Re: remove domain gp settings

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: Mike Koch (mikey_at_NOSPAMebgames.com)
Date: 12/27/04 

Date: Mon, 27 Dec 2004 10:49:23 -0500

Hi Rebecca,

The default domain policy was indeed cached, and the rsop.msc confirmed it,
but running "gpupdate /force" had no effect. I did fix the problem this
morning, though, and here's how (although I'm still not clear on why this
happened.)

Part of our normal routine when building workstations is to rename the
default administrator account - something I did NOT do when building this
particular machine (the SMS OSD docs said to leave it at the default).
Apparently, something in our default domain policy uses the renamed account
and not "Administrator". This part confuses me, as I thought the policies
used the account SIDs, not the actual name, but when I did a "findstr /I
'Cannot find' %systemroot$\security\logs\winlogon.log", it returned several
lines containing the renamed account.

To fix the problem, I had to rename the administrator account to the name we
use, then rejoin the machine to the domain. Once the default domain policy
successfully applied, I unjoined the domain, rebooted, then renamed the
account back to Administrator, and now everything is working properly.

Thanks for your assistance, and if you can explain why this happened in more
detail, I'd be most appreciative.

Best Regards,
Mike

"Rebecca Chen [MSFT]" <v-rebc@online.microsoft.com> wrote in message
news:1B097SY6EHA.1512@cpmsftngxa10.phx.gbl...
> Hi Mike,
>
> I suspect the domain policy has been cached in your client.
>
> Please issue the command "rsop.msc" in run box, can you see the domain
> policy applied to this client? If so, please issue the command "gpupdate
> /force" to refresh the group policy and restart the machine to test this
> issue.
>
> If the issue persists, please save the result of rsop.msc and send me
> (v-rebc@microsoft.com) for research.
>
> Any update, let us get in touch!
>
> Best regards,
>
> Rebecca Chen
>
> MCSE2000 MCDBA CCNA
>
>
> Microsoft Online Partner Support
> Get Secure! - www.microsoft.com/security
>
> =====================================================
>
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
>
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>

Relevant Pages

  • Re: Problem running a script
    ... ' UserAccountControl .vbs ... ' Here is where we set the value to enable the account ... ' The heart of this script - Enable users ... how do I determine which part of domain policy is stopping this from running so that I can disable it. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Account Lockout Threshold change - Not taking effect
    ... This posting is provided "AS IS" with no warranties, ... The GPO (Default Domain Policy) that has the account lockout setting ...
    (microsoft.public.windows.server.active_directory)
  • Re: MP Control Manager Issue
    ... The server is not a DC. ... Do not know if there is a domain policy, ... >> this MP Control Manager Issue which I did not have in the test lab setup. ... If using a standard SQL security account, ...
    (microsoft.public.sms.admin)
  • Re: Service accounts and domain policies
    ... the domain policy will override the account setting... ... "Paul Adare" wrote: ...
    (microsoft.public.security)
  • Re: Default Domain Policy
    ... done in an Exchange Server 2003 classroom with 8 domains with the same ... > Exactly what settings are you setting in the Domain Policy and what are ... >> true and stating that there can only be a single account policy in effect ... >> anyone who takes the time to test, that more restrictive policies can be ...
    (microsoft.public.windows.server.active_directory)