Policy changes are not recognized

From: Ed Ireland (EdIreland_at_discussions.microsoft.com)
Date: 01/28/05


Date: Fri, 28 Jan 2005 09:23:04 -0800

Any help would be greatly appreciated!

I'm having trouble turning off a GP set at the Domain level.

The "Default Domain Security Policy" only addresses the "password policy"
settings under "Computer Configuration | Windows Settings | Security Settings
| Account Policies". This policy requires password renewal every 38 days, 0
days minimum duration, 8 character min length, etc., for users that are not
members of a "Domain Static Authentication" security group that I created.

The "Default Domain Security Policy" is the second of two GPs at the Domain
level. The first policy, "Default Domain Policy", contains no settings
related to "password policy".

The policy worked well when first implemented, only affecting those not
contained in the Domain Static Auth group.

I configured this as detailed in MS KB article
http://support.microsoft.com/default.aspx?scid=kb;en-us;322176 under the
section: "How to Filter the Scope of Group Policy According to Security Group
Membership".

Opening Properties | Security on the Default Domain Security Policy shows
that the Security group Domain Static Authentication is allowed "READ" and
denied "Apply Group Policy".

Now, I need to turn off the policy, but am unable to do so. The users that
the policy was originally applied to are still being asked to renew their
password.

I have tried:
- adding the users that I do not want affected to the Domain Static Auth group
- disabling the Default Domain Security Policy
- checking for block inheritance settings (found none)
- deleting the Default Domain Security Policy (now recreated)
- running the secedit / refreshpolicy commands from the domain controller,
  and the GPUDATE command from the XP client as referenced in
  http://support.microsoft.com/default.aspx?scid=kb;en-us;887421

GPResult reports:
"Default Domain Security Policy"
Filtering: Denied (Security)

Please let me know what I have done wrong.

Thanks -- Ed


