >> Let's do some basic troubleshooting:
    >>
    >> Where did you create this Password Policy?
    >> What are the settings?
    >> Is it a separate GPO or is it included with some other GPO? If so, are
    >> the
    >> other parts working?
    >> Why do you think that it should have started today?
    >> Do you have any GPOs that are working?
    >> Have you made sure that DNS is correct? And that all of the clients
    >> point
    >> only to YOUR internal DNS Servers ( and not the ISP's )?
    >> Have you run 'net accounts' on the Domain Controllers as well as on some
    >> of
    >> the clients? How does that look?
    >>
    >> I would start there!
    >>
    >> I would also suggest that you implement complexity - if you have not done
    >> so - and educate your users as to what that means. Furthermore, I would
    >> suggest contacting MS-PSS and getting the fix for the error message that
    >> the
    >> user is given if he/she attempts to change the password to something that
    >> does not meet with the complexity rules. Out of the box the error
    >> message
    >> is not very useful or informative at all. The new error message - once
    >> you
    >> implement the change - is very specific! The user just needs to read it!
    >>
    >> http://support.microsoft.com/?id=821425
    >>
    >> The call to MS-PSS does not cost you anything as long as you mention that
    >> you are looking for the fix as discussed in that MSKB Article. They will
    >> e-mail it to you......Just make sure to give them a valid e-mail address!
    >>
    >> You might also want to take a look at this:
    >>
    >> http://support.microsoft.com/?id=309799
    >>
    >> Might be a bit too much but in my opinion you can never have too much
    >> security. Just educate the users!
    >>
    >>
    >> --
    >> Cary W. Shultz
    >> Roanoke, VA 24014
    >> Microsoft Active Directory MVP
    >>
    >> http://www.activedirectory-win2000.com
    >> http://www.grouppolicy-win2000.com
    >>
    >>
    >>
    >> "WetBehindEars" <WetBehindEars@discussions.microsoft.com> wrote in
    >> message
    >> news:35328F15-3C96-462C-9AFE-C74759BD56EC@microsoft.com...
    >> >I set up a group policy to take affect on our passwords (length,
    >> >expiration,
    >> > etc) and should of started today, but it did not take affect. I also
    >> > received
    >> > various messages from Alert Manager (Group Shield) this morning and was
    >> > wondering if there is any connection. Has anyone experienced a group
    >> > policy
    >> > not working due to their virus protection? Is it possible? Any
    >> > suggestions?
    >>
    >>
    >>
  7. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    As Cary said, check his suggestions, and note
    that if it worked last week this argues even stronger
    for a lack of authentication or access to the DCs
    from the computer.

    Or that in the interval the computer account has
    become hosed -- <right click> Reset in AD Users/Computers

    But recognize before you do this that most such
    problems are DNS problems, then authentication
    in general (those authentication problems NOT due
    to DNS problems.)

    --
    Herb Martin


    "WetBehindEars" <WetBehindEars@discussions.microsoft.com> wrote in message
    news:2FF07082-DCE1-4171-A888-0D268F0FFB66@microsoft.com...
    > Well it was working last week because part of the security GP was a splash
    > screen I had created that popped up when users went to log onto the
    network.
    > Now that screen does not appear anymore.
    >
    > "Cary Shultz [A.D. MVP]" wrote:
    >
    > > Wet,
    > >
    > > I will admin right off the bat that I am not a fan of McAfee AntiVirus
    > > software. I am a big fan of Norton and TrendMicro. Not sure that your
    Anti
    > > Virus software is necessarily causing any problems with this, though.
    > >
    > > Let's do some basic troubleshooting:
    > >
    > > Where did you create this Password Policy?
    > > What are the settings?
    > > Is it a separate GPO or is it included with some other GPO? If so, are
    the
    > > other parts working?
    > > Why do you think that it should have started today?
    > > Do you have any GPOs that are working?
    > > Have you made sure that DNS is correct? And that all of the clients
    point
    > > only to YOUR internal DNS Servers ( and not the ISP's )?
    > > Have you run 'net accounts' on the Domain Controllers as well as on some
    of
    > > the clients? How does that look?
    > >
    > > I would start there!
    > >
    > > I would also suggest that you implement complexity - if you have not
    done
    > > so - and educate your users as to what that means. Furthermore, I would
    > > suggest contacting MS-PSS and getting the fix for the error message that
    the
    > > user is given if he/she attempts to change the password to something
    that
    > > does not meet with the complexity rules. Out of the box the error
    message
    > > is not very useful or informative at all. The new error message - once
    you
    > > implement the change - is very specific! The user just needs to read
    it!
    > >
    > > http://support.microsoft.com/?id=821425
    > >
    > > The call to MS-PSS does not cost you anything as long as you mention
    that
    > > you are looking for the fix as discussed in that MSKB Article. They
    will
    > > e-mail it to you......Just make sure to give them a valid e-mail
    address!
    > >
    > > You might also want to take a look at this:
    > >
    > > http://support.microsoft.com/?id=309799
    > >
    > > Might be a bit too much but in my opinion you can never have too much
    > > security. Just educate the users!
    > >
    > >
    > > --
    > > Cary W. Shultz
    > > Roanoke, VA 24014
    > > Microsoft Active Directory MVP
    > >
    > > http://www.activedirectory-win2000.com
    > > http://www.grouppolicy-win2000.com
    > >
    > >
    > >
    > > "WetBehindEars" <WetBehindEars@discussions.microsoft.com> wrote in
    message
    > > news:35328F15-3C96-462C-9AFE-C74759BD56EC@microsoft.com...
    > > >I set up a group policy to take affect on our passwords (length,
    > > >expiration,
    > > > etc) and should of started today, but it did not take affect. I also
    > > > received
    > > > various messages from Alert Manager (Group Shield) this morning and
    was
    > > > wondering if there is any connection. Has anyone experienced a group
    > > > policy
    > > > not working due to their virus protection? Is it possible? Any
    > > > suggestions?
    > >
    > >
    > >
Ask a new question

Read More

Policy Microsoft Active Directory Windows