On domain controllers, it has not changed the net accounts setting
from Unlimited. I can manually set the net accounts using /maxpwage,
and that command is effective in expiring passwords. I have run
gpupdate /force on all domain controllers, validated FRS, and run
gpresult /v to see what policies are being applied. Here are the
redacted results of that command:

Applied Group Policy Objects
-----------------------------
    Domain Password Policy
    Default Domain Controllers Policy
    Default Domain Policy
    AutoEnrollment

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
    Local Group Policy
        Filtering:  Not Applied (Empty)

Account Policies
----------------
    GPO: Default Domain Policy
        Policy:            MaxServiceAge
        Computer Setting:  600

    GPO: Default Domain Policy
        Policy:            MaxTicketAge
        Computer Setting:  10

    GPO: Default Domain Policy
        Policy:            MaxClockSkew
        Computer Setting:  5

    GPO: Default Domain Policy
        Policy:            MaxRenewAge
        Computer Setting:  7

As you can tell, the "Domain Password Policy" is being applied, but
none of the account policies are being set. I have already attempted
to set the policy to "enforced" to prevent block inheritance, but that
did not change the gpresult output. Reverting back to the Default
Domain Policy was not effective either.
What could be preventing the GPO from being effective?
Hi,
The only place that the password policy can be placed for domain
accounts is in the default domain policy linked at the domain or any
other policy with the HIGHEST priority.
Verify that this new policy has the highest priority at the domain
level and verify that it first replicates and of course applies to the
domain controllers.
As you can see from net accounts, it is still getting information from
the default domain policy.
Good luck
Harj Singh
Password Policy done right
www.specopssoft.com
If your default Domain Controllers group policy is blocking policy
inheritance, then it would never get the changes for the password policy.
I hope this helps,
I moved the policy to the #1 priority level, and it did not change the
account policy on the domain controller. I have validated the GPO has
replicated to all domain controllers using the gpotool command.
>>If your default Domain Controllers group policy is blocking policy inheritance, then it would never get the changes for the password policy.
Would not the "enforced" check override any block inheritance?
The rsop.msc shows the Default Domain Policy still setting those
entries even after ensuring that policy is configured with account
password policies as "not defined."
Darren
--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Scripting Group Policy Settings with the GPExpert Scripting Toolkit for
PowerShell!
Find out more at http://www.sdmsoftware.com/products2.php
Visit the GPOGUY: http://www.gpoguy.com -- The Windows Group Policy
Information Hub:
FAQs, Training Videos, Whitepapers and Utilities for all things Group
Policy-related
Friendly name: Default Domain Policy
Created: 3/25/2006 8:26:43 AM
Changed: 7/26/2007 10:28:14 PM
DS version: 3(user) 113(machine)
Sysvol version: 3(user) 81(machine)
Other GPOs have replicated in the meantime and are not similarly
"stuck." I believe even though the PDC Emulator reports the correct
machine version (113 in both DS and Sysvol) of the GPO, the
disagreement is causing version 81 to stay effective. I have tried
changing the GPO and forcing a new replication without success. What
is the best way to update this other DC if FRS refuses to update it?
On the problem server, point TCP to your PDC emulator for DNS.
Flush\Register DNS
Open Active Directory Sites and Services
Find the problem Server
Under the problem Server-highlight NTDS Settings
On its Automatic or Manual connection object, right-click and tell it to
replicate now.
If this works, depending on the FRS errors that you have, restart the FRS
and DFS services, and see if GP will update through Replication.
If that still doesn't work, we'll look at the errors and see which is the
best way to proceed.
I checked the version of the gpt.ini in the problem DC, and it still
reported the old version.
But frankly I don't think this is the cause of your account policy issues.
Did you check the value on the Domain NC head for maxpwdage?
Darren
I re-ran RSOP for the password policy on the PDC-E, and it is still
showing the old values for the Default Domain Policy. If I run RSOP
on the problem controller in the same site, it reports no GPO as being
defined. I checked two other domain controllers, and they reported no
GPO as being defined. I ran RSOP against a member server and a
workstation, and it shows the correct values for the Default Domain
Policy. I checked again for any Block Inheritance on the Domain
Controllers OU, and there was none. It still appears as if there is GPO
weirdness happening with the PDC-Emulator.
Thank you for your help.
Kent
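
The DS-versus-Sysvol version comparison from the gpotool output and the maxPwdAge check on the domain NC head suggested earlier in the thread, as one added PowerShell example (not posted by anyone in the thread). It assumes the ActiveDirectory module is installed, uses the well-known GUID of the Default Domain Policy, and assumes the standard per-DC SYSVOL share layout.

```powershell
# Added example: compare the Default Domain Policy version in AD (DS) and in
# SYSVOL on every DC, and read maxPwdAge from the domain NC head on each one.
# Assumes the ActiveDirectory module (RSAT) and read access to each SYSVOL share.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$gpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'   # well-known Default Domain Policy GUID
$gpoDn   = "CN=$gpoGuid,CN=Policies,CN=System,$($domain.DistinguishedName)"

function Split-GpoVersion([int]$Version) {
    # versionNumber: user version in the high 16 bits, machine version in the low 16
    '{0}(user) {1}(machine)' -f ($Version -shr 16), ($Version -band 0xFFFF)
}

function Convert-MaxPwdAge([long]$Ticks) {
    # Stored as negative 100 ns intervals; 0 or Int64.MinValue means passwords never expire
    if ($Ticks -eq 0 -or $Ticks -eq [long]::MinValue) { return 'Unlimited' }
    '{0} days' -f [math]::Round([TimeSpan]::FromTicks(-$Ticks).TotalDays)
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    try {
        $gpo  = Get-ADObject -Identity $gpoDn -Server $name -Properties versionNumber -ErrorAction Stop
        $head = Get-ADObject -Identity $domain.DistinguishedName -Server $name -Properties maxPwdAge -ErrorAction Stop
        # Read GPT.INI from this DC's own SYSVOL share, not the DFS domain path
        $ini  = "\\$name\SYSVOL\$($domain.DNSRoot)\Policies\$gpoGuid\GPT.INI"
        $hit  = Select-String -Path $ini -Pattern '^\s*Version\s*=\s*(\d+)' -ErrorAction Stop |
                Select-Object -First 1
        $sysvol = [int]$hit.Matches[0].Groups[1].Value
        [pscustomobject]@{
            DC        = $name
            PDCe      = ($name -eq $domain.PDCEmulator)
            DS        = Split-GpoVersion $gpo.versionNumber
            Sysvol    = Split-GpoVersion $sysvol
            InSync    = ($gpo.versionNumber -eq $sysvol)
            MaxPwdAge = Convert-MaxPwdAge $head.maxPwdAge
        }
    } catch {
        # Unreachable DC or unreadable GPT.INI: report it rather than skip it
        [pscustomobject]@{ DC = $name; PDCe = $null; DS = 'error'; Sysvol = 'error'
                           InSync = $false; MaxPwdAge = $_.Exception.Message }
    }
}
$report | Format-Table -AutoSize
```

A row with InSync = False is a DC whose directory and SYSVOL copies of the GPO disagree, as in the gpotool output above; differing MaxPwdAge values between rows mean the domain head itself has not converged.
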
I have stopped the AV scanning the Sysvol container. Clients were
consistently connected to the gpt.ini. Is there a negative to
InstallOverride frsflag for a Sysvol container?
On Jul 27, 10:58 am, "Darren Mar-Elia" <dmanonym...@microsoft.com>
wrote:
> You don't have anti-virus running against these SYSVOL folders on your DCs,
> do you? Also, check out this article: http://support.microsoft.com/kb/822300/en-us
>
> But frankly I don't think this is the cause of your account policy issues.
> Did you check the value on the Domain NC head for maxpwdage?
>
> Darren
Thanks for your help.