We have just found out that the "Password must meet complexity
requirements" setting isn't working on the domain policy. After a lot of
investigation we confirmed that the SID is registered as the original
domain policy (it's been renamed), that any changes in the USER section
are being implemented, and that other changes in the COMPUTER section also
work. BTW, the domain policy is being linked at the domain level.
Any changes to Account Policies / Password Policy are not being
implemented. Enforce password history, maximum password age, minimum
password age, minimum password length and Password must meet complexity
requirements can all be changed, but it doesn't reflect on the users'
machines. I receive the old value requirements if I manually try to change
the password to 2 characters (for example) on the machine, i.e. "password
must be 6 characters" etc. instead of the 8 that I've changed it to.
Running GPO RSoP indicates that in the COMPUTER section, under
Components Status, there is a failure in Security. The error states
"Security has requested to process its policy settings again." I checked
the policy events and there is an error, Event ID 1202: "security
policies were propagated with warning 0x5: Access is denied". I'm just
wondering if this is actually referring more to the driver signature
part and has nothing to do with the password attributes.
This is a single forest, single domain running in mixed mode 2000 with
3 Domain Controllers all running Windows 2003. We used to be 2 DCs
running 2000 and 1 running 2003. All the roles etc. were running on the
2000 DCs and they were decommissioned (roles transferred) to the new
2003 DC servers. This happened a few months back and I'm not sure if
this would have played a part.
Gpresult on the machine (or machines) indicates it's being applied,
although we know that already because other settings are being changed and
reflected in tests. I double-checked other things like dcdiag / replmon
just to check all looks well there, and it does. I'm really stuck and
there could be something stupid I haven't considered. Any help would be
gratefully received. If you need any information then let me know. Here is the
winlogon.log:
Winlogon.log
Make a local copy of
\\DOMAIN\sysvol\DOMAIN\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows
NT\SecEdit\GptTmpl.inf.
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
Process GP template gpt00000.dom.
-------------------------------------------
05 November 2009 16:52:29
Administrative privileged user logged on.
Parsing template C:\WINDOWS\security\templates\policies\gpt00000.dom.
Copy undo values to the merged policy.
----Configuration engine was initialized successfully.----
----Reading Configuration Template info...
----Configure Security Policy...
Start processing undo values for 6 settings.
There is already an undo value for group policy setting
<MinimumPasswordLength>.
There is already an undo value for group policy setting
<PasswordHistorySize>.
There is already an undo value for group policy setting
<MaximumPasswordAge>.
There is already an undo value for group policy setting
<MinimumPasswordAge>.
There is already an undo value for group policy setting
<PasswordComplexity>.
There is already an undo value for group policy setting
<RequireLogonToChangePassword>.
Configure password information.
Start processing undo values for 3 settings.
There is already an undo value for group policy setting
<LockoutBadCount>.
There is already an undo value for group policy setting
<ResetLockoutCount>.
There is already an undo value for group policy setting
<LockoutDuration>.
System Access configuration was completed successfully.
There is already an undo value for group policy setting
<MaximumLogSize>.
There is already an undo value for group policy setting
<AuditLogRetentionPeriod>.
There is already an undo value for group policy setting
<RestrictGuestAccess>.
There is already an undo value for group policy setting
<MaximumLogSize>.
There is already an undo value for group policy setting
<AuditLogRetentionPeriod>.
There is already an undo value for group policy setting
<RestrictGuestAccess>.
There is already an undo value for group policy setting
<MaximumLogSize>.
There is already an undo value for group policy setting
<AuditLogRetentionPeriod>.
There is already an undo value for group policy setting
<RestrictGuestAccess>.
Configure log settings.
Start processing undo values for 4 settings.
There is already an undo value for group policy setting
<AuditSystemEvents>.
There is already an undo value for group policy setting
<AuditLogonEvents>.
There is already an undo value for group policy setting
<AuditPolicyChange>.
There is already an undo value for group policy setting
<AuditAccountLogon>.
Audit/Log configuration was completed successfully.
Configure machine\software\microsoft\driver signing\policy.
Warning 5: Access is denied.
Error configuring machine\software\microsoft\driver signing.
Configure machine\software\microsoft\non-driver signing\policy.
There is already an undo value for group policy setting
<machine\software\microsoft\non-driver signing\policy>.
Configure machine\software\microsoft\windows
nt\currentversion\winlogon\passwordexpirywarning.
There is already an undo value for group policy setting
<machine\software\microsoft\windows
nt\currentversion\winlogon\passwordexpirywarning>.
Configure machine\software\microsoft\windows\currentversion\
policies\system\disablecad.
There is already an undo value for group policy setting
<machine\software\microsoft\windows\currentversion
\policies\system\disablecad>.
Configure machine\software\microsoft\windows\currentversion\
policies\system\dontdisplaylastusername.
There is already an undo value for group policy setting
<machine\software\microsoft\windows\currentversion
\policies\system\dontdisplaylastusername>.
Configure machine\software\microsoft\windows\currentversion\
policies\system\shutdownwithoutlogon.
There is already an undo value for group policy setting
<machine\software\microsoft\windows\currentversion
\policies\system\shutdownwithoutlogon>.
Configure machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers.
There is already an undo value for group policy setting
<machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers>.
Configure machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown.
There is already an undo value for group policy setting
<machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown>.
Configuration of Registry Values was completed with one or more
errors.
----Configure available attachment engines...
Configuration of attachment engines was completed successfully.
----Un-initialize configuration engine...
this is the last GPO.
--
Loopz
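As an added example (not part of the thread or of any Microsoft tool), here is a small Python parser for the SceCli winlogon.log format quoted above. It re-joins entries that the log wraps across lines, then reports which setting was being configured when a Warning/Error appeared, which settings already had undo values, and which engine sections completed. Run on a constructed excerpt it isolates the driver-signing failure while the password settings in the System Access section complete cleanly, which is the distinction the poster is trying to make.

```python
import re
from collections import Counter
# Constructed excerpt in the SceCli winlogon.log format quoted above (not the poster's full log)
SAMPLE_LOG = r"""
----Configure Security Policy...
There is already an undo value for group policy setting
<MinimumPasswordLength>.
Configure password information.
System Access configuration was completed successfully.
Configure machine\software\microsoft\driver signing\policy.
Warning 5: Access is denied.
Error configuring machine\software\microsoft\driver signing.
Configure machine\software\microsoft\windows
nt\currentversion\winlogon\passwordexpirywarning.
There is already an undo value for group policy setting
<machine\software\microsoft\windows
nt\currentversion\winlogon\passwordexpirywarning>.
Configuration of Registry Values was completed with one or more errors.
"""
CONFIGURE = re.compile(r"^Configure (.+)\.$")
FAIL = re.compile(r"^(?:Warning (\d+): (.+)|Error configuring (.+))\.$")
UNDO = re.compile(r"^There is already an undo value for group policy setting <(.+)>\.$")
SECTION = re.compile(r"^(?:Configuration of (.+?)|(.+?) configuration) was completed "
                     r"(successfully|with one or more errors)\.$")

def join_wrapped(text):
    """Re-join wrapped entries: a line not ending in '.' continues on the next line."""
    lines = []
    for line in (raw.strip() for raw in text.strip().splitlines()):
        if lines and not lines[-1].endswith("."):  # long registry path or <setting> name
            lines[-1] += " " + line
        else:
            lines.append(line)
    return lines

def parse_winlogon(text):
    """Return (failures, undo, sections): failures maps the setting being configured when a
    Warning/Error appeared to (win32 code, message); undo counts settings that already had
    an undo value; sections maps each engine section name to True if it completed cleanly."""
    failures, undo, sections, current = {}, Counter(), {}, None
    for line in join_wrapped(text):
        if m := CONFIGURE.match(line):
            current = m.group(1)
        elif (m := FAIL.match(line)) and current:
            code, msg, path = m.groups()  # the first Warning wins; a later Error line is kept as-is
            failures.setdefault(current, (int(code) if code else None, msg or "error configuring " + path))
        elif m := UNDO.match(line):
            undo[m.group(1)] += 1
        elif m := SECTION.match(line):
            sections[m.group(1) or m.group(2)] = m.group(3) == "successfully"
    return failures, undo, sections
```

Point it at a real winlogon.log with `parse_winlogon(open(path).read())`; any entry in `failures` with code 5 is the "Access is denied" case behind the Event ID 1202 warning 0x5 in the thread.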
Basically for a password policy to work, the domain needs to be in at least
Native mode. For more info, please read the following.
Event ID 1000 and event ID 1202 are logged to the event log every five
minutes in Windows 2000 Server
http://support.microsoft.com/kb/319352
If it still doesn't work after changing it to Native mode, then it appears
there may have been a security policy placed (either through Security and
Analysis, or a template was imported to the domain policy), or some other
method was used to alter or create policies. Read the following, if this is
the case.
Group Policy Is Not Applied and You Receive No Error Message
http://support.microsoft.com/kb/310741
Read the following for more possibilities if the above are not helpful.
http://eventid.net/display.asp?eventid=1202&eventno=348&source=SceCli&phase=1
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.
Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
I know I can write off this issue
http://support.microsoft.com/kb/310741 as I had already opened up
Gptxxxxx.inf and/or Gptxxxxx.dom on one machine to confirm the settings
are being replicated there.
Again, thanks for your reply on this.
As you can see the issues described in the articles posted by Ace in
your domain, I would follow the steps as described to resolve them.
Also, if you don't have any earlier-OS DCs, you should also raise, AFTER changing
to mixed mode and checking that all errors are gone, the next level to Windows
Server 2003 levels.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> Ace - I appreciate your time to answer my query. I just wanted to
> check with you one thing though. We have just Server 2003 DCs
> now... there are no 2000 DCs anymore. Do you think the password part
> of the issue is related to the domain mode we are in? I don't recall
> reading any documentation or white papers to say that password policies
> won't work unless we are above mixed mode - is it online? Very
> annoying if that is the reason why it is not working.
>
> I know I can write off this issue
> http://support.microsoft.com/kb/310741 as I had already opened up
> Gptxxxxx.inf and/or Gptxxxxx.dom on one machine to confirm the
> settings are being replicated there.
>
> Again, thanks for your reply on this.
>
Absolutely. Read Meinolf's response. If you no longer have any NT4 BDCs,
raise the levels.
> I don't recall reading any
> documentation or white papers to say that password policies won't work
> unless we are above mixed mode - is it online? Very annoying if that is
> the reason why it is not working.
The articles I posted are online and indicate this. It is indicated in one
of the AD design or migration cookbooks. I would have to dig it up, but the
tech article I posted should be taken as authentic from Microsoft indicating
this is the problem.
>
> I know I can write off this issue
> http://support.microsoft.com/kb/310741 as I had already opened up
> Gptxxxxx.inf and/or Gptxxxxx.dom on one machine to confirm the settings
> are being replicated there.
>
> Again, thanks for your reply on this.
You are welcome.
Ace
Bad news though. We are now in Native mode and we still can't apply
password security settings. The GPTxxxxx.dom has the settings on one of
the test machines I am using, so I know they are being copied to the
machine... just not applied.
I could work to take the mode to W2K3 but I have doubts this will make
a difference.
One of the links sounds very legit, but in order to find out what
document M284461 says I will need to subscribe! Here is the
explanation... anyone have any idea what M284461 states please?
Error code 0x5 (decimal 5) - Access is denied. This issue occurs
because of the locked-down security that was originally set on the FRS
through Group Policy. When you attempt to configure the FRS through
Group Policy, the policy engine no longer has the permission to set
security on the FRS and does not attempt to take ownership of the FRS.
See M284461 for resolution.
Actually you don't have to subscribe. Just like Techarena, you don't have to
subscribe.
For the M numbers in eventid.net, they are simply pointers to Microsoft KB
articles. Remove the M, and place the number as such in the following link
to get the KB:
Event ID 1000 and Event ID 1202 Messages Are Reported When You Set Security
on the File Replication Service by Using Group Policy
http://support.microsoft.com/kb/284461
As for Techarena, they pull and push posts from the free Microsoft public
newsgroups. This newsgroup is actually called
"microsoft.public.windows.server.active_directory." You can use Windows Mail
or Outlook Express, configure a News account, point it to
news.microsoft.com, go through the 2200 newsgroups and pick
microsoft.public.windows.server.active_directory (in alphabetical order),
and away you go! Lots more features than Techarena, and you can remain
anonymous.
Ace
Thanks Ace, that's useful to know.
Alas, that link is geared towards 2000 and is not resolving my issues.
It's quite weird that I no longer have any access error messages on any
new machines I test, but again no password policy is applying.
Should I recreate/restore the domain policy and start afresh?
Just to make sure DNS configuration and other factors are correct, please
post an ipconfig /all from one of the DCs and one of the client machines.
Ace
JUST TO MAKE SURE DNS CONFIGURATION AND OTHER FACTORS ARE CORRECT,
PLEASE
POST AN IPCONFIG /ALL FROM ONE OF THE DCS AND ONE OF THE CLIENT
MACHINES
I'm guessing the forum messed up there and this is a reply from
someone. So here is the information below:
Windows IP Configuration - Domain Controller
Host Name . . . . . . . . . . . . : SERVER
Primary Dns Suffix . . . . . . . : xxxx.xxxx.xxxx
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : xxxx.xxxx.xxxx
xxxx.xxxx
Ethernet adapter Redditch Static:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II
GigE (NDIS VBD Client)
Physical Address. . . . . . . . . : 00-22-19-92-82-E5
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.100.2.223
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.100.2.1
DNS Servers . . . . . . . . . . . : 10.100.2.223
10.100.2.247
Windows IP Configuration - Client
Host Name . . . . . . . . . . . . : Client
Primary Dns Suffix . . . . . . . : xxxx.xxxx.xxxx
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : xxxx.xxxx.xxxx
xxxx.xxxx.xxxx
xxxxx.xxxxx
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : xxxx.xxxx.xxxx
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx
Gigabit Controller
Physical Address. . . . . . . . . : 00-1C-23-4F-30-B1
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.100.4.234
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.100.4.1
DHCP Server . . . . . . . . . . . : 10.100.2.247
DNS Servers . . . . . . . . . . . : 10.100.2.223
10.100.2.247
Lease Obtained. . . . . . . . . . : 11 November 2009 08:27:04
Lease Expires . . . . . . . . . . : 12 November 2009 08:27:04
Ethernet adapter Wireless Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Intel(R) PRO/Wireless
3945ABG Network Connection
Physical Address. . . . . . . . . : 00-1F-3C-59-74-B5
What do you think about recreating the domain policy from fresh?
The ipconfigs look fine, as long as the Primary DNS Suffix matches the
domain name and the zone name in DNS. Thanks for posting them.
Yes, at this point, it may be prudent to do that. Make sure you have a
system state backup before proceeding. Do you have the links to show you how
to recreate the GPO?
Here are some links that may also be helpful to troubleshoot GPOs.
Fixing Group Policy problems by using log files
http://technet.microsoft.com/en-us/library/cc775423.aspx
Enable Logging for Group Policy Object Editor Client Side Extensions
http://technet.microsoft.com/en-us/library/cc759167.aspx
Troubleshooting Group Policy application problems
http://support.microsoft.com/kb/250842
Enable Verbose Global Policy Logging
http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/Miscellaneous/EnableVerboseGlobalPolicyLogging.html
JSI Tip 3100. How do enable Group Policy debug logging on a Windows 2000
Server?
http://windowsitpro.com/article/articleid/74419/jsi-tip-3100-how-do-enable-group-policy-debug-logging-on-a-windows-2000-server.html
Logging User logon event.
If you want to keep track the user logon and logoff event to the domain,
http://msmvps.com/blogs/richardwu/archive/2007/05/29/logging-user-logon-event.aspx
Ace