Re: Default Domain password policy issue



Per Darren's advice, are there any scecli errors/warnings in the application
log or errors/warnings in the other logs that may be related on the domain
controllers?

The domain controllers are members of authenticated users. Try running the
support tool gpresult on the domain controllers to see what the results show
for applied Group Policy objects for computer settings. I would also run
the support tool netdiag on the domain controllers to see if any problems
are found for DNS, etc., and the Resource Kit tool gpotool, looking for Group
Policy replication/version problems.

Steve


"rb97685" <rb97685@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5D987094-C7BE-4980-8B1B-8C04D7F464BF@xxxxxxxxxxxxxxxx
Ok. Checked Block Inheritance, not enabled. Default Domain Policy is linked
to the domain container, at the top of the list. No deny permissions are
listed. Here is the permissions listing, looks good:

Name                                          Allowed Permissions                     Inherited
* NT AUTHORITY\Authenticated Users            Read (from Security Filtering)          No
* NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS  Read                                    No
* NT AUTHORITY\SYSTEM                         Edit settings                           No
* TASTY\Domain Admins                         Edit settings, delete, modify security  No
* TASTY\Enterprise Admins                     Edit settings, delete, modify security  No

I did notice within Security Filtering, the only entries are listed as:

Security Filtering
The settings in this GPO can only apply to the following groups, users, and
computers:
Name
* NT AUTHORITY\Authenticated Users
* TASTY\Domain Admins
* TASTY\Enterprise Admins

Should Enterprise Domain Controllers be in the above list? Thanks for all
your help.

"Steven L Umbach" wrote:

Make sure that the default domain GPO is linked to the domain container and
at the top of the list [assuming that is what you want], that it is enabled,
that computer configuration settings are enabled, that authenticated users
have read and apply Group Policy permissions to the GPO, and that there are
no deny permissions for that GPO.

Steve


"rb97685" <rb97685@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F2247C19-0A64-4799-BD44-5B3215F545DE@xxxxxxxxxxxxxxxx
RSoP on the domain controllers shows password policy as not defined. No
Source GPO found.

"Steven L Umbach" wrote:

Run rsop.msc on each domain controller and check the results for password
policy and the source GPO to see if they are what you expect. Keep in mind
that if you have more than one GPO linked to the domain container the GPO at
the top of the list takes precedence and can override what is shown in
Domain Security Policy if password policy is configured in a GPO above the
default domain GPO in the list.

Steve


"rb97685" <rb97685@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:00FED3EB-1B1A-4670-BE3D-AD7D9FD85ABA@xxxxxxxxxxxxxxxx
We're having a problem where we have enabled password complexity
requirements at the Default Domain policy level in our organization. Upon
testing, it looks as if this policy is not being applied to many of our
desktops. Here's our scenario:

* 2 Domain Controllers (Windows Server 2003)
* Primarily XP desktops

* I logged into one of our domain controllers, ran gpupdate, then opened up
gpedit.msc. The old, simple password policy appears cached on this machine.
Settings are grayed out, cannot be changed from the console directly.
* From my client machine, I opened up the GPMC snap-in, connected to both
DCs and reviewed policy settings. Both show the new settings as having
been applied.
* While connected via GPMC to the DC in question, I changed settings,
applied. Then re-applied password complexity.
* Logged back onto DC console, checked gpedit. Old policy is still cached.

Anybody know what is going on here, and how do I get rid of this apparently
cached policy on this one DC? Thanks







