Weirdness in AD tied to Cert Server?
- From: "Jerry Mickman" <no-mail@xxxxxxxxxxx>
- Date: Fri, 28 Apr 2006 08:41:03 -0500
Hi All,
On a Win2003 SP1 Active Directory Forest/Tree, certificate server was
installed on the primary DC. Could certificate server not being configured
properly cause the following problems? The workstations are Windows 2000
Pro SP4.
1) Weird password policy problems. When some users (but not all) try to
change their password, they will sometimes get an error regarding the
password policy: "The password does not meet the password policy
requirements. Check password complexity." The problem is that the default
domain password policies are NOT enforced, with the exception of length,
which is 1 character. None of the policies on our network seem to have
anything to do with passwords, with the exception of the length. And there
are no local policies in effect having anything to do with passwords either.
The weird thing is that an administrator CAN set the password to anything
using ADUandC, so that's why I'm thinking this isn't a policy issue.
I ran a GPRESULT /Z on the workstation, and here are the results:
~~~~~~~
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999
Created on Friday, April 28, 2006 at 8:27:48 AM
Operating System Information:
Operating System Type: Professional
Operating System Version: 5.0.2195.Service Pack 4
Terminal Server Mode: Not supported
###############################################################
User Group Policy results for:
CN=Test User,OU=Corporate Users,OU=Corporate
Office,OU=Org,DC=Company,DC=com
Domain Name: Company
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming profile: (None)
Local profile: C:\Documents and Settings\testuser
The user is a member of the following security groups:
Company\Domain Users
\Everyone
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
\LOCAL
Company\CERTSVC_DCOM_ACCESS
###############################################################
Last time Group Policy was applied: Friday, April 28, 2006 at 8:21:34 AM
###############################################################
Computer Group Policy results for:
CN=VM-WIN2K-NW1,CN=Computers,DC=Company,DC=com
Domain Name: Company
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
The computer is a member of the following security groups:
BUILTIN\Administrators
\Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
Company\VM-WIN2K-NW1$
Company\Domain Computers
Company\CERTSVC_DCOM_ACCESS
###############################################################
Last time Group Policy was applied: Friday, April 28, 2006 at 8:19:59 AM
Group Policy was applied from: qcdom.qcholdings.com
===============================================================
The computer received "Registry" settings from these GPOs:
Local Group Policy
===============================================================
The computer received "Security" settings from these GPOs:
Local Group Policy
==============================================================
The computer received "EFS recovery" settings from these GPOs:
Local Group Policy
~~~~~~~~~~~~
2) The domain has a policy that renames the local administrator account on
workstations or servers that join the domain. Some of the servers and
workstations seem to have recently had their local administrator accounts
renamed back to "Administrator," but not all of the servers.
3) Some weird password problems, where people have been told that their
passwords have expired, even though there's no expiration date set on the
user accounts. And then, they can't change the passwords, as mentioned in
"1."
If the certificate server is causing these problems, can certificate server
be from the tree/forest?