List all active policies

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Is there a way to list all active policies effecting my domain? The reason i
ask is i went to create a new user today and the passoword i put in was
rejected. I had remembered playing with the password policy a while back, so
i was able to make a temp password that met the requirments, but i am unable
to find where that policy is in effect. Any help would be greatly
appreciated.

Ben
 
Ben said:
Is there a way to list all active policies effecting my domain? The reason i
ask is i went to create a new user today and the passoword i put in was
rejected. I had remembered playing with the password policy a while back, so
i was able to make a temp password that met the requirments, but i am unable
to find where that policy is in effect. Any help would be greatly
appreciated.

Ben
Click to expand...

Google RSOP (resultant Set of Policies)

Kurt
 
www.microsoft.com/gp
and follow the links to get GPMC
This tool both shows the GPOs linked, to where, with
what priority, and also have resultant policy features.

You probably will need to set the password policy to
what you want, in a domain linked GPO that has the
highest priority.
 
Great. Thank you both for your help.

Roger Abell said:
www.microsoft.com/gp
and follow the links to get GPMC
This tool both shows the GPOs linked, to where, with
what priority, and also have resultant policy features.

You probably will need to set the password policy to
what you want, in a domain linked GPO that has the
highest priority.
Click to expand...
 
Great. Thank you both for your help.






- Show quoted text -
Click to expand...

Hi,

RSOP is great tool to find policies and the settings from the
policies. You mention that you changed the password policy
"somewhere"
Well, look in the default domain policy to see if this is where you
have made the changes unless you linked a group policy higher up in
priority.
I say this because this is the only policy that you can set the domain
password policy.

Good Luck

Harj Singh
Power Your Active Directory Investment
www.specopssoft.com
 
All 6 password policy settings inthe the default domain controllers policy
are set to 'not defined'. Is that all there should be or are there more
settings someplace i do not know about? Thanks for your help.

Ben
 
All 6 password policy settings inthe the default domain controllers policy
are set to 'not defined'. Is that all there should be or are there more
settings someplace i do not know about? Thanks for your help.

Ben







- Show quoted text -
Click to expand...


Hi,

Wrong policy bud, you are looking at the default DOMAIN CONTROLLERS
policy.
You need to look at the DEFAULT DOMAIN policy.
This policy must be applied to the domain controllers.

Good luck

Harj Singh
Power Your Active Directory Investment
www.specopsoft.com
 
That would explain a few things...
I logged into my DC the start->Programs->Admin Tools->Domain Security Policy
(i assume this is the correct one) and when i select it i get 'Failed to open
the Group Policy Object. You may not have appropriate right. Details: The
specified directory service attribute or value does not exist'

Any idea as to what i do from here?
 
That would explain a few things...
I logged into my DC the start->Programs->Admin Tools->Domain Security Policy
(i assume this is the correct one) and when i select it i get 'Failed to open
the Group Policy Object. You may not have appropriate right. Details: The
specified directory service attribute or value does not exist'

Any idea as to what i do from here?







- Show quoted text -
Click to expand...

Oh boy,

Ok first and formost make sure we are logged in with an account that
has access to the GPO's.
Make sure we only have one NIC enabled on this DC and it is pointed to
a DNS server authoritative for your domain.
Can you open up any other policy?

"Failed to Open the Group Policy Object" Error Message Occurs When You
Try to Open a Policy As a Domain Administrator
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q294257

http://groups.google.com/group/micr...HA.1932%40tkmsftngp05&rnum=1#d1fc5808a480a032


Good luck

Harj Singh
Power Your Active Directory Investment
www.specopssoft.com
 
I tried what was in the microsoft site and i am still getting the error when
i try to open it up. any other ideas?
 
I tried what was in the microsoft site and i am still getting the error when
i try to open it up. any other ideas?









- Show quoted text -
Click to expand...

Hi,

Ok how many domain controllers do you have and where are they pointed
to for DNS?
Do you have any errors in the FRS event log?
Did you verify the account you are connecting with?
 
I have two DCs and they are pointed to the DC i am logging into for DNS.
there are no errors in the FRS event log. Yes, i am logging in as the domain
Admin.
 
It sounds, now that you have responded to Harj's very pertinent
inquiries, as though you may have a settings issue in a policy, as
the message states, perhaps then causing the GPO to not process
all of its extensions.

If that is so, then . . .

Your shortest route out, unless Harj or another has better idea,
may just be to a) try to recall what all custom settings the default
domain (DD) GPO has had made in it, b) define a new GPO
linked to the domain object above the DD GPO with the needed
of those recalled settings changes, c) use the KB guidance to reset
in a W2k forest the DD GPO to (relatively) inital settings (note:
a better alternative for this step exists if W2k3 functional forest)
 
I would be more than happy to try those suggestions, but i am totally
unfamiliar with how to perform those operations. Any insight as how to do
them?

Thanks,
Ben
 
I would be more than happy to try those suggestions, but i am totally
unfamiliar with how to perform those operations. Any insight as how to do
them?

Thanks,
Ben








- Show quoted text -
Click to expand...

Hi,

I think any one of the suggestions made by Roger would get you back on
track but it comes down to what you wish to do.
Just fix it, or find out what happened and fix it so it never happens
again.
The easiest of the bunch would of course would be to just fix it, and
that is just fine for the most but sometimes root cause is needed.
You mention that you do not remember where you changed the settings so
maybe suggestion A is not the route.
Suggestion B sounds good but that would mean a policy is still around
causing this issue in the first place.
Suggestion C is the easiest UNLESS this is being caused by a policy
higher up than the default domain policy linked to the domain.
If your AD is W2K, you can use a tool called recreatedefpol which will
recreate BOTH default policies...domain and domain controllers.
If you go this route, I would backup your Default domain controllers
policy (as you have not mentioned any errors with this one) to know
all your settings before reverting to default.
If your AD is W2K3, you can run dcgpofix and specify which policy you
wish to revert to default. The domain policy or the default domain
controllers policy.

You have yet to mention how many group policies you have linked at
your domain level.
When you open up GPMC and click on your domain, how many policies are
linked? And which one is sitting with the link order of 1?

Good luck

Harj Singh
Password Policy Done Right
www.specopssoft.com
 
I am running AD in a W2K environment. I ran the recreatedefaultpol though i
am still getting the same error when trying to open up the Default Domain
Policy. Also I am still seeing that a Password Policy is in effect somewhere.

I only have one policy linked, and that is called FAPCO. This one does not
have a password policy enabled in it.

Ben
 
I am running AD in a W2K environment. I ran the recreatedefaultpol though i
am still getting the same error when trying to open up the Default Domain
Policy. Also I am still seeing that a Password Policy is in effect somewhere.

I only have one policy linked, and that is called FAPCO. This one does not
have a password policy enabled in it.

Ben








- Show quoted text -
Click to expand...

Hi,

On a client machine, please run net accounts and post the output.
What does gpresults /v give you?
Where exactly is this FAPCO policy linked in AD? Above the default
domain policy at the domain level?
Is the default domain policy applying to the domain controllers OU?

Good luck

Harj Singh
Password Policy Done Right
www.specopssoft.com
 
These are the results of the 'net accounts'
Workstation:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\ben>net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 42
Minimum password length: 0
Length of password history maintained: None
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: WORKSTATION
The command completed successfully.


C:\Documents and Settings\ben>

Domain Controller:
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\Administrator.FAPINS>net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 30
Maximum password age (days): 60
Minimum password length: 8
Length of password history maintained: 3
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: PRIMARY
The command completed successfully.


C:\Documents and Settings\Administrator.FAPINS>

gpresults /v comes back as an unknown command.

FAPCO policy is linked at the top of the domain and it is the only policy
linked to the domain.

No, the Default Domain Policy is not linked to the DC OU, only the Default
Domain Controllers Policy is. At least that is all i see in the Group Policy
Tab.

Once Again,
Thanks for you help.
 
I am running AD in a W2K environment. I ran the recreatedefaultpol though i
am still getting the same error when trying to open up the Default Domain
Policy. Also I am still seeing that a Password Policy is in effect somewhere.

I only have one policy linked, and that is called FAPCO. This one does not
have a password policy enabled in it.

Ben








- Show quoted text -
Click to expand...

Hi,

On a client machine, please run net accounts and post the output.
What does gpresults /v give you?
Where exactly is this FAPCO policy linked in AD? Above the default
domain policy at the domain level?
Is the default domain policy applying to the domain controllers OU?

Good luck

Harj Singh
Password Policy Done Right
www.specopssoft.com
 
These are the results of the 'net accounts'
Workstation:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\ben>net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 42
Minimum password length: 0
Length of password history maintained: None
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: WORKSTATION
The command completed successfully.


C:\Documents and Settings\ben>

Domain Controller:
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\Administrator.FAPINS>net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 30
Maximum password age (days): 60
Minimum password length: 8
Length of password history maintained: 3
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: PRIMARY
The command completed successfully.


C:\Documents and Settings\Administrator.FAPINS>

gpresults /v comes back as an unknown command.

FAPCO policy is linked at the top of the domain and it is the only policy
linked to the domain.

No, the Default Domain Policy is not linked to the DC OU, only the Default
Domain Controllers Policy is. At least that is all i see in the Group Policy
Tab.

Once Again,
Thanks for you help.
 
Back
Top