Hi Jacky,
Specifically, only account policies apply at the domain level. By default
those are configured in the Default Domain Policy. All other policies should
be configurable from any container location.
--
Eric Burke [MSFT]
Microsoft Directory Services
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
"Jacky Ho" <(E-Mail Removed)> wrote in message
news:eF$(E-Mail Removed)...
> Thanks !
> I can update the account lockout policy now.
> Do any other policies also only apply when changes are made to a specific policy?
>
> Jacky
>
> "Curtis Clay III [MSFT]" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > You will need to change your password and any other security policy at the
> > Domain level not the Domain controller level. Security policy only applies
> > at the domain level.
> > "Jacky Ho" <(E-Mail Removed)> wrote in message
> > news:%(E-Mail Removed)...
> > > I've a default domain controller group policy.
> > > This policy is applied to the DC.
> > > However, I found that the account policies settings under Windows Settings in
> > > Computer Configuration are not updated on the DC
> > > after I change those settings in the default domain controller group policy.
> > > I tried changing the max. size of the application log and then used the command
> > > "secedit /refreshpolicy machine_policy /enforce".
> > > The change to the application log is updated.
> > > And I used gpresult and found that the DC now only has this group policy
> > > applied, and only for security settings.
> > >
> > > The following are the details of the group policy and effective settings:
> > >
> > > Setting                                             Default DC policy   Effective settings
> > >
> > > Password Policy:
> > > Enforce password history                            24                  24
> > > Max. password age                                   70 days             70 days
> > > Min. password age                                   2 days              2 days
> > > Min. password length                                8                   8
> > > Passwords must meet complexity                      Enabled             Enabled
> > >
> > > Account Lockout Policy:
> > > Account lockout duration                            Not defined         0
> > > Account lockout threshold                           0 invalid           3 invalid
> > > Reset account lockout counter after                 Not defined         90 minutes
> > >
> > > Kerberos Policy:
> > > Enforce user logon restrictions                     Not defined         Disabled
> > > Max. lifetime for service ticket                    Not defined         600 mins.
> > > Max. lifetime for user ticket                       Not defined         10 hours
> > > Max. lifetime for user ticket                       Not defined         7 days
> > > Max. tolerance for computer clock synchronization   Not defined         5 mins.
> > >
> > > I also tried changing all settings in the account lockout policy to some
> > > values, not "Not defined",
> > > and then ran secedit to update the policy, but the effective settings still
> > > do not change.
> > >
> > > Please Help.
> > >
> > > Jacky
> > >
> > >
> >
> >
>
>
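
An added example, not part of the original thread: a check that reads a GPO's security template and separates the account policy settings (password, lockout, Kerberos) from the rest, so settings that will not become the domain account policy because the GPO is not linked at the domain level can be spotted before troubleshooting with gpresult. It assumes the GPO's GptTmpl.inf has been read into a string; the function name, the sample template and its log size value are constructed for illustration.

```python
import configparser

# Account policy keys in a GPO security template (GptTmpl.inf), by section.
ACCOUNT_POLICY_KEYS = {
    "System Access": {
        "MinimumPasswordAge", "MaximumPasswordAge", "MinimumPasswordLength",
        "PasswordComplexity", "PasswordHistorySize", "ClearTextPassword",
        "LockoutBadCount", "ResetLockoutCount", "LockoutDuration",
    },
    "Kerberos Policy": {
        "MaxTicketAge", "MaxRenewAge", "MaxServiceAge", "MaxClockSkew",
        "TicketValidateClient",
    },
}

# Constructed sample: template of a GPO linked to the Domain Controllers OU,
# mirroring the "Default DC policy" column in the post. Log size is made up.
SAMPLE_DC_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
PasswordHistorySize = 24
MaximumPasswordAge = 70
MinimumPasswordAge = 2
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 0
[Application Log]
MaximumLogSize = 16384
[Version]
signature="$CHICAGO$"
Revision=1
"""

def split_settings(inf_text, linked_at_domain_root):
    """Return (applied, ignored) dicts keyed by (section, key).

    'ignored' holds account policy settings defined in a GPO that is not
    linked at the domain level, so they do not affect domain accounts.
    """
    parser = configparser.RawConfigParser(delimiters=("=",), strict=False)
    parser.optionxform = str  # keep the template's key casing
    parser.read_string(inf_text)
    applied, ignored = {}, {}
    for section in parser.sections():
        if section in ("Unicode", "Version"):  # file metadata, not settings
            continue
        for key, value in parser.items(section):
            is_account = key in ACCOUNT_POLICY_KEYS.get(section, ())
            target = ignored if is_account and not linked_at_domain_root else applied
            target[(section, key)] = value
    return applied, ignored
```

Templates stored in SYSVOL are typically UTF-16 encoded, so decode the file accordingly before passing its text to the function.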