Re: Please help GPO's - MVP's
From: Herb Martin (news_at_LearnQuick.com)
Date: 10/16/04
- In reply to: davran: "Please help GPO's - MVP's"
Date: Sat, 16 Oct 2004 13:14:39 -0500
"davran" <davran@discussions.microsoft.com> wrote in message
news:1E2E9ED1-61EF-4479-BACB-35067A638264@microsoft.com...
> Network is Win2000 advanced servers.
>
> I have a domain with 12 servers. I configured the security section of
> default domain security policy but these settings are not showing on the
> member servers when I look at the local policy and look at the effective
> settings.
First, it is generally a bad idea to modify the default domain
policy (at least initially) but rather it is preferred to add an
additional policy so that you may distinguish your own changes
from the MS provided defaults -- and differentially disable them
if that ever becomes necessary.
> I have even configured local policies using 'security and configuration
> analysis' and defined Password policies, account policies, user rights and
> assignments and security options..All these are fine and work except the
> security options which still show default settings.
Local policies for "Security Account Policies" (including Password)
are only going to affect Local Account logon (not domain accounts).
Domain "Security Account Policies" can only be effectively Linked
at the DOMAIN level but you seem to have done that by changing the
Default Domain Policy.
> Anyone know why my configured security options are not showing.? Also
Several possibilities are obvious for your first checks:
1) The GPO that was edited didn't replicate to the other (authenticating) DCs
2) The machines are not members of the domain
3) The machines are members but not authenticating properly or failing
to retrieve the GPO from the DC.
4) It isn't really domain linked (e.g., using Def. DC policy by mistake)
5) A later policy (on the domain in this case) is overriding
6) Permission problems -- user/computer must have Read & Apply_Policy
#5 and #6 are unlikely to happen by accident but are included for
completeness. #1 and #3 are usually DNS problems. #2 is trivial
to check as is #4.
> I have configured the warning message on the default domain policy to
> display a warning message. This is displayed OK on the domain controllers but
> do not display on the members servers...anyone know why..?
Perhaps you used the "Default Domain CONTROLLER policy" for
these?
Since it appears to be affecting the DCs but not the domain wide
machine and user logons...this seems a strong possibility and is
quick to (double) check.
You might also run DCDiag to confirm your DC/DNS setup and
ensure replication.
-- Herb Martin
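
Checks #1, #4, #5 and #6 from the reply above can be scripted. The following is an added example, not part of the original post: it assumes a management host with the RSAT GroupPolicy and ActiveDirectory PowerShell modules (which postdate the Windows 2000 servers in this thread), and `$GpoName` is a placeholder for the GPO that was edited.

```powershell
# Added example. Assumes RSAT GroupPolicy + ActiveDirectory modules on a
# domain-joined management host; run as a user who can read the GPOs.
Import-Module GroupPolicy, ActiveDirectory

$GpoName = 'Default Domain Policy'   # placeholder: the GPO you edited
$domain  = Get-ADDomain

# Checks #4 and #5: is the GPO linked at the domain root, or only on the
# Domain Controllers OU, and does another link take precedence over it?
foreach ($target in $domain.DistinguishedName, $domain.DomainControllersContainer) {
    $som = Get-GPInheritance -Target $target
    "Links on ${target} (Order 1 has highest precedence):"
    $som.GpoLinks | Sort-Object Order |
        Format-Table Order, DisplayName, Enabled, Enforced -AutoSize | Out-String
    if ($som.GpoLinks.DisplayName -notcontains $GpoName) {
        "  '$GpoName' is NOT linked directly on this container"
    }
}

# Check #6: who is granted Apply (which includes Read) on the GPO?
$apply = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' }
if ($apply) {
    "Trustees with Read + Apply on '$GpoName':"
    $apply | ForEach-Object { "  $($_.Trustee.Name)" }
} else {
    "No trustee has Apply on '$GpoName'; no user or computer will process it"
}

# Check #1: has the edit replicated? Compare the computer-side version
# stored in AD with the one in SYSVOL, as seen from every DC.
$versions = foreach ($dc in Get-ADDomainController -Filter *) {
    $gpo = Get-GPO -Name $GpoName -Server $dc.HostName
    [pscustomobject]@{
        DC            = $dc.HostName
        DSVersion     = $gpo.Computer.DSVersion
        SysvolVersion = $gpo.Computer.SysvolVersion
        InSync        = $gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion
    }
}
$versions | Format-Table -AutoSize | Out-String
if (($versions.DSVersion | Sort-Object -Unique).Count -gt 1) {
    "DCs disagree on the GPO version: check AD replication and DNS"
}
```

Checks #2 and #3 still have to be made from the member server itself, since they concern whether that machine authenticates to a DC and retrieves the GPO.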