When I opened up GPMC and selected my domain, only the FAPCO policy showed
up. When I right clicked the domain and selected link existing gpo my
default domain policy was not there. I checked on the Domain Controllers OU
and policy inheritance is not blocked. So, it seems to me, somehow the
default domain policy has been deleted?
Here are the results from gpresult /v:
DC:
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\Documents and Settings\Administrator.FAPINS>gpresult /v
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999
Created on Tuesday, May 22, 2007 at 2:28:19 PM
Operating System Information:
Operating System Type: Domain Controller
Operating System Version: 5.0.2195.Service Pack 4
Terminal Server Mode: Remote Administration
###############################################################
User Group Policy results for:
CN=Administrator,CN=Users,DC=fapins,DC=fapeabody,DC=com
Domain Name: FAPINS
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming profile: \\houlton-dc\profiles$\administrator
Local profile: C:\Documents and Settings\Administrator.FAPINS
The user is a member of the following security groups:
FAPINS\Domain Admins
\Everyone
BUILTIN\Administrators
BUILTIN\Pre-Windows 2000 Compatible Access
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
\LOCAL
FAPINS\Exchange Services
FAPINS\Group Policy Creator Owners
FAPINS\Exchange Domain Servers
FAPINS\Enterprise Admins
FAPINS\Schema Admins
FAPINS\Exchange Enterprise Servers
The user has the following security privileges:
Bypass traverse checking
Manage auditing and security log
Back up files and directories
Restore files and directories
Change the system time
Shut down the system
Force shutdown from a remote system
Take ownership of files or other objects
Debug programs
Modify firmware environment values
Profile system performance
Profile single process
Increase scheduling priority
Load and unload device drivers
Create a pagefile
Increase quotas
Remove computer from docking station
Impersonate a client after authentication
Create global objects
Enable computer and user accounts to be trusted for delegation
Add workstations to domain
###############################################################
Last time Group Policy was applied: Tuesday, May 22, 2007 at 2:14:51 PM
Group Policy was applied from: HOULTON-FS.fapins.fapeabody.com
===============================================================
The user received "Registry" settings from these GPOs:
Local Group Policy
Revision Number: 3
Unique Name: Local Group Policy
Domain Name:
Linked to: Local computer
The following settings were applied from: Local Group Policy
KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
ValueName: **del.NoAddPrinter
ValueType: REG_SZ
Value:
KeyName: Software\Policies\Microsoft\Windows NT\Printers\Wizard
ValueName: Downlevel Browse
ValueType: REG_DWORD
Value: 0x00000001
###############################################################
Computer Group Policy results for:
CN=HOULTON-FS,OU=Domain Controllers,DC=fapins,DC=fapeabody,DC=com
Domain Name: FAPINS
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
The computer is a member of the following security groups:
BUILTIN\Administrators
\Everyone
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
FAPINS\HOULTON-FS$
FAPINS\Domain Controllers
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
###############################################################
Last time Group Policy was applied: Tuesday, May 22, 2007 at 2:26:16 PM
Group Policy was applied from: HOULTON-FS.fapins.fapeabody.com
===============================================================
The computer received "Registry" settings from these GPOs:
Local Group Policy
Revision Number: 32
Unique Name: Local Group Policy
Domain Name:
Linked to: Local computer
The following settings were applied from: Local Group Policy
KeyName: Software\Policies\Microsoft\SystemCertificates\EFS
ValueName: EFSBlob
ValueType: REG_BINARY
Value: Binary data. Use the /S switch to display.
KeyName: Software\Policies\Microsoft\SystemCertificates\EFS\Certificates\61E8368B9B712659969F5A20840AA2DD11824610
ValueName: Blob
ValueType: REG_BINARY
Value: Binary data. Use the /S switch to display.
KeyName: Software\Policies\Microsoft\SystemCertificates\EFS\CRLs
ValueName:
ValueType: REG_NONE
Value: This key contains no values
KeyName: Software\Policies\Microsoft\SystemCertificates\EFS\CTLs
ValueName:
ValueType: REG_NONE
Value: This key contains no values
===============================================================
The computer received "Security" settings from these GPOs:
Local Group Policy
Revision Number: 32
Unique Name: Local Group Policy
Domain Name:
Linked to: Local computer
Default Domain Controllers Policy
Revision Number: 3
Unique Name: {6AC1786C-016F-11D2-945F-00C04fB984F9}
Domain Name: FAPINS.FAPEABODY.COM
Linked to: Organizational Unit (OU=Domain Controllers,DC=fapins,DC=fapeabody,DC=com)
Run the Security Configuration Editor for more information.
===============================================================
The computer received "EFS recovery" settings from these GPOs:
Local Group Policy
Revision Number: 32
Unique Name: Local Group Policy
Domain Name:
Linked to: Local computer
Additional information is not available for this type of policy setting.
C:\Documents and Settings\Administrator.FAPINS>
Client:
OS Version: 5.1.2600
Domain Name: FAPINS
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\ben
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=BEN-HP,CN=Computers,DC=fapins,DC=fapeabody,DC=com
Last time Group Policy was applied: 5/22/2007 at 1:58:42 PM
Group Policy was applied from: houlton-dc.fapins.fapeabody.com
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
N/A
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
FAPCO
Filtering: Denied (Security)
The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
BEN-HP$
Domain Computers
Resultant Set Of Policies for Computer:
----------------------------------------
Software Installations
----------------------
N/A
Startup Scripts
---------------
N/A
Shutdown Scripts
----------------
N/A
Account Policies
----------------
N/A
Audit Policy
------------
N/A
User Rights
-----------
N/A
Security Options
----------------
N/A
Event Log Settings
------------------
N/A
Restricted Groups
-----------------
N/A
System Services
---------------
N/A
Registry Settings
-----------------
N/A
File System Settings
--------------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
N/A
USER SETTINGS
--------------
CN=Ben Lynds,CN=Users,DC=fapins,DC=fapeabody,DC=com
Last time Group Policy was applied: 5/22/2007 at 1:32:12 PM
Group Policy was applied from: houlton-dc.fapins.fapeabody.com
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
FAPCO
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups:
----------------------------------------------------
Domain Admins
Everyone
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
Domain Users
Enterprise Admins
FAPUSERS
Resultant Set Of Policies for User:
------------------------------------
Software Installations
----------------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
GPO: FAPCO
Setting: Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
State: disabled
GPO: FAPCO
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: Enabled
GPO: FAPCO
Setting: Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
State: Enabled
GPO: FAPCO
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: Enabled
GPO: FAPCO
Setting: Software\Policies\Microsoft\Windows\NetCache
State: Enabled
GPO: FAPCO
Setting: Software\Policies\Microsoft\Windows\NetCache
State: Enabled
GPO: FAPCO
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: Enabled
GPO: FAPCO
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall
State: Enabled
GPO: FAPCO
Setting: Software\Policies\Microsoft\Windows\NetCache
State: Enabled
GPO: FAPCO
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
State: disabled
GPO: FAPCO
Setting: Software\Policies\Microsoft\Windows NT\Terminal Services
State: Enabled
GPO: FAPCO
Setting: Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
State: Enabled
GPO: FAPCO
Setting: Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
State: Enabled
GPO: FAPCO
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate
State: Enabled
GPO: FAPCO
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: Enabled
GPO: FAPCO
Setting: Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls
State: Enabled
GPO: FAPCO
Setting: Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
State: Enabled
GPO: FAPCO
Setting: Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls
State: Enabled
GPO: FAPCO
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: Enabled
GPO: FAPCO
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\System
State: disabled
GPO: FAPCO
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: Enabled
GPO: FAPCO
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: Enabled
GPO: FAPCO
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\System
State: disabled
Folder Redirection
------------------
N/A
Internet Explorer Browser User Interface
----------------------------------------
GPO: FAPCO
Large Animated Bitmap Name: N/A
Large Custom Logo Bitmap Name: N/A
Title BarText: F.A. Peabody Company
UserAgent Text: N/A
Delete existing toolbar buttons: No
Internet Explorer Connection
----------------------------
HTTP Proxy Server: N/A
Secure Proxy Server: N/A
FTP Proxy Server: N/A
Gopher Proxy Server: N/A
Socks Proxy Server: N/A
Auto Config Enable: No
Enable Proxy: No
Use same Proxy: No
Internet Explorer URLs
----------------------
GPO: FAPCO
Home page URL: http://fapnet.FAPeabody.com
Search page URL: N/A
Online support page URL: N/A
Internet Explorer Security
--------------------------
Always Viewable Sites: N/A
Password Override Enabled: False
GPO: FAPCO
Import the current Content Ratings Settings: No
Import the current Security Zones Settings: Yes
Import current Authenticode Security Information: Yes
Enable trusted publisher lockdown: No
Internet Explorer Programs
--------------------------
GPO: FAPCO
Import the current Program Settings: No
C:\Documents and Settings\ben>
Thanks,
Ben
Harj said:
These are the results of the 'net accounts'
Workstation:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\ben>net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 42
Minimum password length: 0
Length of password history maintained: None
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: WORKSTATION
The command completed successfully.
C:\Documents and Settings\ben>
Domain Controller:
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\Documents and Settings\Administrator.FAPINS>net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 30
Maximum password age (days): 60
Minimum password length: 8
Length of password history maintained: 3
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: PRIMARY
The command completed successfully.
C:\Documents and Settings\Administrator.FAPINS>
gpresults /v comes back as an unknown command.
FAPCO policy is linked at the top of the domain and it is the only policy
linked to the domain.
No, the Default Domain Policy is not linked to the DC OU, only the Default
Domain Controllers Policy is. At least that is all I see in the Group Policy
Tab.
Once Again,
Thanks for your help.
Harj said:
I am running AD in a W2K environment. I ran the recreatedefaultpol though I
am still getting the same error when trying to open up the Default Domain
Policy. Also I am still seeing that a Password Policy is in effect somewhere.
I only have one policy linked, and that is called FAPCO. This one does not
have a password policy enabled in it.
:
I would be more than happy to try those suggestions, but I am totally
unfamiliar with how to perform those operations. Any insight as to how to do
them?
:
It sounds, now that you have responded to Harj's very pertinent
inquiries, as though you may have a settings issue in a policy, as
the message states, perhaps then causing the GPO to not process
all of its extensions.
If that is so, then . . .
Your shortest route out, unless Harj or another has better idea,
may just be to a) try to recall what all custom settings the default
domain (DD) GPO has had made in it, b) define a new GPO
linked to the domain object above the DD GPO with the needed
of those recalled settings changes, c) use the KB guidance to reset
in a W2k forest the DD GPO to (relatively) initial settings (note:
a better alternative for this step exists if W2k3 functional forest)
I have two DCs and they are pointed to the DC I am logging into for DNS.
There are no errors in the FRS event log. Yes, I am logging in as the
domain Admin.
I tried what was in the Microsoft site and I am still getting the error
when I try to open it up. Any other ideas?
:
That would explain a few things...
I logged into my DC the start->Programs->Admin Tools->Domain Security Policy
(I assume this is the correct one) and when I select it I get 'Failed to
open the Group Policy Object. You may not have appropriate right. Details:
The specified directory service attribute or value does not exist'
Any idea as to what I do from here?
:
All 6 password policy settings in the default domain controllers policy
are set to 'not defined'. Is that all there should be or are there more
settings someplace I do not know about? Thanks for your help.
:
On May 15, 7:35 am, Ben wrote:
Great. Thank you both for your help.
:
www.microsoft.com/gp
and follow the links to get GPMC
This tool both shows the GPOs linked, to where, with
what priority, and also has resultant policy features.
You probably will need to set the password policy to
what you want, in a domain linked GPO that has the
highest priority.
Is there a way to list all active policies affecting my domain? The
reason I ask is I went to create a new user today and the password I put
in was rejected. I had remembered playing with the password policy a while
back, so I was able to make a temp password that met the requirements, but
I am unable to find where that policy is in effect. Any help would be
greatly appreciated.
RSOP is a great tool to find policies and the settings from the
policies. You mention that you changed the password policy "somewhere".
Well, look in the default domain policy to see if this is where you
have made the changes unless you linked a group policy higher up in
priority.
I say this because this is the only policy that you can set the domain
password policy.
Harj Singh
Power Your Active Directory Investment
www.specopssoft.com
Wrong policy bud, you are looking at the default DOMAIN CONTROLLERS
policy.
You need to look at the DEFAULT DOMAIN policy.
This policy must be applied to the domain controllers.
Harj Singh
Power Your Active Directory Investment
www.specopsoft.com
Ok first and foremost make sure we are logged in with an account that
has access to the GPOs.
Make sure we only have one NIC enabled on this DC and it is pointed to
a DNS server authoritative for your domain.
Can you open up any other policy?
"Failed to Open the Group Policy Object" Error Message Occurs When You
Try to Open a Policy As a Domain Administrator
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q294257
Good luck
Harj Singh
Power Your Active Directory Investment
www.specopssoft.com
Ok how many domain controllers do you have and where are they pointed
to for DNS?
Do you have any errors in the FRS event log?
Did you verify the account you are connecting with?
I think any one of the suggestions made by Roger would get you back on
...
Hi,
Sorry about that, the command is actually gpresult /v
Ok, let's look at the results you have sent me. The first one comes
from a client machine and the second from a DC.
Client:
Minimum password age (days): 0
Maximum password age (days): 42
Minimum password length: 0
Length of password history maintained: None
Domain controller:
Minimum password age (days): 30
Maximum password age (days): 60
Minimum password length: 8
Length of password history maintained: 3
When you open up GPMC, in the left pane click on your domain.
If you do not see default domain policy on the right pane under linked
Group Policy Objects after clicking your domain as above, your default
domain policy is not linked.
I would right click your domain and choose link existing GPO and
select the default domain policy.
Right click the Domain Controllers OU and make sure we do not have
block inheritance checked.
Initiate a group policy refresh on the domain controllers by running
gpupdate on the DC's.
Verify in the application log that we do not have any errors with
group policies applying.
Verify in the FRS log that we only have 13516 or 13509 listed as the
latest event.
Now, if all above goes good you should now have a default domain
policy linked at the domain level applying to the domain controllers.
We now have to see if we can go into the policy now and change the
settings. I have a solid feeling that the registry is tattooed so we
need go in and make changes to the password policy.
Please let us know how this goes.
Good luck
Harj Singh
Password Policy done right
www.specopssoft.com
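
The side-by-side comparison of the workstation and domain controller `net accounts` output made in the post above, as an added example that is not part of the original thread: it parses the two captures posted earlier and reports which account-policy fields differ. The function and constant names are assumptions made for this example.

```python
"""Report password-policy drift between two captured `net accounts` outputs."""

# Captures copied from the thread above (workstation BEN-HP, then the DC).
WORKSTATION = """\
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 42
Minimum password length: 0
Length of password history maintained: None
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: WORKSTATION
The command completed successfully.
"""

DOMAIN_CONTROLLER = WORKSTATION.replace(
    "age (days): 0", "age (days): 30").replace(
    "age (days): 42", "age (days): 60").replace(
    "length: 0", "length: 8").replace(
    "maintained: None", "maintained: 3").replace(
    "WORKSTATION", "PRIMARY")

# "Computer role" is expected to differ between hosts, so it is not compared.
IGNORED_FIELDS = {"Computer role"}


def parse_net_accounts(text):
    """Return {field: value} for each 'name: value' line of the output."""
    fields = {}
    for line in text.splitlines():
        # Split on the last colon: "Force user logoff ...?: Never" has a '?'
        # before it, and status lines without a colon are skipped.
        name, sep, value = line.rpartition(":")
        if sep and name.strip():
            fields[name.strip()] = value.strip()
    return fields


def policy_drift(first, second):
    """Return {field: (first_value, second_value)} for fields that differ."""
    a, b = parse_net_accounts(first), parse_net_accounts(second)
    names = (set(a) | set(b)) - IGNORED_FIELDS
    return {n: (a.get(n), b.get(n)) for n in sorted(names) if a.get(n) != b.get(n)}


if __name__ == "__main__":
    for field, (ws, dc) in policy_drift(WORKSTATION, DOMAIN_CONTROLLER).items():
        print(f"{field}: workstation={ws} dc={dc}")
```
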