DC GPO - password policy not enforced

Jeremy Sun

In the Domain DC GPO, I have changed some file system security and suddenly
the password policies failed.

The password policies settings are still in the GPO file. I can read the
settings from the AD users and Computers. However when I log onto a DC and
check the local security settings, it says "not defined" for the password
policies. All other policies are in effect and there is no error in the
event log.

When I look into the winlogon.log, all the errors I can find are the

error 0 to send control flag 1 over to server
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND

and a few failed file system security items, which is quite normal.

Any idea?

Any solution?

Thanks in advance.

--------------------------------------------------------------------------------
Is the password policy defined in the default domain policy? If not, it
must be defined there.

--------------------------------------------------------------------------------

It was defined. It is defined. In fact, most if not all items in the default
domain controller policy - machine are defined.

All policies including security, auditing, file system, registry, etc
reflect on the domain controller on the next update.

When I start the "local security setting" on one of the DCs it said those
settings are effective.

However, password policy is marked "NOT defined" on the local although they
are defined in the policy.

In fact, not even the local policy on the DC is effective.

So I have something like this:

Local defined password age: 42 days
Policy defined password age: 90 days
Effective password age: not defined.

--------------------------------------------------------------------------------
What did you change that prompted this?

--------------------------------------------------------------------------------

1) I have added a new DC to the domain
2) The DC did not take in the DC policies so I went through the DC policies
3) I removed some duplicated entries in the file system section
4) I removed all "Everyone" security rights from the remaining entries in the
file system section
5) I removed all "Server Operator" security rights from the remaining entries in
the file system section
6) The new DC was still not working, so I debugged the winlogon and found that
it missed the %sysvol% variable
7) The new DC is finally taking in the DC policies, I found that the
password policies are not working
8) I found that the password policies are not working on other DCs as well
9) I am very sure that the password policies were working the week before
because I made some small adjustments
 
Kevin Sullivan

Which GPO? the Domain GPO is where the password policy is enforced. Are you
setting it in the Domain Controller GPO?

Kevin
 
Jeremy Sun

Kevin Sullivan said:
Which GPO? the Domain GPO is where the password policy is enforced. Are you
setting it in the Domain Controller GPO?

Kevin

Yes.

As I have said, all other policies are enforced. Only those related to
password, are not.
 
Kevin Sullivan

If you're saying "yes" to the Domain Controller GPO then this is your issue.
The password policy will only be processed from the Default Domain Policy.
Any password settings in other GPOs including the Default Domain Controller
Policy will be ignored.
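
The rule described in this answer can be checked offline against copies of each GPO's GptTmpl.inf security template. The following is an added example, not part of the original thread: the function names, the GPO-name dictionary and the sample templates are constructed for illustration, and it takes the rule as stated above (only the Default Domain Policy supplies password settings) as given.

```python
# Password-policy keys stored in the [System Access] section of a GPO's GptTmpl.inf.
PASSWORD_KEYS = {
    "MinimumPasswordAge", "MaximumPasswordAge", "MinimumPasswordLength",
    "PasswordComplexity", "PasswordHistorySize", "ClearTextPassword",
}

def parse_inf(text):
    """Parse security-template text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def audit(gpos, domain_policy="Default Domain Policy"):
    """gpos maps GPO name -> GptTmpl.inf text (names here are assumptions).
    Returns (password settings in the domain policy, ignored settings elsewhere)."""
    applied, ignored = {}, []
    for name, text in gpos.items():
        access = parse_inf(text).get("System Access", {})
        found = {k: v for k, v in access.items() if k in PASSWORD_KEYS}
        if name == domain_policy:
            applied = found
        else:
            ignored += [(name, k, v) for k, v in sorted(found.items())]
    return applied, ignored

# Constructed sample templates (not taken from the thread's domain).
SAMPLE_GPOS = {
    "Default Domain Policy": "[Unicode]\nUnicode=yes\n[System Access]\nLockoutBadCount = 5\n",
    "Default Domain Controllers Policy": (
        "[Unicode]\nUnicode=yes\n"
        "[System Access]\nMaximumPasswordAge = 90\nMinimumPasswordLength = 8\n"
        "[Privilege Rights]\nSeBackupPrivilege = *S-1-5-32-544\n"
    ),
}

if __name__ == "__main__":
    applied, ignored = audit(SAMPLE_GPOS)
    print("Password settings in the domain policy:", applied or "not defined")
    for gpo, key, value in ignored:
        print(f"IGNORED  {gpo}: {key} = {value}")
```

On a real system the templates are typically stored as UTF-16, so decode them before passing the text in.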
 
Jeremy Sun

Kevin Sullivan said:
If you're saying "yes" to the Domain Controller GPO then this is your issue.
The password policy will only be processed from the Default Domain Policy.
Any password settings in other GPOs including the Default Domain Controller
Policy will be ignored.

1) You are professional
2) I am an idiot
3) Thank you and thank you

Wish everybody a good day.
 
laser47

I was having this same issue and have changed my policy to the default
domain policy, but had a couple of questions:

1. Is there some place that Microsoft describes this behavior? Is it
new? I could have sworn it worked in W2k SP2(ish)...
2. Are there other policies that will only be processed if they are
applied to certain OUs or at the Site/Domain level?


Thanks in Advance!

Mark Hanson
Network Admin
Adams County School District 50

*If you're saying "yes" to the Domain Controller GPO then this is your issue.
The password policy will only be processed from the Default Domain Policy.
Any password settings in other GPOs including the Default Domain Controller
Policy will be ignored.


-
laser47
 
