Please help GPO's - MVP's

Guest

Network is Win2000 advanced servers.

I have a domain with 12 servers. I configured the security section of
default domain security policy but these settings are not showing on the
member servers when I look at the local policy and look at the effective
settings.
I have even configured local policies using 'security and configuration
analysis' and defined Password policies, account policies, user rights and
assignments and security options. All these are fine and work except the
security options which still show default settings.
Anyone know why my configured security options are not showing? Also
I have configured the warning message on the default domain policy to
display a warning message. This is displayed OK on the domain controllers but
does not display on the member servers... anyone know why?

Please help
 
Herb Martin

davran said:
Network is Win2000 advanced servers.

I have a domain with 12 servers. I configured the security section of
default domain security policy but these settings are not showing on the
member servers when I look at the local policy and look at the effective
settings.

First it is generally a bad idea to modify the default domain
policy (at least initially) but rather it is preferred to add an
additional policy so that you may distinguish your own changes
from the MS provided defaults -- and differentially disable them
if that ever becomes necessary.

I have even configured local policies using 'security and configuration
analysis' and defined Password policies, account policies, user rights and
assignments and security options. All these are fine and work except the
security options which still show default settings.

Local policies for "Security Account Policies" (including Password)
are only going to affect Local Account logon (not domain accounts).

Domain "Security Account Policies" can only be effectively Linked
at the DOMAIN level but you seem to have done that by changing the
Default Domain Policy.

Anyone know why my configured security options are not showing? Also

Several possibilities are obvious for your first checks:

1) The GPO that was edited didn't replicate to the other (authenticating) DCs
2) The machines are not members of the domain
3) The machines are members but not authenticating properly or failing
to retrieve the GPO from the DC.
4) It isn't really domain linked (e.g., using Def. DC policy by mistake)
5) A later policy (on the domain in this case) is overriding
6) Permission problems -- user/computer must have Read & Apply_Policy

#5 and #6 are unlikely to happen by accident but are included for
completeness. #1 and #3 are usually DNS problems. #2 is trivial
to check as is #4.

I have configured the warning message on the default domain policy to
display a warning message. This is displayed OK on the domain controllers but
does not display on the member servers... anyone know why?

Perhaps you used the "Default Domain CONTROLLER policy" for
these?

Since it appears to be affecting the DCs but not the domain wide
machine and user logons...this seems a strong possibility and is
quick to (double) check.

You might also run DCDiag to confirm your DC/DNS setup and
ensure replication.
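
The first checks from the reply above, collected into a batch file to run on an affected member server (an added example, not part of the original thread). It assumes the Windows 2000 Support Tools and the Resource Kit gpresult are installed; EXAMPLE.LOCAL is a placeholder for the domain's DNS name.

```bat
@echo off
rem Added example, not from the thread. Numbers refer to the checklist above.
rem Assumes Windows 2000 Support Tools (nltest, netdiag, dcdiag, repadmin)
rem and the Resource Kit gpresult are on the PATH.
rem EXAMPLE.LOCAL is a placeholder; substitute the domain's DNS name.
set DOMAIN=EXAMPLE.LOCAL
if /i "%1"=="dc" goto dc

echo === #2 Is this machine a member of the domain? ===
net config workstation | find /i "domain"

echo === #1, #3 Can DNS locate a domain controller? ===
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN%
nltest /dsgetdc:%DOMAIN%

echo === #3 Secure channel to the DC and general network health ===
nltest /sc_query:%DOMAIN%
netdiag /q

echo === #4, #5, #6 Which GPOs did the computer actually receive? ===
rem A GPO missing from this list points at linking, precedence or permissions.
gpresult /v /c

echo === Re-apply computer policy, then re-check the effective settings ===
secedit /refreshpolicy machine_policy /enforce
goto end

:dc
echo === #1 DC health and replication (run with the argument "dc" on a DC) ===
dcdiag /test:replications
repadmin /showreps

:end
```

After the refresh, policy processing errors on the member server appear in the Application event log under the Userenv and SceCli sources.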
 
