DC GPO - password policies not enforced


Jeremy Sun

In the Domain DC GPO, I have changed some file system security and suddenly
the password policies failed.

The password policies settings are still in the GPO file. I can read the
settings from AD Users and Computers. However, when I log onto a DC and
check the local security settings, it says "not defined" for the password
policies. All other policies are in effect and there is no error in the
event log.

When I look into the winlogon.log, all the errors I can find are the

error 0 to send control flag 1 over to server
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND

and a few failed file system security items, which is quite normal.

Any idea?

Any solution?

Thanks in advance.
 
Is the password policy defined in the default domain policy? If not, it must
be defined there.

What did you change that prompted this?

--
Brian Desmond
Windows Server MVP
(e-mail address removed)12.il.us

Http://www.briandesmond.com
 
Brian Desmond said:
Is the password policy defined in the default domain policy? If not, it must
be defined there.

It was defined. It is defined. In fact, most if not all items in the default
domain controller policy - machine are defined.

All policies including security, auditing, file system, registry, etc
reflect on the domain controller on the next update.

When I start the "local security setting" on one of the DCs it said those
settings are effective.

However, password policy is marked "NOT defined" on the local although they
are defined in the policy.

In fact, not even the local policy on the DC is effective.

So I have something like this:

Local defined password age: 42 days
Policy defined password age: 90 days
Effective password age: not defined.

Brian Desmond said:
What did you change that prompted this?

1) I have added a new DC to the domain
2) The DC did not take in the DC policies so I went through the DC policies
3) I removed some duplicated entries in the file system section
4) I removed all "Everyone" security rights from the remaining entries in the
file system section
5) I removed all "Server Operator" security rights from the remaining entries in
the file system section
6) The new DC was still not working, so I debugged the winlogon and found that
it missed the %sysvol% variable
7) The new DC is finally taking in the DC policies, I found that the
password policies are not working
8) I found that the password policies are not working on other DCs as well
9) I am very sure that the password policies were working the week before
because I made some small adjustments
 
Then what are those settings that said "local security settings" on the
Domain Controllers?
 