
Account Policies do not appear to apply

Anonymous
April 28, 2005 11:32:59 AM

Archived from groups: microsoft.public.win2000.group_policy

I have a domain consisting of about 150 workstations with an active
directory structure that includes both a win2k server and a win2003
server. I recently started applying group policies. To make the changes
I have been going to my Active Directory user and computers tool and
right clicking on the domain. I then go to the group policy tab and
edit the "default domain policy".

Machine/computer policies such as logon message and logon title appear
to work fine and User configuration changes for I.E. appear to apply
as well. However, machine policies such as password length, password
max age, and account revocation do not seem to work. I say they are not
applying because I have done things such as making invalid logon
attempts and forcing a password change and I have not been challenged
by any policy.

My goal is to control user password changes and user access to the
domain with a policy. However, it dawned on me last evening that what I
might actually be doing with my policy is setting those controls for
each of my 150 local machines rather than at the domain level. Could
that be the case? Am I looking at the use of these policies
incorrectly? Any advice would be greatly appreciated.

I apologize if I rambled, this is my first post.


Anonymous
April 28, 2005 5:19:09 PM

Additional information. I downloaded GPMC to my 2003 server. It shows
me that my policy is being applied to a test winxp pro workstation. I
have verified that my password length, history and account lockout are
indeed working for the local accounts, but it is clearly not being
applied to domain accounts. Again, I am stumped.
Anonymous
April 28, 2005 6:44:10 PM

In AD Users and Computers, Right Click your Domain Name, Click Properties,
click the Group Policy Tab, Highlight the "Default Domain Policy" then click
the edit button.
Go To > Computer Configuration>Windows Settings>Security Settings>Account
Policies>Password Policy. In the right pane you'll have 6 choices. Make sure
you understand what each one does and what you are setting. Once those are
set it will affect the password policy for your entire domain.

Note: Although you can set this same policy at the OU level, Password
Policies are only effective at the domain level. Local, OU or Site Policies
will not change the Default Domain Policy when it comes to password policies.

Hope that helps.
--
Michael E. McAteer
Network Engineer
MCSA, MCSE, CNA, A+


"Biff" wrote:

> I have a domain consisting of about 150 workstations with an active
> directory structure that includes both a win2k server and a win2003
> server. I recently started applying group policies. To make the changes
> I have been going to my Active Directory user and computers tool and
> right clicking on the domain. I then go to the group policy tab and
> edit the "default domain policy".
>
> Machine/computer policies such as logon message and logon title appear
> to work fine and User configuration changes for I.E. appear to apply
> as well. However, machine policies such as password length, password
> max age, and account revocation do not seem to work. I say they are not
> applying because I have done things such as making invalid logon
> attempts and forcing a password change and I have not been challenged
> by any policy.
>
> My goal is to control user password changes and user access to the
> domain with a policy. However, it dawned on me last evening that what I
> might actually be doing with my policy is setting those controls for
> each of my 150 local machines rather than at the domain level. Could
> that be the case? Am I looking at the use of these policies
> incorrectly? Any advice would be greatly appreciated.
>
> I apologize if I rambled, this is my first post.
>
>
Anonymous
April 29, 2005 9:59:45 AM

Michael,
Thanks for the reply
I verified and followed your steps with the following exception. The
only GPO I can find and access on my system with the word "domain" in
it is "default domain NEW policy". I cannot locate any gpo called
"default domain policy". Is the "default domain policy" treated
differently when processed?

Biff
Anonymous
April 29, 2005 6:26:01 PM

I'm in total agreement with Lara. Yes, it is handled differently. As
mentioned in my previous post, the only policy that is allowed to control
Passwords is the Default Domain Policy. Even though you find the settings in
any policy they are only applied to the entire domain. If it's been deleted
and replaced by someone you need to find a way to recreate it properly. Not
sure how to do that but I'm sure MS has a fix for that, I doubt you're the only
one.

Hope that helps.
--
Michael E. McAteer
Network Engineer
MCSA, MCSE, CNA, A+


"Biff" wrote:

> Michael,
> Thanks for the reply
> I verified and followed your steps with the following exception. The
> only GPO I can find and access on my system with the word "domain" in
> it is "default domain NEW policy". I cannot locate any gpo called
> "default domain policy". Is the "default domain policy" treated
> differently when processed?
>
> Biff
>
>
Anonymous
April 29, 2005 6:50:00 PM

"Biff" wrote:
> Michael,
> Thanks for the reply
> I verified and followed your steps with the following exception. The
> only GPO I can find and access on my system with the word "domain" in
> it is "default domain NEW policy". I cannot locate any gpo called
> "default domain policy". Is the "default domain policy" treated
> differently when processed?
>
> Biff

Hi,

It sounds like someone may have deleted your Default Domain Policy? Is
this the case? If it is then that is a Big No No. The Default Domain
Policy and the Default Domain Controllers Policy have unique GUIDs
that identify them. In fact the GUIDs are identical on each
installation of Windows 2000 Domain.

The Default Domain Policy and the Default Domain Controllers Policy
are identified by these GUIDs. They contain a lot of necessary default
settings that are required by the domain.

The Default Domain Policy GUID (located in
C:\windows\sysvol\sysvol\domain.name\policies) is
{31B2F340-016D-11D2-945F-00C04FB984F9}

The Default Domain Controllers GUID is
{6AC1786C-016F-11D2-945F-00C04fB984F9}

Check and see if these GUIDs exist on your DC in your
C:\windows\sysvol\sysvol\domain.name\policies folder. If not
then you may have to recreate them by installing a separate new W2k/03
Domain and copying the folders over.

If they do exist, right-click the Domain - go to the Group Policy tab and
click "add". Click the "All" tab and see if the Default Domain
Policy is there.

Good Luck

Cheers,

Lara

--
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Group-Policy-Account-Polic...
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1184428
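
The folder check Lara describes, extended to read the account policy stored in each folder, as an added PowerShell example that is not part of the original posts. The path is the placeholder from the thread (replace `domain.name`); the `GptTmpl.inf` location and the `[System Access]` key names are the standard GPO security-template layout.

```powershell
param(
    # Assumption: local SYSVOL policies path as written in the thread; substitute your domain name.
    [string]$PoliciesPath = 'C:\windows\sysvol\sysvol\domain.name\policies'
)

# The two well-known GUIDs quoted in the post above.
$defaultGpos = [ordered]@{
    'Default Domain Policy'             = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
    'Default Domain Controllers Policy' = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'
}

# Parse the [System Access] section (password and lockout settings) of a security template.
function Get-SystemAccessSettings {
    param([string]$InfPath)
    $settings = [ordered]@{}
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $InfPath) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSection -and $line -match '^([^=;]+?)\s*=\s*(.*)$') {
            $settings[$Matches[1]] = $Matches[2]
        }
    }
    return $settings
}

$keys = 'MinimumPasswordLength', 'MaximumPasswordAge', 'PasswordHistorySize', 'LockoutBadCount'
foreach ($name in $defaultGpos.Keys) {
    $folder = Join-Path $PoliciesPath $defaultGpos[$name]
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        Write-Warning "$name folder missing: $folder"
        continue
    }
    Write-Output "$name folder present: $folder"
    $inf = Join-Path $folder 'MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    if (-not (Test-Path -LiteralPath $inf -PathType Leaf)) {
        Write-Warning "  No security template (GptTmpl.inf) found in this GPO"
        continue
    }
    $s = Get-SystemAccessSettings -InfPath $inf
    foreach ($key in $keys) {
        if ($s.Contains($key)) { Write-Output "  $key = $($s[$key])" }
        else { Write-Output "  $key is not defined" }
    }
}
```

A missing folder or a template with none of these keys defined matches the symptom in the thread: the settings exist in some other GPO but are not the ones the domain uses for domain accounts.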
Anonymous
May 2, 2005 11:02:22 AM

My thanks to both you and Lara for replying.

I believe we are all on track with this. Now the difficult task is
figuring out how to fix it!
I have found a program from Microsoft called dcgpofix. It is supposed
to restore both the "default domain policy" and
the default "domain controllers policy" to their clean install state.
However, I'm a little squeamish about using it without a little more
research even though it should not affect my current policies.

Thanks again!
Biff
Anonymous
May 2, 2005 6:29:02 PM

Hi,

I actually had to restore all my SYSVOL when a drive got corrupted and
then replicated. I lost all my SYSVOL GUID Policy Folders. Basically
what I did was got a copy of the actual GUID folders from another
Domain and put it back into my SYSVOL. The trick was creating the name
in Group Policy to match the GUID and then going through the Local
Security Policies - User Rights Assignment in the Domain Controllers
to make sure the accounts were correct.

Have you checked to see if the GUID folders still exist?

I found this info on the tool.
>For general backup and restore of the Default Domain Policy and
>Default Domain Controller Policy, and also for other GPOs, Microsoft
>recommends that you use the Group Policy Management Console (GPMC) to
>create regular backups of these GPOs. You can then use GPMC in
>conjunction with these backups to restore the exact security settings
>that are contained in these GPOs.
>
>For more information about the GPMC, visit the following Microsoft Web
>site:
>http://www.microsoft.com/windowsserver2003/gpmc/default...
>
>"If you are in a disaster recovery scenario and you do not have any
>backed up versions of the Default Domain Policy or the Default Domain
>Controller Policy, you may consider using the Dcgpofix tool. If you
>use the Dcgpofix tool, Microsoft recommends that as soon as you run
>it, you review the security settings in these GPOs and manually adjust
>the security settings to suit your requirements." A fix is not
>scheduled to be released because Microsoft recommends you use GPMC to
>back up and restore all GPOs in your environment. The Dcgpofix tool is
>a disaster-recovery tool that will restore your environment to a
>functional state only. It is best not to use it as a replacement for a
>backup strategy using GPMC. It is best to use the Dcgpofix tool only
>when a GPO back up for the Default Domain Policy and Default Domain
>Controller Policy does not exist.

