Group Policy

Guest

I have been trying to set up the Password Policy for a few days now, but I
just can’t get it to work. I’ll just explain what I’m doing and maybe someone
can give me some pointers.

When I right-click on our Domain in AD Users and Computers, click Properties
and then select the Group Policy tab, I only have Default Domain Policy.

First of all, should I be able to change settings in this Policy? Like when
I edit it and go into Computer Configuration, Windows Settings, Security
Settings, should I find the Account Policies – Password Policy in there, or is
the Default Domain Policy not for these types of things? I also cannot
expand the Administrative Templates. I am thinking that because this is a Default
Policy, I am not able to change it. Or could it be that I do not have the
permissions to change it?

Secondly, in the Group Policy tab, I click New and create a new Policy
called Password Policy. I edit it and go to Computer Configuration, Windows
Settings, Security Settings, Account Policies and in Password Policy I change
all the settings to what I want. When I go to a test user created in the Users
OU, I set the Account to change Password at next logon. However, when I log
in as this User, I can change the Password to 123 or anything else. I also
tried to change the Password for a user I created in an OU I created manually
but still no Policy enforcement.

This whole thing is driving me crazy. If anyone could just help me and tell
me where to set this Password Policy, and in what way.

Any help would be much appreciated.

Thanks
 
J.M.N

You should be able to modify the Default Domain Policy...
And you should be able to find the things described in that policy
(security, admin templates etc.)

I have read about the tool Dcgpofix.exe that restores the Default Domain Policy
back to its original state, maybe that could help you. I have never
personally tested it, so better try it in your test environment before
applying it to your "real" domain.

And about your password policy, have you looked at the "Security" tab? There
should be "Read" and "Apply Group Policy" rights for the group
"Authenticated Users".

Hope this helps.
J.M.


-
J.M.
 
Mohammed A. Raslan

You were in the right place, it's in the "Default Domain Policy" > "Computer
Configuration" > "Windows Settings" > "Security Settings" > "Account
Policies" > "Password Policies".
You should be able to change it if you are using the administrator account.

You can change the password settings in the "Default Domain Policy" or even
create a new GPO; however, note that if you create a new one, it must be
linked to the domain (not to OUs or any other type of containers), and it
must be on the top of the list of the GPOs linked to the domain (there are
special cases but it's better that way).

Another thing is that you must refresh the computer policy on all clients
for the policy to take effect. You can either restart all machines in the
domain, or wait for about 90 mins, or run "Secedit /refreshpolicy machine_policy /enforce"
from Windows 2000 machines and "gpupdate /target:computer /force"
from Windows XP and Windows 2003 servers.

--
Yours truly,
Mohammed A. Raslan
Systems Engineer / Consultant
MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
Mobile: +20 (12) 36 26 112 / +965 978 1969
E-Mail: (e-mail address removed)
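
A check for the link requirement described in the reply above, as an added example that is not part of the original thread. It assumes a current Windows host with the RSAT ActiveDirectory and GroupPolicy PowerShell modules (neither exists on the Windows 2000/2003 systems discussed here) and read access to the domain's GPOs.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory and
# GroupPolicy modules, which are not available on Windows 2000/2003.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName

# GPOs linked directly at the domain root, in precedence order (Order 1 wins).
$links = (Get-GPInheritance -Target $domainDn).GpoLinks | Sort-Object Order

$report = foreach ($link in $links) {
    # Read the GPO's settings as XML and pick out the Password Policy entries
    # under Computer Configuration > Security Settings > Account Policies.
    [xml]$xml = Get-GPOReport -Guid $link.GpoId -ReportType Xml
    $nodes = $xml.SelectNodes(
        "//*[local-name()='Account'][*[local-name()='Type']='Password']")
    $settings = foreach ($node in $nodes) {
        $name  = $node.SelectSingleNode("*[local-name()='Name']").InnerText
        $value = $node.SelectSingleNode(
            "*[starts-with(local-name(),'Setting')]").InnerText
        "$name=$value"
    }
    [pscustomobject]@{
        Order            = $link.Order
        Gpo              = $link.DisplayName
        LinkEnabled      = $link.Enabled
        Enforced         = $link.Enforced
        PasswordSettings = ($settings -join '; ')
    }
}
$report | Format-Table -AutoSize -Wrap

# Flag the two situations the thread runs into: no domain-linked GPO carries
# password settings, or several do and link order decides which one applies.
$defining = @($report | Where-Object { $_.PasswordSettings -and $_.LinkEnabled })
if ($defining.Count -eq 0) {
    Write-Warning 'No enabled GPO linked at the domain root defines a password policy.'
} elseif ($defining.Count -gt 1) {
    Write-Warning 'Several domain-linked GPOs define password settings; check link order.'
}

# The policy the domain actually enforces for domain accounts.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MinPasswordAge, MaxPasswordAge, LockoutThreshold
```

A GPO linked only to an OU never appears in the first table, which matches the behaviour the original poster saw with the policy created for testing.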
 
Guest

Hey Mohammed

Thanks for the feedback.

I logged on to the DC as the Domain Administrator and when I go to AD Users
And Computers, Domain Properties, Group Policy, Default Domain Policy,
Computer Configuration, Windows Settings, Security Settings, I only have
Public Key Policies and IP Security Policies on AD. There are no Account
Policies, Local Policies etc.

You said, if I create a new GPO I should link it to the Domain. How do I do
this? I thought if it is created in the same place as the Default Domain
Policy it should go out to the whole Domain.

I also did wait for more than 90 minutes but nothing happened.

If I go to the Default Domain Policy Properties, under Security I have my
name with Full Control. Under Links, if I click Find Now, it only shows my
Domain.
 
Mohammed A. Raslan

I guess you have corrupted Default Domain Policy files. What is your
domain, Windows 2000 or Windows 2003? And how many DCs do you have?

I suggest that you first create a system state backup (just in case), then
delete your Default Domain Policy. When you try to delete it you will be
asked to remove the link or delete it entirely; it's better to only
remove the link at this point. Then, if there are no other GPOs on the
domain, create a new one but name it anything other than "Default Domain
Policy", for example "My Default Policy", and set the password options you
want in it.

After that, try to run from the domain controller itself the command
"secedit /refreshpolicy machine_policy /enforce" if it's a Windows 2000 DC, or
"gpupdate /force" if it's a Windows 2003 DC. If you have multiple DCs, then
first wait for about 10 mins, then issue that command on them all. If you can
restart the DC, it would be better and you will not need to run these commands.

After that, open AD Users & Computers, create a test account, and try
playing with its password length and reset it to wrong and right values and
see if it is working.

I'm sorry about the 90 min thing, it was related to something else; it's how
long client computers refresh their policy from the domain. It's not related to
your problem; yours is with the domain controller, not the clients.

When you open the domain properties and click on the New button to create a
GPO, you usually create and link a GPO to the domain at the same time;
however, in some situations you can or might want to create a GPO without
linking it to the domain, so it's there but with no effect.

Try it and tell me. Hope this will work.
Yours truly,
Mohammed A. Raslan
Systems Engineer / Consultant
MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
Mobile: +20 (12) 36 26 112 / +965 978 1969
E-Mail: (e-mail address removed)
 
Guest

It turned out my Default Domain Policy was corrupt. I used recreateDefPol.exe
(Windows 2000 Server only, same as dcgpofix.exe) to repair it and now it
works fine. Thanks for all the help, I really appreciate it.
 
Guest

The recreateDefPol.exe file worked perfectly. Just extracted it to a folder on
the DC and ran the file. Had to log out and back in for it to take effect and
it fixed everything. Did not have a test domain but now you can know it works OK.
Thanks for the help.
 
