password policy does not work on a terminal server

[arno schoblocher]

hello!

win2000 SP3 terminal server

first, i have to say that we have only one terminal server and one print
server, there's no extra domain-controller. it took a while and some group
policies to find out that i have a problem if terminal-server =
domain-controller, this may have caused the problem.

my problem is, that the password policies do not work at all, no matter what
i do.

what i have now are group policies on
- the domain (here i set the password policies)
- the domain-controller (i deactivated password policies in the mean time)
- the site (here's the main policiy to lock down the server, deaktivate
lot's of stuff of the desktop/startmenu etc.)

i have to have 2 policies for 2 user groups because the users should have a
lot of rights on their _PC_ but no rights on the _terminal server_. (if i
have only 1 policy then users cannot work properly on their pc!). so, every
user has 2 usernames, one to logon to the pc, one to logon on the terminal
server.

in detail:
- on the site i locked down the sessions with the terminal-server-usernames,
and i have a policy for the pc-usernames here
- on the domain i have the policy for the terminal-server-usernames. from
KB-articles i know that the password policy _must_ be set for the
default-domain-policy (KB 269236).
- on the domain-controller OU i have some settings that are not directly
connected with locking down the user-session, the folder redirection, hiding
local drives and some settings are the same as on the site (what may be a
problem).

so, some paremters are defined twice. i had problems with "disconnected"
group policies (i had to unlink and link them again according to
www.evintid.net, eventid 1000 userenv, How to unlink a windows 2000 group
policiy).

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce
plus rebooting did not work.

so, how can i make my password policies work? i would like to set the length
and complexity etc. but changes do not work.

thank you

arno

 

[Lanwench [MVP - Exchange]]

Ugh - I'm not sure how to address your specific issues, but to head them off
at the pass, is there any way you can migrate TS to another server? I'm sure
you have lots of workstation apps installed on the server to use TS, and
that is just not wise on a DC.

 

[arno schoblocher]

hi lanwench,

at the pass, is there any way you can migrate TS to another server?

we're only 15 users, a printserver is already one server too much... so i
should set up a cheap pc to play the domain controller (what must be a real
heavy workload in my environment, at least 3 sec of cpu-usage per day)?

if you forget my problem description, what else can i do if the password
policy of the default-domain-policy does not work?

should i
- delete all policies and enter new ones?
- reinstall the server (without any trial and error)?
- upgrade my printserver to a domain controller?
- ...

all other policies work fine within seconds.

bye

arno

 

[Matjaz Ladava [MVP]]

You can have only one domain password policy defined in your domain. If you
need different password policies you need multiple domains. So you need to
setup only one GPO at domain level, which controls password policies. You
can unlink a GPO from a OU, by selecting the GPO in the OU and press Delete
button. Select that you only wish to delete the link and not the policy. Of
course as everything in AD, you need to see that your DNS settings are
right. Run dcdiag and netdiag on your DC to get more detailed status report.

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000), MVP
(e-mail address removed)
http://ladava.com

 

[arno schoblocher]

hello matjaz,

i don't know if i get your point right:

i have settings for the password policy only on the domain, but i have 3
GPO's. should i unlink the other policies (on domain controller and site)
and enter all the settings in the policy of the domain? i do not want (and
need) more than one password policy.

dcdiag gives me an application error (translated from german): >The
procedure jump-in-point "DsIsMangledDnW" could not be found in dll
"NTDSAPI.dll"<. this happens everytime eg. on "dcdiag /h". netdiag looks ok
for me. i installed the tools without rebooting (this will happen
overnight).

regards

arno

You can have only one domain password policy defined in your domain. If you
need different password policies you need multiple domains. So you need to
setup only one GPO at domain level, which controls password policies. You
can unlink a GPO from a OU, by selecting the GPO in the OU and press Delete
button. Select that you only wish to delete the link and not the policy. Of
course as everything in AD, you need to see that your DNS settings are
right. Run dcdiag and netdiag on your DC to get more detailed status

report.

 

[Matjaz Ladava [MVP]]

Maybe we understood each other wrong ;-). I have just said, that GPO that
controls password policy must be set on domain level. Other policies can be
set wherever you need them. I encourage people to define other policies on
OU's rather than on domain level, because I have seen too many people lock
themselves out, because they were setting all GPO's on domain level. My
point was, that If you set password policy on Domain Controllers OU, it
won't have any effect.
Now, for your error you are getting in dcdiag. Where are you running this
tool from ? It must be run on the DC. sometimes it helps reinstalling
adminpack.msi or applying latest SP.

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000), MVP
(e-mail address removed)
http://ladava.com

 

[arno schoblocher]

I have just said, that GPO that

controls password policy must be set on domain level. Other policies can be
set wherever you need them.

this is what i did.

I have seen too many people lock
themselves out

this almost never happened to me

Now, for your error you are getting in dcdiag. Where are you running this
tool from ? It must be run on the DC.

i run it as admin on the DC=TermnialServer. i have an event with event ID
26, source "application". i did not find anything related on
www.eventid.net.

sometimes it helps reinstalling
adminpack.msi

what's this? i just installed dcdiag-setup.exe from MS-website

or applying latest SP.

i have everything before SP4 which i _will_not_install_.

regards

arno

 

[arno schoblocher]

thank you matjaz,

http://support.microsoft.com/?id=250842

i will work through this! maybe i'll come back with some more specific
details from logfiles in a new thread.

re. SP4: i did not find anything suitable in the list of solved problems of
SP4 (KB 327194)

arno

 

[Matjaz Ladava [MVP]]

Sometimes applying SP just replaces some system dll-s which were changed by
other software and you don't know that they were replaced. If you suspect
that a system dll could be wrong, you can run sfc /scannow which will scan
your computer for invalid system files and replace them from Windows CD-ROM
if necessary.

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000), MVP
(e-mail address removed)
http://ladava.com

 

[arno schoblocher]

that a system dll could be wrong, you can run sfc /scannow
i have the same problem on the test-machine, the command did not change
anything there. the SP4 installation crashed on the testmachine.

i'll try something else as mentioned before.

arno

 

[Matjaz Ladava [MVP]]

I believe you must set the policy to "disabled" and not "not defined" to
revert and dissable the policy. Try.

 

[arno schoblocher]

I believe you must set the policy to "disabled" and not "not defined" to
revert and dissable the policy. Try.

test machine:
i successfully reset the settings (complexity disabled, password length=0).
then i set them back (enabled, 4) and it worked.

productive machine:
the same procedure did not work.

i worked only with the "default domain policy". now, on the productive
machine the password policies of the "domain controller" and the "site" were
also set and set back to "not defined".

before i cause some more confusion: should i set all entries of all the
other password policies to "disabled" or "0" instead of not defined?

best regards

arno

 

[arno schoblocher]

Maybe you could install GPMC (Group policy

Management) console. This will enable you to browse your AD policies more
easily and get a report what policies are set at specific OU.

we agree, that the only the default domain policy is of interest and that
there is a windows 2000 "internal" confusion coming from the use of one
machine as DC = TerminalServer what is not the recommended setup. however,
there cannot be a confusion with other policies. so, my problem is that
these six settings obviously are not applied when users log on without an
error message. can the GPMC tell me, why some settings are _not_ applied? i
am asking this because i would have to set up a winXP-machine for the GPMC
according to the FAQ of GPMC.

is it possible to _fully_ delete the default domain policy and then create a
new one, so that windows will setup everything again from scratch?

arno

 

[Matjaz Ladava [MVP]]

Yes, for GPMC to function you need one XP box somewhere. Unfortunatly you
can not reset Domain Policy or Domain Controllers Policy on Windows 2000.
This option is available on domains with at least one WS2k3 DC.
(http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtech
nol/windowsserver2003/proddocs/entserver/DCGPOFix.asp) .Your last resort is,
to cal MS PSS (Product Support Services), to help you out on your problem.

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000), MVP
(e-mail address removed)
http://ladava.com

 

[arno schoblocher]

matjaz,

thank you a lot for your help. i will proceed with
http://support.microsoft.com/?id=250842
that tells me what logs to prepare for MS-Support.

best wishes

arno

 

[Matjaz Ladava [MVP]]

No problem Arno. If you find out what the problem was, please drop me a
mail, as I like to know, what part of the problem/solution I missed ;-)

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000), MVP
(e-mail address removed)
http://ladava.com