Group Policy not updating on Domain Controller

Adam

Group Policy suddenly stopped updating on my Windows 2000
Domain Controller. Group Policy still updates successfully
on my Windows XP workstations.

I discovered this problem when I tried to change the
minimum password length in Group Policy. The Application
Log did not show the usual EventID 1704 with source SceCli,
either periodically or when "secedit /refreshpolicy
machine_policy" is run.

I have found no indication of problems in the Event Log
around the time it stopped updating. Restarting the server
does not remedy this problem. I have checked Google, Google
Groups, and Microsoft's KB to no avail.

Any suggestions are greatly appreciated.
 
Steven L Umbach

Password/account policy for domain accounts can only be changed at the
domain level, so make sure you are changing the setting at the domain level
and if there is more than one GPO at the domain level configure the setting
at the top GPO in the list. Also make sure that when you change
password/account policies that you do not have "block inheritance"
configured on the domain controller container. You can run gpedit on your
domain controller to see when the last time machine policy was applied and
from where. Netdiag and dcdiag can also be very helpful on a domain
controller when you are experiencing problems. Those tools are located on
the install cd in the support/tools folder where you will have to run setup
there to install them. --- Steve
 
Adam

> Password/account policy for domain accounts can only be
> changed at the domain level, so make sure you are
> changing the setting at the domain level

Yes, I am.

> if there is more than one GPO at the domain level
> configure the setting at the top GPO in the list.

There's just the Default Domain Policy.

> Also make sure that when you change password/account
> policies that you do not have "block inheritance"
> configured on the domain controller container.

Block inheritance is not set.

> You can run gpedit on your domain controller to see when
> the last time machine policy was applied and from where.

For me, gpedit only brings up the Local Group Policy tool.
The problem is with domain policies, not local policies.

Unless there's some switch to gpedit that I'm missing.

> Netdiag and dcdiag can also be very helpful on a domain
> controller when you are experiencing problems.

Thanks for the tips - I'll have to see if I can dig up the
Win2k Server CD and try out these tools.

Adam
 
