Group policy and Group shield??


I set up a group policy to take effect on our passwords (length, expiration,
etc.) and it should have started today, but it did not take effect. I also received
various messages from Alert Manager (Group Shield) this morning and was
wondering if there is any connection. Has anyone experienced a group policy
not working due to their virus protection? Is it possible? Any suggestions?
 
WetBehindEars said:
I set up a group policy to take effect on our passwords (length, expiration,
etc.) and it should have started today, but it did not take effect. I also received
various messages from Alert Manager (Group Shield) this morning and was
wondering if there is any connection. Has anyone experienced a group policy
not working due to their virus protection? Is it possible? Any
suggestions?

Anything is possible but firewalls are more likely
to cause problems than virus (but some security
suite programs now have both.)

Did you link the Group Policy to the DOMAIN?

(Only Domain-Linked GPOs will affect the password,
lockout or Kerberos policies. They are domain
specific.)
 
Yes, it is at the domain level. How could a firewall cause the problem if
everyone is behind it? For some reason I think it is related to Group
Shield/McAfee, but not really sure. Any other suggestions?
 
Wet,

I will admit right off the bat that I am not a fan of McAfee AntiVirus
software. I am a big fan of Norton and TrendMicro. Not sure that your antivirus
software is necessarily causing any problems with this, though.

Let's do some basic troubleshooting:

Where did you create this Password Policy?
What are the settings?
Is it a separate GPO or is it included with some other GPO? If so, are the
other parts working?
Why do you think that it should have started today?
Do you have any GPOs that are working?
Have you made sure that DNS is correct? And that all of the clients point
only to YOUR internal DNS Servers ( and not the ISP's )?
Have you run 'net accounts' on the Domain Controllers as well as on some of
the clients? How does that look?

I would start there!

I would also suggest that you implement complexity - if you have not done
so - and educate your users as to what that means. Furthermore, I would
suggest contacting MS-PSS and getting the fix for the error message that the
user is given if he/she attempts to change the password to something that
does not meet with the complexity rules. Out of the box the error message
is not very useful or informative at all. The new error message - once you
implement the change - is very specific! The user just needs to read it!

http://support.microsoft.com/?id=821425

The call to MS-PSS does not cost you anything as long as you mention that
you are looking for the fix as discussed in that MSKB Article. They will
e-mail it to you......Just make sure to give them a valid e-mail address!

You might also want to take a look at this:

http://support.microsoft.com/?id=309799

Might be a bit too much but in my opinion you can never have too much
security. Just educate the users!


--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
WetBehindEars said:
Yes, it is at the domain level. How could a firewall cause the problem if
everyone is behind it?

In that case it probably couldn't but many people are running
all sorts of firewall software internally -- XP sp2 even turns
one on by default and many people running virus suite software
have the included personal firewall software on, sometimes
without even knowing it.

WetBehindEars said:
For some reason I think it is related to Group
Shield/McAfee, but not really sure. Any other suggestions?

First check your authentication and DNS. Most
such problems are related to those.

DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2

Restart NetLogon on any DC if you change any of the above that
affects a DC and/or use:

nltest /dsregdns /server:DC-ServerNameGoesHere

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
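The checks suggested in the two replies above (effective policy via 'net accounts', clients pointing only at internal DNS, DC discovery, and a dcdiag report searched for FAIL/ERROR/WARN) can be gathered in one pass. This is an added example, not code from any poster; it assumes the ActiveDirectory RSAT module for the domain policy read, and the $internalDns addresses are placeholders you replace with your own DNS servers.

```powershell
# Added example: run elevated on a domain-joined client (dcdiag part runs only where it exists).
# Assumption: ActiveDirectory RSAT module is present for Get-ADDefaultDomainPasswordPolicy.
$report = @()

# 1) Effective policy on this machine vs. what the domain object says it should be.
#    If 'net accounts' does not match the GPO, the domain-linked policy never applied here.
$report += "== net accounts (effective policy on this machine) =="
$report += (net accounts 2>&1)
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $report += "== Default domain password policy (read from AD) =="
    $report += (Get-ADDefaultDomainPasswordPolicy |
        Format-List MinPasswordLength, MaxPasswordAge, ComplexityEnabled, LockoutThreshold |
        Out-String)
}

# 2) DNS: every adapter must point SOLELY at the internal, dynamic DNS servers.
$internalDns = @('10.0.0.10', '10.0.0.11')   # placeholder values, not from the thread
$dnsCfg = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }
$report += "== DNS servers configured on adapters =="
foreach ($a in $dnsCfg) {
    $report += "{0}: {1}" -f $a.InterfaceAlias, ($a.ServerAddresses -join ', ')
}
$external = $dnsCfg | ForEach-Object { $_.ServerAddresses } |
    Where-Object { $internalDns -notcontains $_ } | Sort-Object -Unique
if ($external) {
    $report += "WARN: non-internal DNS servers in use: $($external -join ', ')"
}

# 3) Can this box locate a DC, and which GPOs actually applied to it?
$report += "== nltest DC discovery =="
$report += (nltest /dsgetdc:$env:USERDNSDOMAIN 2>&1)
$report += "== gpresult /r (applied GPOs) =="
$report += (gpresult /r 2>&1)

# 4) On a DC: dump dcdiag to a file and pull out FAIL / ERROR / WARN lines, as the post suggests.
if (Get-Command dcdiag -ErrorAction SilentlyContinue) {
    $dcdiagFile = Join-Path $env:TEMP 'dcdiag.txt'
    dcdiag /v > $dcdiagFile
    $report += "== dcdiag findings =="
    $report += (Select-String -Path $dcdiagFile -Pattern 'FAIL|ERROR|WARN' |
        ForEach-Object { $_.Line })
}

$report | Out-File (Join-Path $env:TEMP 'gpo-password-check.txt')
$report
```

Compare the 'net accounts' block against the AD policy block first: if they differ on a client that resolves a DC fine, the problem is GPO linking or replication rather than DNS.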
 
Well it was working last week because part of the security GP was a splash
screen I had created that popped up when users went to log onto the network.
Now that screen does not appear anymore.
 
As Cary said, check his suggestions, and note
that if it worked last week this argues even stronger
for a lack of authentication or access to the DCs
from the computer.

Or that in the interval the computer account has
become hosed -- <right click> Reset in AD Users/Computers

But recognize before you do this that most such
problems are DNS problems, then authentication
in general (those authentication problems NOT due
to DNS problems.)
 