J
Jacky Ho
I've a default domain controller group policy.
This is policy is applied to DC.
However, I found the account policies setting in windows settings in
computer configuration cannot update to the DC
after I change those settings in the default domain controller group policy.
I try to change the max. size of application log and then use command
"secedit /refreshpolicy machine_policy /enforce".
The changes on the application log is updated.
And I use gpresult and found the DC is now only applied this group policy
only on security settings.
The following are the details of the group policy and effective settings :
Default DC policy
Effective settings
Password Policy :
Enforce password history : 24
24
Max. password age: 70 days
70 days
Min. password age: 2 days
2 days
Min. password length : 8
8
Passwords must meet complexity : Enabled Enabled
Account Lockout Policy :
Account lockout duration : Not defined 0
Account lockout threshold: 0 invalid 3
invalid
Reset account lockout counter after Not defined 90 minutes
Kerberos Policy :
Enforce user logon restrictions : Not defined
Disabled
Max . lifetime for service ticket : Not defined
600 mins.
Max. lifetime for user ticket : Not defined
10 hours
Max. lifetime for user ticket : Not defined
7 days
Max. tolerance for computer clock synchronization : Not defined
5 mins.
I also try to change all settings in account lockout policy to some values,
not " not defined".
and then secedit to update the policy but still the effective settings not
change.
Please Help.
Jacky
This is policy is applied to DC.
However, I found the account policies setting in windows settings in
computer configuration cannot update to the DC
after I change those settings in the default domain controller group policy.
I try to change the max. size of application log and then use command
"secedit /refreshpolicy machine_policy /enforce".
The changes on the application log is updated.
And I use gpresult and found the DC is now only applied this group policy
only on security settings.
The following are the details of the group policy and effective settings :
Default DC policy
Effective settings
Password Policy :
Enforce password history : 24
24
Max. password age: 70 days
70 days
Min. password age: 2 days
2 days
Min. password length : 8
8
Passwords must meet complexity : Enabled Enabled
Account Lockout Policy :
Account lockout duration : Not defined 0
Account lockout threshold: 0 invalid 3
invalid
Reset account lockout counter after Not defined 90 minutes
Kerberos Policy :
Enforce user logon restrictions : Not defined
Disabled
Max . lifetime for service ticket : Not defined
600 mins.
Max. lifetime for user ticket : Not defined
10 hours
Max. lifetime for user ticket : Not defined
7 days
Max. tolerance for computer clock synchronization : Not defined
5 mins.
I also try to change all settings in account lockout policy to some values,
not " not defined".
and then secedit to update the policy but still the effective settings not
change.
Please Help.
Jacky