Account Policies do not appear to apply

[Biff]

I have a domain consisting of about 150 workstations with an active
dirctory structure that includes both a win2k server and a win2003
server. I recently started applying group policies. To make the changes
I have been going to my Active Directory user and computers tool and
right clicking on the domain. I then go to the group policy tab and
edit the "default domain policy".

Machine/computer policies such as logon message and logon title appear
to work fine and User configuration changes for I.E. appear to apply
as well. However, machine policies such as password length, password
max age, and account revocation do not seem to work. I say they are not
applying because I have done things such as making invalid logon
attempts and forcing a password change and I have not been challenged
by any policy.

My goal is to control user password changes and user access to the
domain with a policy. However, it dawned on me last evening that what I
might actually be doing with my policy is setting those controls for
each of my 150 local machines rather than at the domain level. Could
that be the case? Am I looking at the use of these policies
incorrectly? Any advice would be greatly appreciated.

I apologize if I rambled, this is my first post.

 

[Biff]

Additional information. I downloaded GPMC to my 2003 server. It shows
me that my policy is being applied to a test winxp pro workstation. I
have verified that my password length, history and account lockout are
indeed working for the local accounts, but it is clearly not being
applied to domain accounts. Again, I am stumped.

 

[Guest]

In AD Users and Computers, Right Click your Domain Name, Click Properties,
click the Group Policy Tab, Highlight the "Default Domain Policy" then click
the edit button.
Go To > Computer Configuration>Windows Settings>Security Settings>Account
Policies>Password Policy. In the right pane you'll have 6 choices. Make sure
you understand what each one does and what you are setting. Once those are
set it will effect the password policy for your entire domain.

Note: Although you can set this same policy at the OU level Password
Policies are only effective at the domain level. Local, UO or Site Policies
will not change the Default Domain Policy when it comes to password policies.

Hope that helps.

 

[Biff]

Michael,
Thanks for the reply
I verified and followed your steps with the following exception. The
only GPO I can find and access on my system with the word "domain" in
it is "default domain NEW policy". I cannot locate any gpo called
"default domain policy". Is the "default domain policy" treated
differently when processed?

Biff

 

[lforbes]

Michael,
Thanks for the reply
I verified and followed your steps with the following
exception. The
only GPO I can find and access on my system with the word
"domain" in
it is "default domain NEW policy". I cannot locate any gpo
called
"default domain policy". Is the "default domain policy"
treated
differently when processed?

Biff

Hi,

It sounds like someone may have deleted your Default Domain Policy? Is
this the case? If it is then that is a Big No No. The Default Domain
Policy and the Default Domain Controllers Policy have unique GUIDS
that identify them. In fact the GUID’s are identical on each
installation of Windows 2000 Domain.

The Default Domain Policy and the Default Domain Controllers Policy
are identified by these GUIDs. They contain a lot of necessary default
settings that are required by the domain.

The Default Domain Policy GUID (located in
C:\windows\sysvol\sysvol\domain.name\policies) is
{31B2F340-016D-11D2-945F-00C04FB984F9}

The Default Domain Controllers GUID is
{6AC1786C-016F-11D2-945F-00C04fB984F9}

Check and see if these GUID’s exist on your DC in your
C:\windows\sysvol\sysvol\domain.name\policies folder. If not
then you may have to recreate them by installing a separate new W2k/03
Domain and copying the folders over.

If the Do exist Right Click the Domain - Go to Group Policy tab and
click "add". Click the "All" tab and see if the Default Domain
Policy is there.

Good Luck

Cheers,

Lara

 

[Guest]

I'm in total agreement with Lara. Yes it is handeled differently. As
mentioned in my privious post the only policy that is alowed to control
Passwords is the Default Domain Policy. Even though you find the settings in
any policy they are only applied to teh entire domain. If it's been deleted
and replaced by someone you need to find a way to recreate it properly. Not
sure how to do that but I'm sure MS has a fix for that, i doubt your the only
one.

Hope that helps.

 

[Biff]

My thanks to both you and lara for replying.

I believe we are all on track with this. Now the difficult task is
figuring out how to fix it!
I have found a program from microsoft called dcgpofix. It is supposed
to restore both the "default domain policy" and
the default "domain controllers policy" to their clean install state.
however, I'm a little squeemish about using it without a little more
research even though It should not effect my current policies.

Thanks again!
Biff

 

[lforbes]

Hi,

I actually had to restore all my SYSVOL when a drive got corrupted and
then replicated. I lost all my SYSVOL GUID Policy Folders. Basically
what I did was got a copy of the actual GUID folders from another
Domain and put it back into my SYSVOL. The trick was creating the name
in Group Policy to match the GUID and then going through the Local
Security Policies - User Rights Assignment in the Domain Controllers
to make sure the accounts were correct.

Have you checked to see if the GUID folders still exist?

I found this info on the tool.