Re: Default Domain password policy issue
- From: rb97685 <rb97685@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 25 Jul 2006 12:01:03 -0700
Ok. Checked Block Inheritance, not enabled. Default Domain Policy is linked
to the domain container, at the top of the list. No deny permissions are
listed. Here are the permissions listing, looks good:
Name Allowed Permissions Inherited
* NT AUTHORITY\Authenticated Users Read (from Security Filtering) No
* NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read No
* NT AUTHORITY\SYSTEM Edit settings No
* TASTY\Domain Admins Edit settings, delete, modify security No
* TASTY\Enterprise Admins Edit settings, delete, modify security No
I did notice within Security Filtering, the only entries are listed as:
Security Filtering
The settings in this GPO can only apply to the following groups, users, and
computers:
Name
* NT AUTHORITY\Authenticated Users
* TASTY\Domain Admins
* TASTY\Enterprise Admins
Should Enterprise Domain Controllers be in the above list? Thanks for all
your help.
"Steven L Umbach" wrote:
Make sure that the default domain GPO is linked to the domain container and.
at the top of the list [assuming that is what you want], that it is enabled,
that computer configuration settings are enabled, that authenticated users
have read and apply Group Policy permissions to the GPO, and that there are
no deny permissions for that GPO.
Steve
"rb97685" <rb97685@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F2247C19-0A64-4799-BD44-5B3215F545DE@xxxxxxxxxxxxxxxx
RSoP on the domain controllers shows password policy as not defined. No
Source GPO found.
"Steven L Umbach" wrote:
Run rsop.msc on each domain controller and check the results for password
policy and the source GPO to see if they are what you expect. Keep in
mind
that if you have more than one GPO linked to the domain container the GPO
at
the top of the list takes precedence and can override what is shown in
Domain Security Policy if password policy is configured in a GPO above
the
default domain GPO in the list.
Steve
"rb97685" <rb97685@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:00FED3EB-1B1A-4670-BE3D-AD7D9FD85ABA@xxxxxxxxxxxxxxxx
We're having a problem where we have enabled password complexity
requirements
at the Default Domain policy level in our organization. Upon testing,
it
looks as if this policy is not being applied to many of our desktops.
Here's
are scenario:
* 2 Domain Controllers (Windows Server 2003)
* Primarily XP desktops
* I logged into one of our domain controllers, ran gpupdate, then
opened
up
gpedit.msc. The old, simple password policy appears cached on this
machine.
Settings are grayed out, cannot be changed from the console directly.
* From my client machine, I opened up the GPMC snap-in, connected to
both
DCs and reviewed policy settings. Both show as the new settings as
having
been applied.
* While connected via GPMC to the DC in question, I changed settings,
applied. The re-applied password complexity.
* Logged back onto DC console, checked gpedit. Old policy is still
cached.
Anybody know what is going on here, and how do I get rid of this
apparently
cached policy on this one DC? Thanks
- Follow-Ups:
- Re: Default Domain password policy issue
- From: Steven L Umbach
- Re: Default Domain password policy issue
- References:
- Re: Default Domain password policy issue
- From: Steven L Umbach
- Re: Default Domain password policy issue
- From: Steven L Umbach
- Re: Default Domain password policy issue
- Prev by Date: Re: Default Domain password policy issue
- Next by Date: Re: Default Domain password policy issue
- Previous by thread: Re: Default Domain password policy issue
- Next by thread: Re: Default Domain password policy issue
- Index(es):
Relevant Pages
|
Loading
