Default Domain Policies
By default, two polices are created when you dcpromo a server: Default Domain Policy, and Default Domain Controllers Policy. These polices should have guids of {31B2F340-016D-11D2-945F-00C04FB984F9} and {31B2F210-016D-11D2-945F-00C04FB981F1} respectively. However, in my 2003 domain, someone had renamed the default domain policy and put a new one named "Default Domain Policy". To make things worse, the Default Domain Controller Policy is missing but a new policy called "Default Domain Controllers Policy" is in its place. I currently have the following:
Default Domain Policy -> {C0C9ADF5-8E49-499C-87B2-2804931871DA}
Default Domain Policy - Disabled Original -> {31B2F340-016D-11D2-945F-00C04FB984F9}
Default Domain Controllers Policy -> {6AC1786C-016F-11D2-945F-00C04fB984F9}
I do not have backups of the original policies. I suspect the polices have been in this state for at least a year if not longer.
What is the impact of leaving the policies in their current state?
Should I attempt to restore the original policies using dcgpofix.exe?
Will using dcgpofix cause any issues with my Exchange 2003 or SMS 2003 environments?
Thanks,
Sean
Hi,
The default policies created by the system should be:
Default Domain Policy
{31B2F340-016D-11D2-945F-00C04FB984F9}
Default Domain Controllers Policy
{6AC1786C-016F-11D2-945F-00C04fB984F9}
These two policies are built-in policies that define default settings applies to domain users and computers.
In this issue, I’d like to know whether the original Default Domain Policy is still linked to the domain or not. If yes, it will be OK even though it is renamed.
Regards,
Miles Li
Microsoft Online Community Support
Similar Messages
-
Default Domain Policy security settings block inheritance
I know this has been answered in one way but just to clarify, in our case default domain policy contains password security policies, Network security: LAN Manager authentication level, and some
Public Key Policies/Trusted Root
Certification Authorities settings. All of these are on computer settings, user side is disabled and is not Enforced.
Question is that if further down AD there is a inheritance filter applied, would all of the settings form Default domain policies would pass through or just security settings?
I find that they have also linked the default domain policy at OUs where they have put inhetitance filter, probably thinking that they wanted to filter out every other policy but the default domain policy.
Thanks
NSW DECCHi,
>>Question is that if further down AD there is a inheritance filter applied, would all of the settings form Default domain policies would pass through or just security settings?
The default domain policy will be blocked by enabling block inheritance at OU level. As Ramu suggested, we can enforce the default domain policy to prevent it from being blocked.
In addition, regarding this question, the following thread can also be referred to for more information.
Can I block inheritance of "Default Domain Policy"?
http://social.technet.microsoft.com/Forums/en-US/ce5173b8-b803-4e50-b05b-c4a5677bf9ba/can-i-block-inheritance-of-default-domain-policy?forum=winserverGP
Best regards,
Frank Shen -
How do I move the policy from Default domain policy to a custom policy.
I want to implement a new password policy. In the past we had a fairly loose policy, now I want to implement minimum length and complexity. I know how to set this up in Computer Config Policies windows settings security settings and account policies
password policy. However after I set it up I notice that it is not being applied. I have run gpupdate, and even waited several days but still it's not taking effect. I have created what im calling a custom gpo calling it "password policy".
It is situated under domains/mydomain.com . There are a number of other policies here.
When I run gpresult /h c:\temp\gpreport.html its all a bit confusing. It looks like it being applied but then further down it says under Group policies Applied GPOs Denied GPOs Pssword Policy mydomain.com empty. ??
But let me ask this first off .
The previous administrator I think has the password policy set up in the "default domain policy"
Is it possible that the default domain policy which IS indeed set differently is overriding my custom "password policy"
If this is so how can I make it so my custom password policy is applied over the default domain policy.
Or what other answers could it be.Hi,
Based on your requirement you can create Fine Grained Password Policies.
This feature introduced in Windows Server 2008 allows you to override password policy set at the Default Domain Policy for specific users or groups.
Checkout the below link for creating Fine Grained Password Policies from GUI in Windows Server 2012,
http://blogs.technet.com/b/reference_point/archive/2013/04/12/fine-grained-password-policies-gui-in-windows-server-2012-adac.aspx
Regards,
Gopi
JiJi
Technologies -
An error occurred while building the default domain - New version of error
I have installed JDeveloper Studio Edition Version 11.1.1.2.0. I used an temporary Admin account on the machine to install (organization security does not allow normal users to have admin accounts) and it runs perfectly well under that account.
When I logged in under my normal account though I get an error trying to run the Debugger on the application. The server appears to be the only area of JDeveloper that has issues under this account, and below is the Log:
[Waiting for the domain to finish building...]
[12:51:06 PM] Creating Integrated Weblogic domain...
The Server Instance cannot be started because the Integrated Weblogic domain was not built successfully.
[12:51:20 PM] ERROR: An error occurred while building the default domain.
Please see this log file for more details:
C:\Users\Brian.Hess2\AppData\Roaming\JDeveloper\system11.1.1.2.36.55.36\o.j2ee.adrs\CreateDefaultDomain.log
Log File: C:\Users\Brian.Hess2\AppData\Roaming\JDeveloper\system11.1.1.2.36.55.36\o.j2ee.adrs\CreateDefaultDomain.log
Label: JDEVADF_11.1.1.2.0_GENERIC_091029.2229.5536
Product Home: C:\Oracle\Middleware\jdeveloper\jdev\
Domain: C:\Users\Brian.Hess2\AppData\Roaming\JDeveloper\system11.1.1.2.36.55.36\DefaultDomain
"C:\Oracle\Middleware\oracle_common\common\bin\wlst.cmd" "C:\Users\Brian.Hess2\AppData\Roaming\JDeveloper\system11.1.1.2.36.55.36\o.j2ee.adrs\CreateDefaultDomain.py"
Process started
wlst >
wlst > CLASSPATH=C:\Oracle\MIDDLE~1\patch_wls1032\profiles\default\sys_manifest_classpath\weblogic_patch.jar;C:\Oracle\MIDDLE~1\patch_jdev1111\profiles\default\sys_manifest_classpath\weblogic_patch.jar;C:\Oracle\MIDDLE~1\JDK160~1.5-3\lib\tools.jar;C:\Oracle\MIDDLE~1\utils\config\10.3\config-launch.jar;C:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\weblogic_sp.jar;C:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\weblogic.jar;C:\Oracle\MIDDLE~1\modules\features\weblogic.server.modules_10.3.2.0.jar;C:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\webservices.jar;C:\Oracle\MIDDLE~1\modules\ORGAPA~1.0/lib/ant-all.jar;C:\Oracle\MIDDLE~1\modules\NETSFA~1.0_1/lib/ant-contrib.jar;;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.jrf_11.1.1/jrf-api.jar;C:\Oracle\MIDDLE~1\ORACLE~1/common/wlst/resources/jrf-wlst.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.odl_11.1.1/ojdl.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.odl_11.1.1/ojdl2.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.dms_11.1.1/dms.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.dconfig-infra_11.1.1.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.fabriccommon_11.1.1/fabric-common.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.xdk_11.1.0/xmlparserv2.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.xdk_11.1.0/xml.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.wsm.common_11.1.1/wsm-pmlib.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.wsm.common_11.1.1/wsm-policy-core.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.wsm.common_11.1.1/wsm-secpol.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.wsm.common_11.1.1/wsm-dependencies.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.wsm.policies_11.1.1/wsm-seed-policies.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.webservices_11.1.1/orawsdl.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.webservices_11.1.1/mdds.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.webservices_11.1.1/ws_confmbeans.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/org.apache.commons.digester_1.7.jar;C:\Oracle\MIDDLE~1\ORACLE~1/../modules/javax.xml.bind_2.1.1.jar;C:\Oracle\MIDDLE~1\ORACLE~1/../modules/javax.activation_1.1.jar;C:\Oracle\MIDDLE~1\ORACLE~1/../modules/javax.xml.stream_1.1.1.0.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.http_client_11.1.1.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.jmx_11.1.1/jmxframework.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.jmx_11.1.1/jmxspi.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.adf.dconfigbeans_11.1.1.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.adf.share.ca_11.1.1/adf-share-base.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.adf.share.ca_11.1.1/adf-share-ca.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.adf.share_11.1.1/adflogginghandler.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.adf.share_11.1.1/adfsharembean.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.adf.share_11.1.1/commons-el.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.adf.share_11.1.1/jsp-el-api.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.adf.share_11.1.1/oracle-el.jar;C:\Oracle\MIDDLE~1\ORACLE~1/common/wlst/resources/auditwlst.jar;C:\Oracle\MIDDLE~1\ORACLE~1/common/wlst/resources/sslconfigwlst.jar;C:\Oracle\MIDDLE~1\ORACLE~1/common/wlst/resources/oamap_help.jar;C:\Oracle\MIDDLE~1\ORACLE~1/common/wlst/resources/ossoiap_help.jar;C:\Oracle\MIDDLE~1\ORACLE~1/common/wlst/resources/jps-wlst.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.auditprovider_11.1.1/jps-wls-auditprovider.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.jps_11.1.1/jps-manifest.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.jps_11.1.1/jps-mbeans.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.jps_11.1.1/jps-upgrade.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.jps_11.1.1/jps-patching.jar;C:\Oracle\MIDDLE~1\ORACLE~1\common\wlst\lib\ADF-SH~1.JAR;C:\Oracle\MIDDLE~1\ORACLE~1\common\wlst\lib\mdswlst.jar;C:\Oracle\MIDDLE~1\ORACLE~1\common\wlst\RESOUR~1\AUDITW~1.JAR;C:\Oracle\MIDDLE~1\ORACLE~1\common\wlst\RESOUR~1\jps-wlst.jar;C:\Oracle\MIDDLE~1\ORACLE~1\common\wlst\RESOUR~1\jrf-wlst.jar;C:\Oracle\MIDDLE~1\ORACLE~1\common\wlst\RESOUR~1\OAMAP_~1.JAR;C:\Oracle\MIDDLE~1\ORACLE~1\common\wlst\RESOUR~1\OAMAUT~1.JAR;C:\Oracle\MIDDLE~1\ORACLE~1\common\wlst\RESOUR~1\ossoiap.jar;C:\Oracle\MIDDLE~1\ORACLE~1\common\wlst\RESOUR~1\OSSOIA~1.JAR;C:\Oracle\MIDDLE~1\ORACLE~1\common\wlst\RESOUR~1\SSLCON~1.JAR;C:\Oracle\MIDDLE~1\ORACLE~1\common\wlst\RESOUR~1\wsm-wlst.jar
wlst >
wlst > PATH=C:\Oracle\MIDDLE~1\patch_wls1032\profiles\default\native;C:\Oracle\MIDDLE~1\patch_jdev1111\profiles\default\native;C:\Oracle\MIDDLE~1\WLSERV~1.3\server\native\win\32;C:\Oracle\MIDDLE~1\WLSERV~1.3\server\bin;C:\Oracle\MIDDLE~1\modules\ORGAPA~1.0\bin;C:\Oracle\MIDDLE~1\JDK160~1.5-3\jre\bin;C:\Oracle\MIDDLE~1\JDK160~1.5-3\bin;;C:\Oracle\MIDDLE~1\WLSERV~1.3\server\native\win\32\oci920_8
wlst >
wlst > Your environment has been set.
wlst >
wlst > CLASSPATH=C:\Oracle\MIDDLE~1\patch_wls1032\profiles\default\sys_manifest_classpath\weblogic_patch.jar;C:\Oracle\MIDDLE~1\patch_jdev1111\profiles\default\sys_manifest_classpath\weblogic_patch.jar;C:\Oracle\MIDDLE~1\JDK160~1.5-3\lib\tools.jar;C:\Oracle\MIDDLE~1\utils\config\10.3\config-launch.jar;C:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\weblogic_sp.jar;C:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\weblogic.jar;C:\Oracle\MIDDLE~1\modules\features\weblogic.server.modules_10.3.2.0.jar;C:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\webservices.jar;C:\Oracle\MIDDLE~1\modules\ORGAPA~1.0/lib/ant-all.jar;C:\Oracle\MIDDLE~1\modules\NETSFA~1.0_1/lib/ant-contrib.jar;;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.jrf_11.1.1/jrf-api.jar;C:\Oracle\MIDDLE~1\ORACLE~1/common/wlst/resources/jrf-wlst.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.odl_11.1.1/ojdl.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.odl_11.1.1/ojdl2.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.dms_11.1.1/dms.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.dconfig-infra_11.1.1.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.fabriccommon_11.1.1/fabric-common.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.xdk_11.1.0/xmlparserv2.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.xdk_11.1.0/xml.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.wsm.common_11.1.1/wsm-pmlib.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.wsm.common_11.1.1/wsm-policy-core.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.wsm.common_11.1.1/wsm-secpol.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.wsm.common_11.1.1/wsm-dependencies.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.wsm.policies_11.1.1/wsm-seed-policies.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.webservices_11.1.1/orawsdl.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.webservices_11.1.1/mdds.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.webservices_11.1.1/ws_confmbeans.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/org.apache.commons.digester_1.7.jar;C:\Oracle\MIDDLE~1\ORACLE~1/../modules/javax.xml.bind_2.1.1.jar;C:\Oracle\MIDDLE~1\ORACLE~1/../modules/javax.activation_1.1.jar;C:\Oracle\MIDDLE~1\ORACLE~1/../modules/javax.xml.stream_1.1.1.0.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.http_client_11.1.1.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.jmx_11.1.1/jmxframework.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.jmx_11.1.1/jmxspi.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.adf.dconfigbeans_11.1.1.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.adf.share.ca_11.1.1/adf-share-base.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.adf.share.ca_11.1.1/adf-share-ca.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.adf.share_11.1.1/adflogginghandler.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.adf.share_11.1.1/adfsharembean.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.adf.share_11.1.1/commons-el.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.adf.share_11.1.1/jsp-el-api.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.adf.share_11.1.1/oracle-el.jar;C:\Oracle\MIDDLE~1\ORACLE~1/common/wlst/resources/auditwlst.jar;C:\Oracle\MIDDLE~1\ORACLE~1/common/wlst/resources/sslconfigwlst.jar;C:\Oracle\MIDDLE~1\ORACLE~1/common/wlst/resources/oamap_help.jar;C:\Oracle\MIDDLE~1\ORACLE~1/common/wlst/resources/ossoiap_help.jar;C:\Oracle\MIDDLE~1\ORACLE~1/common/wlst/resources/jps-wlst.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.auditprovider_11.1.1/jps-wls-auditprovider.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.jps_11.1.1/jps-manifest.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.jps_11.1.1/jps-mbeans.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.jps_11.1.1/jps-upgrade.jar;C:\Oracle\MIDDLE~1\ORACLE~1/modules/oracle.jps_11.1.1/jps-patching.jar;C:\Oracle\MIDDLE~1\ORACLE~1\common\wlst\lib\ADF-SH~1.JAR;C:\Oracle\MIDDLE~1\ORACLE~1\common\wlst\lib\mdswlst.jar;C:\Oracle\MIDDLE~1\ORACLE~1\common\wlst\RESOUR~1\AUDITW~1.JAR;C:\Oracle\MIDDLE~1\ORACLE~1\common\wlst\RESOUR~1\jps-wlst.jar;C:\Oracle\MIDDLE~1\ORACLE~1\common\wlst\RESOUR~1\jrf-wlst.jar;C:\Oracle\MIDDLE~1\ORACLE~1\common\wlst\RESOUR~1\OAMAP_~1.JAR;C:\Oracle\MIDDLE~1\ORACLE~1\common\wlst\RESOUR~1\OAMAUT~1.JAR;C:\Oracle\MIDDLE~1\ORACLE~1\common\wlst\RESOUR~1\ossoiap.jar;C:\Oracle\MIDDLE~1\ORACLE~1\common\wlst\RESOUR~1\OSSOIA~1.JAR;C:\Oracle\MIDDLE~1\ORACLE~1\common\wlst\RESOUR~1\SSLCON~1.JAR;C:\Oracle\MIDDLE~1\ORACLE~1\common\wlst\RESOUR~1\wsm-wlst.jar;C:\Oracle\MIDDLE~1\WLSERV~1.3\common\eval\pointbase\lib\pbembedded57.jar;C:\Oracle\MIDDLE~1\WLSERV~1.3\common\eval\pointbase\lib\pbclient57.jar;C:\Oracle\MIDDLE~1\WLSERV~1.3\common\eval\pointbase\lib\pbtools57.jar
wlst >
wlst > Initializing WebLogic Scripting Tool (WLST) ...
wlst >
wlst > Welcome to WebLogic Server Administration Scripting Shell
wlst >
wlst > Type help() for help on available commands
wlst >
wlst > Creating Default Domain
wlst > Reading template: /C:/Oracle/Middleware/wlserver_10.3/common/templates/domains/wls.jar
wlst > Setting Name to 'DefaultServer'
wlst > Setting ListenAddress to ''
wlst > Setting ListenPort to 7101
wlst > Setting domain administrator to 'weblogic'
wlst > Setting domain password.
wlst > Writing domain: /C:/Users/Brian.Hess2/AppData/Roaming/JDeveloper/system11.1.1.2.36.55.36/DefaultDomain/
wlst > Error: writeDomain() failed. Do dumpStack() to see details.
wlst > Problem invoking WLST - Traceback (innermost last):
wlst > File "C:\Users\Brian.Hess2\AppData\Roaming\JDeveloper\system11.1.1.2.36.55.36\o.j2ee.adrs\CreateDefaultDomain.py", line 68, in ?
wlst > File "C:\Users\Brian.Hess2\AppData\Local\Temp\1\WLSTOfflineIni2950955933333350592.py", line 71, in writeDomain
wlst > at com.bea.plateng.domain.script.jython.CommandExceptionHandler.handleException(CommandExceptionHandler.java:51)
wlst >
wlst > at com.bea.plateng.domain.script.jython.WLScriptContext.handleException(WLScriptContext.java:1497)
wlst >
wlst > at com.bea.plateng.domain.script.jython.WLScriptContext.writeDomain(WLScriptContext.java:786)
wlst >
wlst > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
wlst >
wlst > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
wlst >
wlst > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
wlst >
wlst > at java.lang.reflect.Method.invoke(Method.java:597)
wlst >
wlst >
wlst > com.bea.plateng.domain.script.jython.WLSTException: com.bea.plateng.domain.script.jython.WLSTException: com.bea.plateng.domain.script.ScriptException: java.lang.Exception: Got error in writing the node manager C:\Oracle\Middleware\wlserver_10.3\common\nodemanager\nodemanager.domains property file!
wlst >
Elapsed time: 13686 ms
Any one have any ideas??? Seems like security issue, but this account has full access to it's C:/User/Account folders.
Thanks in advance.Hi,
Can you try the following steps and let us know if it works?
1. Create a folder in your c: drive (say c:\myjdevhome)
2. Invoke the command prompt, set JDEV_USER_HOME=c:\myjdevhome
3. cd to JDEV_HOME\jdeveloper\jdev\bin
4. Start the jdev (jdev.exe).
5. Run/Debug your application.
-Arun -
Default domain policy got corrupted and can't reverse to old system state?
Initially we had two servers which was 2003 and 2008, after adding additional two more servers (server 2012) in the network and then demoted the old servers. and that was quite while ago. after carefully looking a the default policy I have noticed that there
so many policies was applied on default policy object which led me to disable them and created a backup for both domain controller and the domain policy.
now the problem is stupidly run
dcgpofix thought it will restore the domain policy to it's original state but it did not instead it came up with an empty default policy template and inside there is no security policy which i can edit. However i did tried to restore the old policy which
i backed up but i get an access denied error.
Now i realise that the original default policy was from server 2003 and the current schema domain functional level is 2012. Currently
I can not login to any newly added computers to the domain via domain administrator account.
Please help! Is there any way to create a new default domain policy?Hi thanks for your input,
but that doesn't resolves my issue. However I have managed to fix it by modifying the Default policy systemflags and then run the command gpfixup.exe /ignoreschema /target :domain.com.
and after that I was able to restore my old gp from earlier backup. -
(mac,jdeveloper 11g) can't create a default domain on weblogic - NEWBIE
hello,
I would like tu use jdeveloper so I created a generic project with the purpose of create a jsf page in it.
but I can't deploy it on the weblogic server as I can't create a default domain; here is the log for the error :
Log File: /Users/lolveley/.jdeveloper/system11.1.1.3.37.56.60/o.j2ee.adrs/CreateDefaultDomain.log
Label: JDEVADF_11.1.1.3.PS2_GENERIC_100408.2356.5660
Product Home: /Users/lolveley/Oracle/Middleware/jdeveloper/jdev/
Domain: /Users/lolveley/.jdeveloper/system11.1.1.3.37.56.60/DefaultDomain
"/Users/lolveley/Oracle/Middleware/oracle_common/common/bin/wlst.sh" "/Users/lolveley/.jdeveloper/system11.1.1.3.37.56.60/o.j2ee.adrs/CreateDefaultDomain.py"
Process started
wlst > CLASSPATH=/Users/lolveley/Oracle/Middleware/patch_wls1033/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/Users/lolveley/Oracle/Middleware/patch_jdev1111/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home/lib/tools.jar:/Users/lolveley/Oracle/Middleware/wlserver_10.3/server/lib/weblogic_sp.jar:/Users/lolveley/Oracle/Middleware/wlserver_10.3/server/lib/weblogic.jar:/Users/lolveley/Oracle/Middleware/modules/features/weblogic.server.modules_10.3.3.0.jar:/Users/lolveley/Oracle/Middleware/wlserver_10.3/server/lib/webservices.jar:/Users/lolveley/Oracle/Middleware/modules/org.apache.ant_1.7.1/lib/ant-all.jar:/Users/lolveley/Oracle/Middleware/modules/net.sf.antcontrib_1.1.0.0_1-0b2/lib/ant-contrib.jar::/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.jrf_11.1.1/jrf-api.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/jrf-wlst.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.odl_11.1.1/ojdl.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.odl_11.1.1/ojdl2.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.dms_11.1.1/dms.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.dconfig-infra_11.1.1.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.fabriccommon_11.1.1/fabric-common.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.xdk_11.1.0/xmlparserv2.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.xdk_11.1.0/xml.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.wsm.common_11.1.1/wsm-pmlib.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.wsm.common_11.1.1/wsm-policy-core.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.wsm.common_11.1.1/wsm-secpol.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.wsm.common_11.1.1/wsm-dependencies.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.wsm.policies_11.1.1/wsm-seed-policies.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.webservices_11.1.1/orawsdl.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.webservices_11.1.1/mdds.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.webservices_11.1.1/ws_confmbeans.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/org.apache.commons.digester_1.8.jar:/Users/lolveley/Oracle/Middleware/oracle_common/../modules/javax.xml.bind_2.1.1.jar:/Users/lolveley/Oracle/Middleware/oracle_common/../modules/javax.activation_1.1.jar:/Users/lolveley/Oracle/Middleware/oracle_common/../modules/javax.xml.stream_1.1.1.0.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.http_client_11.1.1.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.jmx_11.1.1/jmxframework.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.jmx_11.1.1/jmxspi.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.adf.dconfigbeans_11.1.1.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.adf.share.ca_11.1.1/adf-share-base.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.adf.share.ca_11.1.1/adf-share-ca.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.adf.share_11.1.1/adflogginghandler.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.adf.share_11.1.1/adfsharembean.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.adf.share_11.1.1/commons-el.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.adf.share_11.1.1/jsp-el-api.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.adf.share_11.1.1/oracle-el.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/auditwlst.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/sslconfigwlst.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/oamap_help.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/ossoiap_help.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/jps-wlst.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.auditprovider_11.1.1/jps-wls-auditprovider.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.jps_11.1.1/jps-manifest.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.jps_11.1.1/jps-mbeans.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.jps_11.1.1/jps-upgrade.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.jps_11.1.1/jps-patching.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/lib/adf-share-mbeans-wlst.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/lib/mdswlst.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/auditwlst.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/jps-wlst.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/jrf-wlst.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/oamAuthnProvider.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/oamap_help.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/ossoiap.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/ossoiap_help.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/sslconfigwlst.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/wsm-wlst.jar
wlst >
wlst > PATH=/Users/lolveley/Oracle/Middleware/wlserver_10.3/server/bin:/Users/lolveley/Oracle/Middleware/modules/org.apache.ant_1.7.1/bin:/System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home/jre/bin:/System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home/bin:/usr/gnu/bin:/usr/local/bin:/bin:/usr/bin:.
wlst >
wlst > Your environment has been set.
wlst >
wlst > CLASSPATH=/Users/lolveley/Oracle/Middleware/patch_wls1033/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/Users/lolveley/Oracle/Middleware/patch_jdev1111/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home/lib/tools.jar:/Users/lolveley/Oracle/Middleware/wlserver_10.3/server/lib/weblogic_sp.jar:/Users/lolveley/Oracle/Middleware/wlserver_10.3/server/lib/weblogic.jar:/Users/lolveley/Oracle/Middleware/modules/features/weblogic.server.modules_10.3.3.0.jar:/Users/lolveley/Oracle/Middleware/wlserver_10.3/server/lib/webservices.jar:/Users/lolveley/Oracle/Middleware/modules/org.apache.ant_1.7.1/lib/ant-all.jar:/Users/lolveley/Oracle/Middleware/modules/net.sf.antcontrib_1.1.0.0_1-0b2/lib/ant-contrib.jar::/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.jrf_11.1.1/jrf-api.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/jrf-wlst.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.odl_11.1.1/ojdl.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.odl_11.1.1/ojdl2.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.dms_11.1.1/dms.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.dconfig-infra_11.1.1.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.fabriccommon_11.1.1/fabric-common.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.xdk_11.1.0/xmlparserv2.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.xdk_11.1.0/xml.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.wsm.common_11.1.1/wsm-pmlib.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.wsm.common_11.1.1/wsm-policy-core.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.wsm.common_11.1.1/wsm-secpol.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.wsm.common_11.1.1/wsm-dependencies.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.wsm.policies_11.1.1/wsm-seed-policies.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.webservices_11.1.1/orawsdl.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.webservices_11.1.1/mdds.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.webservices_11.1.1/ws_confmbeans.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/org.apache.commons.digester_1.8.jar:/Users/lolveley/Oracle/Middleware/oracle_common/../modules/javax.xml.bind_2.1.1.jar:/Users/lolveley/Oracle/Middleware/oracle_common/../modules/javax.activation_1.1.jar:/Users/lolveley/Oracle/Middleware/oracle_common/../modules/javax.xml.stream_1.1.1.0.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.http_client_11.1.1.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.jmx_11.1.1/jmxframework.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.jmx_11.1.1/jmxspi.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.adf.dconfigbeans_11.1.1.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.adf.share.ca_11.1.1/adf-share-base.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.adf.share.ca_11.1.1/adf-share-ca.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.adf.share_11.1.1/adflogginghandler.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.adf.share_11.1.1/adfsharembean.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.adf.share_11.1.1/commons-el.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.adf.share_11.1.1/jsp-el-api.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.adf.share_11.1.1/oracle-el.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/auditwlst.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/sslconfigwlst.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/oamap_help.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/ossoiap_help.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/jps-wlst.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.auditprovider_11.1.1/jps-wls-auditprovider.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.jps_11.1.1/jps-manifest.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.jps_11.1.1/jps-mbeans.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.jps_11.1.1/jps-upgrade.jar:/Users/lolveley/Oracle/Middleware/oracle_common/modules/oracle.jps_11.1.1/jps-patching.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/lib/adf-share-mbeans-wlst.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/lib/mdswlst.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/auditwlst.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/jps-wlst.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/jrf-wlst.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/oamAuthnProvider.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/oamap_help.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/ossoiap.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/ossoiap_help.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/sslconfigwlst.jar:/Users/lolveley/Oracle/Middleware/oracle_common/common/wlst/resources/wsm-wlst.jar:/Users/lolveley/Oracle/Middleware/utils/config/10.3/config-launch.jar::/Users/lolveley/Oracle/Middleware/wlserver_10.3/common/derby/lib/derbynet.jar:/Users/lolveley/Oracle/Middleware/wlserver_10.3/common/derby/lib/derbyclient.jar:/Users/lolveley/Oracle/Middleware/wlserver_10.3/common/derby/lib/derbytools.jar::
wlst >
wlst > Initializing WebLogic Scripting Tool (WLST) ...
wlst >
wlst > Welcome to WebLogic Server Administration Scripting Shell
wlst >
wlst > Type help() for help on available commands
wlst >
wlst > Error: ADRS_DOMAIN_PASSWORD environment variable not set.
wlst >
wlst >
wlst > Exiting WebLogic Scripting Tool.
wlst >
Elapsed time: 5019 ms
could you help me please?
olivier.hey jan :
I have another issue : I would like to use in jdeveloper JSF and primefaces, which is a component library.
but if JSF works well, I can't install primefaces : I right-click on the properties of my project, add the primefaces jar in the libraries, and add a taglib (<%@ taglib uri="http://primefaces.prime.com.tr/ui" prefix="p" %>) in my JSF page.
but I have an arror while deploying the project.
and (is it a clue?) there is no completion of the "<p: ..." tags;
but there is a window in jdeveloper : http://www.imageshotel.org/images/lolveley/apturede769cran20101017a76813.png that I can't fill ; could you help me by telling me whatr to do?
please
olivier -
Discrepancy in Default Domain Policy
Hello,
About 6 months ago we migrated from DC's running Windows 2003 R2 to Windows 2012 R2. At that time we raised our domain functional level to "Windows Server 2008 R2"
I am trying to audit my Group Policy and have found a problem I am unable to explain. I have installed RSAT tools on my local workstation, and I have been using it to view group policy to perform my audit. Everything was going fine until I came across:
"Default Domain Policy"
Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities
However when I attempted to edit the policy to look at the settings, nothing is there, the certificate is just missing.
Furthermore, when I look in the Group Policy Management on the DC, It does not even show "Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\TrustedRoot Certification Authorities"
Can anyone explain to me the following:
1. Why does my local workstations RSAT tools show settings that are not reflected on the DC?
2. Why is my RSAT tools showing settings on a certificate the does not exist? Is it because there used to be a cert there when we were using 2k3 domain controllers, and the cert wasn't migrated?
3. How can I fix this so that my RSAT Group Policy Manager on my Workstations is synched with my Domain Controllers?
Thank You in advance for any assistance.
P.S. I had several pictures setup that made the explanation of all this much easier, but I was not allowed to add them because "Body text cannot contain images or links until we are able to verify your account."I have made some interesting discoveries that I think may help future individuals, if they find this posting.
When looking at the picture in my original posting you see that the group policy points to:
"Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted
Root Certification Authorities"
So you would expect that you would navigate to the same path in the GPME (Group Policy Management Editor)
but it turns out, that is not the case, to edit these settings you must navigate to the following:
"Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies" and
double-click on "Certificate Path Validation Settings"
I discovered this information using this technet article:
http://technet.microsoft.com/en-us/library/cc754841.aspx
Under "Managing Trusted Root Certificates for a Domain"
However this does not resolve my original issue, in that it does not explain the discrepancy between RSAT tools and the DC.
Well I have a friend who has almost an identical setup to mine at his company (he is using Server 2012 R1), he checked, and he saw the exact same scenario as I have.
I am unsure if this is by design or a bug in GPO. I would assume that if it was a bug that others would have discovered it by now and written about it, can anyone provide any insight? -
Windows 2012 R2 default domain controllers policy set to enforced
Hi Guys,
So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2 and so far everything is running ok. Had a few problems relating to orphaned DC's but have cleared this up now. However, i'm now trying to get to grips with using group policy. When
i migrated, the old policy settings seemed to have come across and things seem to be still locked down ok, in relation to certain OUs. I run a network at our local college so i have a student container which applies a lock-down policy. All these GPOs where
previously setup by someone else.
I setup a test network at home before i did the said migration and am now comparing some group policy settings, namely the default ones, and i have noticed that default domain controllers policy has been set to enforced on my newly migrated domain. At home
on my test server i see it is not enforced by default and am wondering why this is? I have been reading up but i can't find anything that tells me it should be enforced but wary to disable this setting. The students return on Monday so i don't want to mess
it up at this stage.
One thing that i did find odd is when i first opened up the GPO's, i was prompted with a message which stated that the policies in the sysvol folder where not consistent with the ones in AD so i followed its recommendation to update.
Any advise you guys have on this would be greatly appreciated.
David> So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2
> and so far everything is running ok.
This does NOT touch any GPOs, so your GPOs are not "migrated" or
something like that - they are still what they were before.
> enforced on my newly migrated domain. At home on my test server i see it
> is not enforced by default and am wondering why this is?
"A sever misunderstanding of how group policy inheritance and link order
works" is the closest reason I see for this. The DDCP is linked to
"Domain Controllers", and as long as you do not create subordinate OUs
there (which I've never seen) and block inheritance on them, there's no
reason to enforce.
To add my experience from the field: When I see enforced GPOs, in most
cases this enforcement is not required. People simply use it because
they do not understand "link order".
> One thing that i did find odd is when i first opened up the GPO's, i was
> prompted with a message which stated that the policies in the sysvol
> folder where not consistent with the ones in AD so i followed its
> recommendation to update.
That's fairly ok and nothing to hassle about.
Martin
Mal ein
GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
Default Domain Policy Not Applying Settings to Servers or Clients
I have 2008 R2 DC's with a functioning level of 2003. Our domain servers are a mix of 2003, 2008, 2008 R2, and 2012 and our clients are a mix of Windows 7 Pro and Windows 8.1 Pro.
I recently made a change to the Default Domain Policy located at Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options
For the Security Policy setting called: Network security: Configure encryption types allowed for Kerberos
The change was to enable DES because of a specific need that I have with an application that I work with but enabling DES and leaving the other options such AES unselected caused other applications to not work right. I decided to revert the changes
back to "Not Defined" but those changes did not reflect on the servers even after running the gpupdate /force command.
In order to keep the application working that broke, we enabled all of the encryption levels such as DES, AES, etc. on the server that's running the application via it's Local Security Policy as a temporary fix.
Now, I want to make sure all servers receive the settings from the Default Domain Policy and have their Local Security Policies reflect the "Not Defined" setting but it's not applying. It seems like they worked when I first applied them but
when I try to remove them it does not work.
If I change the setting directly on the Local Security Policy on the server or clients it shows "No minimum" instead of "Not Defined" which I've heard can be fixed by identifying the registry entry for that setting and deleting it...so
help with the location and how to identify that key would also be helpful.
My goal is not to manually have to change servers and clients to revert back to their default settings...I want the Domain policy to apply and override the servers and client's Local Security Policy.
Any help with this would be greatly appreciated and thank you in advance.I have 2008 R2 DC's with a functioning level of 2003. Our domain servers are a mix of 2003, 2008, 2008 R2, and 2012 and our clients are a mix of Windows 7 Pro and Windows 8.1 Pro.
I recently made a change to the Default Domain Policy located at Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options
For the Security Policy setting called: Network security: Configure encryption types allowed for Kerberos
refer:
http://technet.microsoft.com/en-us/library/jj852180(v=ws.10).aspx
We needed to implement a similar scenario a few years ago (when we introduced Windows7 into our estate).
We had an SAP/NetWeaver implementation which always worked on WinXP, but failed on Win7.
We had to enable the DES ciphers, since those were disabled by default in Win7. We discovered that we also needed to enable all the other ciphers (those which are enabled by default[not configured]).
i.e., when we changed the setting from "Not Configured", enabled DES, and left the RC4/AES stuff untouched by us, the RC4/AES stuff attracted a status of disabled.
So, we had to set the DES ciphers to Enabled, and, also set the RC4/AES ciphers to Enabled - this gave us the "resultant" enablement of the default stuff and the needed change/addition of DES.
When you set a GP setting "back to Not Configured", depending upon the setting *AND* the individual Windows feature itself - one of two things will happen:
a) the feature will "revert" to default behaviour
b) the feature will retain the current configured behaviour but becomes un-managed
In classic Group Policy terms, condition (b) above is often referred to as "tattooing", i.e., the last GP setting remains in effect even though GPMC/RSOP/etc does not reveal that to be the case.
(This is also a really good example of not doing this sort of stuff in the DDP. It could have borked your whole domain :)
What I'd suggest, is that you re-enable your ciphers for KRB settings again - this time, enable all the ciphers that would normally be "default", let that replicate around, and allow time for domain members to action it.
Then, set the setting back to Not Configured. This way, the "last" settings issued by GP will be those you want to remain as the "legacy".
Note: the GP settings reference s/sheet, has this to say:
Network security: Configure encryption types allowed for Kerberos
This policy setting allows you to set the encryption types that Kerberos is allowed to use.
If not selected, the encryption type will not be allowed. This setting may affect compatibility with client computers or services and applications. Multiple selections are permitted.
This policy is supported on at least Windows 7 or Windows Server 2008 R2.
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!) -
Reboot domain controller changes audit policy on Default Domain Controller Policy
This has been happening for a long time no matter whether my DCs were running Windows Server 2003 or, as they are now, are running Windows Server 2012 R2. It happens on DCs in one particular site, but the policy change it causes is domain-wide.
I have 2 DCs at that site, every time one of them is rebooted, the following policy is turned off, from Success and Failure to No auditing:
Default Domain Controllers Policy - Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies/Audit Policy.
I have monitoring application relying on this policy being turned on, and if it's off, it's being reported. The monitoring application knows the change, but it doesn't know how the change was made.
All my DCs are running Windows Server 2012 R2, DFL 2008 R2.
Thanks and regards.Hi,
>>I have 2 DCs at that site, every time one of them is rebooted, the following policy is turned off, from Success and Failure to No auditing:
Did we try to run command gpresult/h report.html with admin privileges to collect group policy result report to check how the policy setting was applied after rebooting? Besides, we can also try to run command
auditpol /get / category:* from an elevated command prompt to check what audit settings are applied.
Best regards,
Frank Shen
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
Default Domain Controller Policy
Hello All,
We will be starting promotion of Windows Server 2012 R2 Domain Controller in our organisation. For that we are trying to implement the Default Domain Controller Policy for 2012 r2 related.
We already have Account Policies, Password policy, Audit Policy and Security Option Firewall Settings
But would like your advice about any new features which we can applied in our Default Domain Controller
policy.
Thanks.
Thanks HAHi,
>>But would like your advice about any new features which we can applied in our Default Domain
Controller policy.
Regarding this point, the following articles can be referred to as reference.
Chapter 4: Strengthening Domain and Domain Controller Policy Settings
https://technet.microsoft.com/en-us/library/cc773205(v=ws.10).aspx
Applying Selected Domain and Domain Controller Policy Settings
https://technet.microsoft.com/en-us/library/cc773164(v=ws.10).aspx
Best regards,
Frank Shen
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
Block Inheritance and Default Domain Policy
Hello to all, I will run a cross-forest migration and target forest has a Default Domain Policy. Target domain is Windows 2003 Functional Level, but has almost all DCs on Windows 2008. As first level OUs represents country codes (USA, GBR, FRA,
etc) and a new country will be created I want to block GPOs from Domain level. The task itself is very easy, just configure "Block Inheritance" on the new country OU. Important: Default Domain Policy is >> not set << to "Enforce"
on target domain.
Question: the security configurations (account, password, local policies) from Default Domain Policy will be blocked? If yes, how domain users below this new country OU will have basic configurations for them (password complexity, password length,
certificates, etc) ?
Regards, EEOC.Question: the security configurations (account, password, local policies) from Default Domain Policy will be blocked? If yes, how domain users below this new country OU will have basic configurations for them (password complexity, password length,
certificates, etc) ?
The Domain security policy for passwords etc, is domain-wide, and cannot be blocked.
It applies to, and is controlled by, the Domain Controllers.
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!) -
My default domain policy is blocking Admin account
Hi!
I'm having some trouble... i set up my default domain policy to block control panel
but its blocking my local administrator control panel which i do not want, i've given my administrator rights to the policy
but it doesnt work...
can u help me? thanks!> but its blocking my local administrator control panel which i do not
> want, i've given my administrator rights to the policy
Can you open regedit? Then delete HKCU\Software\Policies and
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
Greetings/Grüße,
Martin
Mal ein
gutes Buch über GPOs lesen?
Good or bad GPOs? - my blog…
And if IT bothers me -
coke bottle design refreshment (-: -
Hi Experts,
i have strange issue, users are unable get the policy applied after investigating found out that the default domain policy is missing on dcs in one site, i have checked further for any events relation to journal wrapping to no avail, client pcs recwiving
this error below:
The processing of Group Policy failed. Windows attempted to read the file \\mydomain\SysVol\my
domain.local\Policies\
strange thing is that the replication is working, but only the sysvol replication not working, can someone please advice
OS: Windows 2012 R2> The processing of Group Policy failed. Windows attempted to read the
> file \\mydomain\SysVol\my
> domain.local\Policies\
Replication via DFSR or FRS? Check both eventlogs then follow the action
in the events :)
Martin
Mal ein
GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
default domain policy will be applied to all OU's by default? or it needs to linked to each OU's
default domain policy will be applied to all OU's by default? or it needs to linked to each OU's
Yes to all. Let 'Default Domain Policy' be for password policy and account policies. If you REALLY want to apply specific GPO to the whole domain, create
New policy and link it to the domain, but do not append it to the default domain policy unless you are good in documenting them.
Mahdi Tehrani |
|
www.mahditehrani.ir
Please click on Propose As Answer or to mark this post as
and helpful for other people.
This posting is provided AS-IS with no warranties, and confers no rights.
How to query members of 'Local Administrators' group in all computers?
Maybe you are looking for
-
HT1473 Why can't I transfer my music from my iphone to my iMac mini? Or vice versa?
I have two Apple products, the Mac Mini and an Iphone. But, I can't transfer the music from my mac mini to my iphone (and vice versa) using ITunes, without losing my songs on my iphone. I really want to add the new songs on my Mac mini to my iphone
-
TS4124 playing songs in sequence in a playlist
in a Playlist - songs listed do not play in a sequence --
-
Installing Microsoft 2013 Visio via Intune
I am trying to install microsoft visio using the Office deployment Tool Click and Run. I was able to get Office 2013 to successfully install by it self to over 28 computer with no problem. So I am basically used the same Configuration.xml file but wi
-
Using Timesten with Clusterware
We try to develop new system using Oracle products. Can you answer me some questions - is it possible to use Oracle Timesten with Clusterware? Does it have any sense? So I guess that in this pair TimesTen can't have its advantages. Am I right or not?
-
Anyone else having freezing issues with the new photo app on yosemite?
Whenever i send a pic or video directly from photos....it kinda freezes and won't let you do much more. I have to force quit every time