DC GPO - password policies not enforced

Jeremy Sun

In the Domain DC GPO, I have changed some file system security and suddenly
the password policies failed.

The password policy settings are still in the GPO file. I can read the
settings from AD Users and Computers. However, when I log onto a DC and
check the local security settings, it says "not defined" for the password
policies. All other policies are in effect and there is no error in the
event log.

When I look into the winlogon.log, all the errors I can find are the

error 0 to send control flag 1 over to server
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND

and a file fail file system security items which is quite normal.

Any idea?

Any solution?

Thanks in advance.
 
Brian Desmond [MVP]

Is the password policy defined in the default domain policy? If not, it must
be defined there.

What did you change that prompted this?

--
Brian Desmond
Windows Server MVP
(e-mail address removed)12.il.us

Http://www.briandesmond.com
 
Jeremy Sun

Brian Desmond said:
Is the password policy defined in the default domain policy? If not, it must
be defined there.

It was defined. It is defined. In fact, most if not all items in the default
domain controller policy - machine are defined.

All policies including security, auditing, file system, registry, etc
reflect on the domain controller on the next update.

When I start the "local security setting" on one of the DCs it said those
settings are effective.

However, the password policy is marked "NOT defined" on the local although they
are defined in the policy.

In fact, not even the local policy on the DC is effective.

So I have something like this:

Local defined password age: 42 days
Policy defined password age: 90 days
Effective password age: not defined.

What did you change that prompted this?

1) I have added a new DC to the domain
2) The DC did not take in the DC policies so I went through the DC policies
3) I removed some duplicated entries in the file system section
4) I removed all "Everyone" security rights from the remaining entries in the
file system section
5) I removed all "Server Operator" security rights from the remaining entries in
the file system section
6) The new DC was still not working, so I debugged the winlogon and found that
it missed the %sysvol% variable
7) The new DC is finally taking in the DC policies, but I found that the
password policies are not working
8) I found that the password policies are not working on other DCs as well
9) I am very sure that the password policies were working the week before
because I made some small adjustments
 
Jeremy Sun

Then what are those settings that said "local security settings" on the
Domain Controllers?
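
Brian's reply above says the password policy has to be defined in the default domain policy. As an added example (not code from the thread), this Python check compares the [System Access] section of two exported security templates and reports account-policy values that are set in the DC-linked GPO but are missing from, or differ in, the domain-linked one. Both templates are constructed samples and the function names are hypothetical; the key names are the standard security-template ones.

```python
# Account-policy keys that live in [System Access] of a security template.
ACCOUNT_POLICY_KEYS = {
    "MinimumPasswordAge", "MaximumPasswordAge", "MinimumPasswordLength",
    "PasswordComplexity", "PasswordHistorySize", "ClearTextPassword",
    "LockoutBadCount", "ResetLockoutCount", "LockoutDuration",
}

def parse_system_access(inf_text):
    """Return the account-policy settings found in [System Access]."""
    settings, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # entering a new section
            continue
        if section == "system access" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ACCOUNT_POLICY_KEYS:
                settings[key] = value
    return settings

def dc_only_password_settings(domain_inf, dc_inf):
    """Map key -> (DC GPO value, domain GPO value or None) for every
    account-policy key the DC GPO sets differently from the domain GPO."""
    domain = parse_system_access(domain_inf)
    dc = parse_system_access(dc_inf)
    return {k: (dc[k], domain.get(k)) for k in sorted(dc) if domain.get(k) != dc[k]}

# Constructed sample: template of the GPO linked at the domain level.
DOMAIN_GPO_INF = """[Unicode]
Unicode=yes
[System Access]
MaximumPasswordAge = 42
"""

# Constructed sample: template of the GPO linked to the Domain Controllers OU.
DC_GPO_INF = """[Unicode]
Unicode=yes
[System Access]
MaximumPasswordAge = 90
MinimumPasswordLength = 8
[File Security]
"%SystemRoot%\\example",0,"D:PAR(A;OICI;FA;;;BA)"
"""

if __name__ == "__main__":
    for key, (dc_val, dom_val) in dc_only_password_settings(DOMAIN_GPO_INF, DC_GPO_INF).items():
        print(f"{key}: DC GPO={dc_val}, domain GPO={dom_val or 'not defined'}")
```

When reading real templates from SYSVOL, open them with encoding="utf-16", since GptTmpl.inf is normally saved as Unicode.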
 
