DC GPO - password policy not enforced

Guest
Archived from groups: microsoft.public.win2000.group_policy

In the Domain DC GPO, I have changed some file system security and suddenly
the password policies failed.

The password policies settings are still in the GPO file. I can read the
settings from the AD users and Computers. However when I log onto a DC and
check the local security settings, it says "not defined" for the password
policies. All other policies are in effect and there is no error in the
event log.

When I look into the winlogon.log, all the errors I can find are the

error 0 to send control flag 1 over to server
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND

and a file fail file system security items which is quite normal.

Any idea?

Any solution?

Thanks in advance.

------------------------------------------------------------------------------------

> Is the password policy defined in the default domain policy? If not, it
> must be defined there.

------------------------------------------------------------------------------------

It was defined. It is defined. In fact, most if not all items in the default
domain controller policy - machine are defined.

All policies including security, auditing, file system, registry, etc
reflect on the domain controller on the next update.

When I start the "local security setting" on one of the DCs it said those
settings are effective.

However, password policy is marked "NOT defined" on the local although they
are defined in the policy.

In fact, not even the local policy on the DC is effective.

So I have something like this:

Local defined password age: 42 days
Policy defined password age: 90 days
Effective password age: not defined.

------------------------------------------------------------------------------------

> What did you change that prompted this?

------------------------------------------------------------------------------------

1) I have added a new DC to the domain
2) The DC did not take in the DC policies so I went through the DC policies
3) I removed some duplicated entries in the file system section
4) I removed all "Everyone" security rights from the remaining entries in the
file system section
5) I removed all "Server Operator" security rights from the remaining entries in
the file system section
6) The new DC was still not working, so I debugged the winlogon and found that
it missed the %sysvol% variable
7) The new DC is finally taking in the DC policies, I found that the
password policies are not working
8) I found that the password policies are not working on other DCs as well
9) I am very sure that the password policies were working the week before
because I made some small adjustments
 
Guest

Which GPO? The Domain GPO is where the password policy is enforced. Are you
setting it in the Domain Controller GPO?

Kevin

 
Guest

"Kevin Sullivan" <ksullivan@autoprof.com> wrote in message
news:%23r45oi1jEHA.3624@TK2MSFTNGP10.phx.gbl...
> Which GPO? The Domain GPO is where the password policy is enforced. Are you
> setting it in the Domain Controller GPO?
>
> Kevin

Yes.

As I have said, all other policies are enforced. Only those related to
passwords are not.
 
Guest

If you're saying "yes" to the Domain Controller GPO then this is your issue.
The password policy will only be processed from the Default Domain Policy.
Any password settings in other GPOs including the Default Domain Controller
Policy will be ignored.


"Jeremy Sun" <binmann@hotmail.com> wrote in message
news:%23S1trS8jEHA.2788@tk2msftngp13.phx.gbl...
> "Kevin Sullivan" <ksullivan@autoprof.com> wrote in message
> news:%23r45oi1jEHA.3624@TK2MSFTNGP10.phx.gbl...
> > Which GPO? The Domain GPO is where the password policy is enforced. Are you
> > setting it in the Domain Controller GPO?
> >
> > Kevin
>
> Yes.
>
> As I have said, all other policies are enforced. Only those related to
> passwords are not.
>
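The rule in the answer above can be checked offline against the GPO security templates. This is an added example, not part of the original thread: it reads the `[System Access]` section of each GPO's `GptTmpl.inf` and flags password or lockout settings held in a GPO that is not linked at the domain root. The domain `example.test`, the function names and the sample templates are constructed, and link order, enforcement and inheritance blocking are not modelled.

```python
# Account-policy keys of the [System Access] section in a GPO security template
# (Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf under the GPO's SYSVOL folder).
ACCOUNT_POLICY_KEYS = {
    "minimumpasswordage", "maximumpasswordage", "minimumpasswordlength",
    "passwordcomplexity", "passwordhistorysize", "cleartextpassword",
    "lockoutbadcount", "resetlockoutcount", "lockoutduration",
}

def account_policy_settings(inf_text):
    """Return the password/lockout settings defined in a GptTmpl.inf text."""
    section, found = None, {}
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "system access" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in ACCOUNT_POLICY_KEYS:
                found[key] = value
    return found

def audit(gpos, domain_dn):
    """gpos: iterable of (name, linked container DNs, template text)."""
    findings = []
    for name, links, inf_text in gpos:
        settings = account_policy_settings(inf_text)
        if settings:
            at_root = any(dn.lower() == domain_dn.lower() for dn in links)
            status = "domain-wide" if at_root else "ignored for domain accounts"
            findings.append({"gpo": name, "status": status, "settings": settings})
    return findings

# Constructed sample data (hypothetical domain "example.test"), mirroring the thread.
DOMAIN_DN = "DC=example,DC=test"
DC_POLICY_INF = r"""[Unicode]
Unicode=yes
[System Access]
MaximumPasswordAge = 90
[File Security]
"%SystemRoot%\repair",0,"D:PAR(A;OICI;FA;;;BA)"
"""
SAMPLE_GPOS = [
    ("Default Domain Policy", [DOMAIN_DN], "[Unicode]\nUnicode=yes\n"),
    ("Default Domain Controllers Policy",
     ["OU=Domain Controllers," + DOMAIN_DN], DC_POLICY_INF),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_GPOS, DOMAIN_DN):
        print(finding)
```

When reading real templates from SYSVOL, open them with `encoding="utf-16"`, since the files are normally stored as Unicode.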
 
Guest

"Kevin Sullivan" <ksullivan@autoprof.com> wrote in message
news:euUFsp8jEHA.2412@TK2MSFTNGP15.phx.gbl...
> If you're saying "yes" to the Domain Controller GPO then this is your issue.
> The password policy will only be processed from the Default Domain Policy.
> Any password settings in other GPOs including the Default Domain Controller
> Policy will be ignored.

1) You are professional
2) I am an idiot
3) Thank you and thank you

Wish everybody a good day.
 
Guest

I was having this same issue and have changed my policy to the default
domain policy, but had a couple of questions:

1. Is there some place that Microsoft describes this behavior? Is it
new? I could have sworn it worked in W2k SP2(ish)...
2. Are there other policies that will only be processed if they are
applied to certain OUs or at the Site/Domain level?


Thanks in Advance!

Mark Hanson
Network Admin
Adams County School District 50





--
laser47
 
Guest

That has always been the case: domain user account policies can only be configured
at the domain level. If you configure it at the OU level, it can however apply to
"local" user accounts on the domain computers in that OU. See the KB link below for
more details. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;255550
