Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Unable to edit GPO

400 views
Skip to first unread message

TaylorGaffney

unread,
Feb 27, 2009, 3:07:37 PM2/27/09
to
I am trying to set a password policy on an OU that will override the
domain level policy. I have set up an OU with a linked GPO and when I
attempt to edit the GPO I get this error message:

Pop-Up: Security Template
Message: Windows cannot update the policies

I have been at this for hours trying to figure out why this is being
such a pain the arse.

I also, tried to edit the default domain policy and receive the same
message. Any help would be great because I am not a GP wizard by any
means.

Thanks in advance...

Florian Frommherz [MVP]

unread,
Feb 28, 2009, 5:59:00 AM2/28/09
to
Howdie!

TaylorGaffney wrote:
> I am trying to set a password policy on an OU that will override the
> domain level policy. I have set up an OU with a linked GPO and when I
> attempt to edit the GPO I get this error message:
>
> Pop-Up: Security Template
> Message: Windows cannot update the policies

Check the permissions on the SYSVOL folder and the policy folder in
"Policies" (named with the GUID of the policy you created).

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste

Bruce Sanderson

unread,
Feb 28, 2009, 3:11:29 PM2/28/09
to
Be aware that, prior to Windows Server 2008, there can only be one Account
Policy (which includes the Password Policy) in a domain and this has to be
in the Default Domain Policy. In the GPMC Help, see Security Settings,
Concepts, Security Setting Descriptions, Account Policy

"For domain accounts, there can be only one account policy. The account
policy must be defined in the Default Domain policy, and it is enforced by
the domain controllers that make up the domain. A domain controller always
obtains the account policy from the Default Domain Policy Group Policy
object (GPO), even if there is a different account policy applied to the
organizational unit that contains the domain controller. By default,
workstations and servers that are joined to a domain (such as member
computers) will also receive the same account policy for their local
accounts. However, local account policies can be different from the domain
account policy, such as when you define an account policy specifically for
the local accounts."

For how to use the "Fine-Grained Password Policies" feature that is new to
Windows Server 2008, see
http://technet.microsoft.com/en-us/library/cc770394.aspx.

--
Bruce Sanderson
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.

"TaylorGaffney" <taylor....@gmail.com> wrote in message
news:4ec540f7-6927-4492...@c11g2000yqj.googlegroups.com...

0 new messages