Windows 2003 Password Policy Ignored in Default Domain Policy
Hi there, I have a problem on my DC.
I set in the "Default Domain Policy" the settings for the password policy (length, complexity, etc.).
When I run a Group Policy Modeling simulation I cannot view the settings of Windows Settings\Security Settings\Account Policy\Password Policy.
The scope of the GPO is Authenticated.
The GPO seems to be ignored for the security settings but not for the other parameters like Kerberos security.
Any idea how to solve this issue?
Hi Federico,
>>i cannot view the settings of Windows Settings\Security Settings\account policy\password policy
What does this mean? Does it mean that we can't see the password policy in the modeling, or that we can't see the change we made to the password policy? Besides, were there
error messages displayed in the modeling?
In addition, we can try running the Group Policy Modeling Wizard again to see if the issue persists.
Best regards,
Frank Shen
Similar Messages
-
Removing Windows 2003 Group Policy user settings
I'm having a difficult time finding what to do.
I have a windows 2003 domain with many GP settings. One of which I can't find. It has to do with the favorites bar in IE. When a user from a certain OU logs on to any computer with any Windows OS, any favorites saved either to their Favorites
bar, or even in the Favorites folder, disappear on next logon. This happens all the time.
I thought I would create another OU with a BLANK GP and blocked inheritance. I moved a user from the original OU into the test OU, replicated the changes, and rebooted the computer on which the user would log on. The user logged on and the settings
from the original OU still applied.
I created a completely new user in the test OU and no settings were applied, which is what I want.
What is the best way to remove the original OU settings from a user that was in that original OU?
Thank you for any help
Thanks for the quick response. There are no scripts that run with the former GPO.
I did run RSOP.MSC from the test computer and received an error about not being able to read the computer settings, but the user settings were displayed. The settings the account received were from "Software Restriction Policy" and "Public
Key Policy". Nothing shows about any IE settings. I'm at a loss as to why this is happening and where these dang policies are coming from.
I've even gone as far as to go to the original GPO, and in Delegation, deny the Apply Group Policy permission to the user.
And the only policy that is applying is the test policy. The others show as either Disabled(link), or Blocked(SOM). -
Block Inheritance and Default Domain Policy
Hello to all, I will run a cross-forest migration and the target forest has a Default Domain Policy. The target domain is at Windows 2003 Functional Level, but has almost all DCs on Windows 2008. As first-level OUs represent country codes (USA, GBR, FRA,
etc) and a new country will be created I want to block GPOs from Domain level. The task itself is very easy, just configure "Block Inheritance" on the new country OU. Important: Default Domain Policy is >> not set << to "Enforce"
on target domain.
Question: the security configurations (account, password, local policies) from Default Domain Policy will be blocked? If yes, how domain users below this new country OU will have basic configurations for them (password complexity, password length,
certificates, etc) ?
Regards, EEOC.
>>Question: the security configurations (account, password, local policies) from Default Domain Policy will be blocked? If yes, how domain users below this new country OU will have basic configurations for them (password complexity, password length, certificates, etc)?
The Domain security policy for passwords etc, is domain-wide, and cannot be blocked.
It applies to, and is controlled by, the Domain Controllers.
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!) -
Windows 2003 Server Domain Login issues
We have installed Windows 2008 R2 Servers in our existing environment which was running on Windows 2003 R2. I have configured Windows 2008 as DNS and Global Catalog Server, transferred all the FSMO roles to the new Server and tested that all the clients were
able to log on to the Domain controller with no issues. Added one more Windows 2008 R2 Server as an ADC before completing demoting the Windows 2003 R2 Domain controller. For a test phase I have shut down the Windows 2003 R2 DC and noticed that
a few of the member Servers running Windows 2003 OS are not logging in to the Domain whereas Windows 2008 Member Servers, Windows XP, 7 and 8 machines are able to log in to the domain. Once I bring up the Windows 2003 R2 DC those machines are able to log in to the Domain.
Hi shujathmsa,
>>For a test phase I have shutdown the Windows 2003 R2 DC and noticed that few of the member Servers running Windows 2003 OS are not login to Domain
Based on your description, it seems that this issue only occurs on Windows Server 2003. Would you please
let me know the complete error message that you get when joining Windows Server 2003 to the domain?
Meanwhile, please follow the path
C:\Windows\debug and check the NetSetup.LOG file to see if it contains some relevant clues.
If any update, please feel free to let us know.
Hope this helps.
Best regards,
Justin Gu -
Windows 8 and Default Domain Policy modification issue
Hi,
I'm unable to edit the default domain policy from my new Windows 8 desktop. It's the only Win8 in the environment so I'm not able to easily test another one unfortunately. The error I receive is:
Group Policy Error
Failed to open the Group Policy Object. You might not have the appropriate rights.
Details: The volume for a file has been externally altered so that the opened file is no longer valid.
I have checked from a Win7 and a 2003 machine and can access and edit the GPO without issue using the same account. The Win8 desktop is a fresh install with the RSAT tools installed, Exchange 2010 tools and a few basic applications (none of which stick
out as having anything to do with AD management).
It only occurs if I click edit on the GPO. I'm able to successfully view the policy and edit the permissions etc. Have rebooted and the machine is current with patches as of now.
thanks
Andy
Cheers Andy
Hi,
According to your description, the issue only occurs when you click to edit the GPO, and only on Windows 8. I would like to suggest that you follow the suggestions below to narrow down the issue:
1. Check out whether the issue only occurred to Default domain policy object.
2. Test on another new installed Windows 8 client with only RSAT installed.
3. Create another new account and add it to domain admin group to test again.
4. Run dcdiag on DCs to check out whether the replications work fine.
Hope this helps.
Regards,
Yan Li
Cataleya Li
TechNet Community Support -
Windows 2012 R2 default domain controllers policy set to enforced
Hi Guys,
So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2 and so far everything is running ok. Had a few problems relating to orphaned DCs but have cleared this up now. However, I'm now trying to get to grips with using group policy. When
I migrated, the old policy settings seemed to have come across and things seem to be still locked down ok, in relation to certain OUs. I run a network at our local college so I have a student container which applies a lock-down policy. All these GPOs were
previously set up by someone else.
I set up a test network at home before I did the said migration and am now comparing some group policy settings, namely the default ones, and I have noticed that the default domain controllers policy has been set to enforced on my newly migrated domain. At home
on my test server I see it is not enforced by default and am wondering why this is? I have been reading up but I can't find anything that tells me it should be enforced, but I'm wary of disabling this setting. The students return on Monday so I don't want to mess
it up at this stage.
One thing that I did find odd is when I first opened up the GPOs, I was prompted with a message which stated that the policies in the sysvol folder were not consistent with the ones in AD so I followed its recommendation to update.
Any advice you guys have on this would be greatly appreciated.
David
> So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2
> and so far everything is running ok.
This does NOT touch any GPOs, so your GPOs are not "migrated" or
something like that - they are still what they were before.
> enforced on my newly migrated domain. At home on my test server i see it
> is not enforced by default and am wondering why this is?
"A severe misunderstanding of how group policy inheritance and link order
works" is the closest reason I see for this. The DDCP is linked to
"Domain Controllers", and as long as you do not create subordinate OUs
there (which I've never seen) and block inheritance on them, there's no
reason to enforce.
To add my experience from the field: When I see enforced GPOs, in most
cases this enforcement is not required. People simply use it because
they do not understand "link order".
> One thing that i did find odd is when i first opened up the GPO's, i was
> prompted with a message which stated that the policies in the sysvol
> folder where not consistent with the ones in AD so i followed its
> recommendation to update.
That's fairly ok and nothing to hassle about.
Martin
Time to read a
GOOD book about GPOs?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
Windows 8.1 cannot change password in Windows 2003 domain level domain
On several installations of Windows 8.1 Enterprise, users cannot change passwords by using the <ctrl> + <alt> + <del> keys and choosing change password.
The error is: "The security database on the server does not have a computer account for this workstation trust relationship"
Fresh Windows 8.1 enterprise installs with no patches to fully patched windows 8.1 enterprise workstations have the problem. Backed out patches one by one and tested password change without success. Tried various dell laptops, tablets, and workstations
but same issue. Tried VMware guest workstation with windows 8.1 enterprise. The domain functional level is 2003 with a mixture of Windows 2008 R2 DC's and Windows 2003 DC's.
The add/remove from domain did not help. What troubleshooting steps should I take from this point? Is this related to secure channel failures? Note: did not find event log entries for the failures in the DC's nor on the workstation.
Perhaps I did not search for the proper entry on the DCs.
Hi,
Please find below several possible causes of the error "The security database on the server does
not have a computer account for this workstation trust relationship":
Secure channel is broken (Can fix by rejoin problematic client to domain)
AD replication issue. The computer account exists on one domain controller but not others.
Duplicated SPN (seems not possible)
So, to narrow down the issue, you need to make sure the AD replication is working fine. Please run command
repadmin /showrepl * on a DC, then post the result here.
After that, please run
set l on a problematic client, then post the result here.
Moreover, please check on system event log and check if there have any related error of the issue.
Thanks. -
Can't edit default domain controllers policy on windows 8 or server 2012
I have found that I can't edit the "Default Domain Controllers Policy" from a Windows 8 or Server 2012 machine. I can edit and save changes fine from a Windows 7 machine. The domain controllers are running Windows 2012 Standard upgraded
from Windows 2008 R2. Is there a security setting I am missing?
Posting the resolution from the other thread. Hope it helps!
I just accidentally resolved this issue today. I added the GPMC to a 2008 R2 server so I could make a needed firewall
change within the Windows Firewall with Advanced Security section of the Default Domain Controllers GPO (I enabled the Remote Event Log management rule for the Domain profile). About an hour later, I forgot I was using my Windows 8 machine and I went
to edit the Default Domain Controllers GPO and opened for edit without a problem. I can now edit it from Windows 8 and from Windows Server 2012. Until now, I was using a Windows 7 VM to make the edits, so in my case the problem was resolved by
editing the GPO once from a 2008 R2 machine. -
Experts,
We have windows server 2003 domain functional level and password policy is defined in Default domain policy. Now our password policy does not have Max pswd age and min pswd age settings defined. So we want to test these settings.
I created a new GPO and just defined those two policies and linked it to a test OU. Moved the required computer to that OU. I read computer should be in that OU and not the user. It is not getting applied. I have two questions:
1. Even though those two settings are not defined in the default password policy, can we create a separate policy for them? Or do all password policy settings have to be defined in one GPO?
2. OU where we want to test this password policy, should have computer, user or both in that OU?
Appreciate any help!!!!
Hello,
password and account lockout settings MUST be configured at domain level. On an OU they have no effect for domain users logging on to domain machines. 3rd party tools may still exist that provide that option.
For additional settings you need Windows Server 2008 or higher then you can use Fine grained password policy settings for security groups and user accounts.
http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights. -
How do I move the policy from Default domain policy to a custom policy.
I want to implement a new password policy. In the past we had a fairly loose policy, now I want to implement minimum length and complexity. I know how to set this up in Computer Config Policies windows settings security settings and account policies
password policy. However after I set it up I notice that it is not being applied. I have run gpupdate, and even waited several days but still it's not taking effect. I have created what I'm calling a custom GPO, calling it "password policy".
It is situated under domains/mydomain.com . There are a number of other policies here.
When I run gpresult /h c:\temp\gpreport.html it's all a bit confusing. It looks like it's being applied but then further down it says under Group policies Applied GPOs Denied GPOs Password Policy mydomain.com empty. ??
But let me ask this first off .
The previous administrator I think has the password policy set up in the "default domain policy"
Is it possible that the default domain policy which IS indeed set differently is overriding my custom "password policy"
If this is so how can I make it so my custom password policy is applied over the default domain policy.
Or what other answers could it be.
Hi,
Based on your requirement you can create Fine Grained Password Policies.
This feature introduced in Windows Server 2008 allows you to override password policy set at the Default Domain Policy for specific users or groups.
Checkout the below link for creating Fine Grained Password Policies from GUI in Windows Server 2012,
http://blogs.technet.com/b/reference_point/archive/2013/04/12/fine-grained-password-policies-gui-in-windows-server-2012-adac.aspx
Regards,
Gopi
JiJi
Technologies -
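The two replies above (password and lockout settings only take effect at the domain level; fine-grained password policies are the supported way to vary them per user or group on a 2008+ functional level) can be verified from a workstation with RSAT. The following is an added example, not code from any post on this page; it assumes the ActiveDirectory PowerShell module, Domain Admin rights, and the constructed names PSO-ServiceAccounts, ServiceAccounts and svc-backup.

```powershell
# Added example: inspect the domain-level password policy, create a
# Password Settings Object (PSO) for one group, and check which policy a user
# actually receives. Names below are constructed placeholders.
Import-Module ActiveDirectory

# 1. Only the policy on the domain head (normally the Default Domain Policy)
#    governs domain accounts. A password-policy GPO linked to an OU changes only
#    the local SAM accounts of computers in that OU, which is why the OU test in
#    the question above "does nothing" for domain users.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
$domainPolicy | Select-Object MinPasswordLength, ComplexityEnabled,
    PasswordHistoryCount, MinPasswordAge, MaxPasswordAge, LockoutThreshold

# 2. A PSO overrides the domain policy for its subjects without editing the
#    Default Domain Policy. Lower Precedence wins if several PSOs match a user.
$psoName = 'PSO-ServiceAccounts'   # constructed
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -ComplexityEnabled $true -MinPasswordLength 20 -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
}
# PSO subjects are users and global security groups only, never OUs or computers.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'ServiceAccounts'

# 3. Resultant policy for one account. Get-ADUserResultantPasswordPolicy returns
#    nothing when no PSO applies, in which case the domain-level policy is in force.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) {
        [pscustomobject]@{ User = $SamAccountName; Source = "PSO: $($pso.Name)"
                           MinLength = $pso.MinPasswordLength; MaxAge = $pso.MaxPasswordAge }
    } else {
        $d = Get-ADDefaultDomainPasswordPolicy
        [pscustomobject]@{ User = $SamAccountName; Source = 'Domain-level policy'
                           MinLength = $d.MinPasswordLength; MaxAge = $d.MaxPasswordAge }
    }
}
Get-EffectivePasswordPolicy -SamAccountName 'svc-backup'   # constructed account
```

Run step 3 for a user from the "not applying" OU: if Source reports the domain-level policy, the OU-linked GPO was never going to change that user's password rules.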
Broken Default Domain Policy! GPOFIX Doesn't work
Justin1250 wrote:
So I noticed that command prompt is open in the users directory.
Did you right click on the command window and run as administrator?
It should run from the system directory as an admin.
Yes I did. I just made sure again to run it as admin. Same result.
I've spent hours and hours trying to fix this but can't. I seem to have located the problem where the default domain policy has lost its child associated with the GUID in AD/Registry. None of the tools seem to work, and I can't delete and recreate it because it thinks it doesn't exist and because Microsoft has engineered it to not be removable. This would be fine if it wasn't corrupted. I've read on some forums that the inability to delete a policy object is due to permissions issues. However, that isn't the issue in my case.
I've tried THIS which didn't work.
I recently did a test migration to 2012 from 2003, and was hoping when I migrated the data that the GPO wouldn't transfer its corrupted data, but I was wrong :-/
The pictures below should illustrate more detail than I could describe.
GPOFIX Tool
Active Directory showing that the GUID...
This topic first appeared in the Spiceworks Community -
Discrepancy in Default Domain Policy
Hello,
About 6 months ago we migrated from DC's running Windows 2003 R2 to Windows 2012 R2. At that time we raised our domain functional level to "Windows Server 2008 R2"
I am trying to audit my Group Policy and have found a problem I am unable to explain. I have installed RSAT tools on my local workstation, and I have been using it to view group policy to perform my audit. Everything was going fine until I came across:
"Default Domain Policy"
Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities
However when I attempted to edit the policy to look at the settings, nothing is there, the certificate is just missing.
Furthermore, when I look in the Group Policy Management on the DC, It does not even show "Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\TrustedRoot Certification Authorities"
Can anyone explain to me the following:
1. Why does my local workstations RSAT tools show settings that are not reflected on the DC?
2. Why are my RSAT tools showing settings on a certificate that does not exist? Is it because there used to be a cert there when we were using 2k3 domain controllers, and the cert wasn't migrated?
3. How can I fix this so that my RSAT Group Policy Manager on my Workstations is synched with my Domain Controllers?
Thank You in advance for any assistance.
P.S. I had several pictures set up that made the explanation of all this much easier, but I was not allowed to add them because "Body text cannot contain images or links until we are able to verify your account."
I have made some interesting discoveries that I think may help future individuals, if they find this posting.
When looking at the picture in my original posting you see that the group policy points to:
"Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted
Root Certification Authorities"
So you would expect that you would navigate to the same path in the GPME (Group Policy Management Editor)
but it turns out, that is not the case, to edit these settings you must navigate to the following:
"Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies" and
double-click on "Certificate Path Validation Settings"
I discovered this information using this technet article:
http://technet.microsoft.com/en-us/library/cc754841.aspx
Under "Managing Trusted Root Certificates for a Domain"
However this does not resolve my original issue, in that it does not explain the discrepancy between RSAT tools and the DC.
Well I have a friend who has almost an identical setup to mine at his company (he is using Server 2012 R1), he checked, and he saw the exact same scenario as I have.
I am unsure if this is by design or a bug in GPO. I would assume that if it was a bug that others would have discovered it by now and written about it, can anyone provide any insight? -
Default Domain Policy Not Applying Settings to Servers or Clients
I have 2008 R2 DC's with a functioning level of 2003. Our domain servers are a mix of 2003, 2008, 2008 R2, and 2012 and our clients are a mix of Windows 7 Pro and Windows 8.1 Pro.
I recently made a change to the Default Domain Policy located at Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options
For the Security Policy setting called: Network security: Configure encryption types allowed for Kerberos
The change was to enable DES because of a specific need that I have with an application that I work with, but enabling DES and leaving the other options such as AES unselected caused other applications to not work right. I decided to revert the changes
back to "Not Defined" but those changes did not reflect on the servers even after running the gpupdate /force command.
In order to keep the application working that broke, we enabled all of the encryption levels such as DES, AES, etc. on the server that's running the application via its Local Security Policy as a temporary fix.
Now, I want to make sure all servers receive the settings from the Default Domain Policy and have their Local Security Policies reflect the "Not Defined" setting but it's not applying. It seems like they worked when I first applied them but
when I try to remove them it does not work.
If I change the setting directly on the Local Security Policy on the server or clients it shows "No minimum" instead of "Not Defined" which I've heard can be fixed by identifying the registry entry for that setting and deleting it...so
help with the location and how to identify that key would also be helpful.
My goal is not to manually have to change servers and clients to revert back to their default settings...I want the Domain policy to apply and override the servers and client's Local Security Policy.
Any help with this would be greatly appreciated and thank you in advance.
>>I have 2008 R2 DC's with a functioning level of 2003. Our domain servers are a mix of 2003, 2008, 2008 R2, and 2012 and our clients are a mix of Windows 7 Pro and Windows 8.1 Pro.
>>I recently made a change to the Default Domain Policy located at Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options
>>For the Security Policy setting called: Network security: Configure encryption types allowed for Kerberos
refer:
http://technet.microsoft.com/en-us/library/jj852180(v=ws.10).aspx
We needed to implement a similar scenario a few years ago (when we introduced Windows7 into our estate).
We had an SAP/NetWeaver implementation which always worked on WinXP, but failed on Win7.
We had to enable the DES ciphers, since those were disabled by default in Win7. We discovered that we also needed to enable all the other ciphers (those which are enabled by default[not configured]).
i.e., when we changed the setting from "Not Configured", enabled DES, and left the RC4/AES stuff untouched by us, the RC4/AES stuff attracted a status of disabled.
So, we had to set the DES ciphers to Enabled, and, also set the RC4/AES ciphers to Enabled - this gave us the "resultant" enablement of the default stuff and the needed change/addition of DES.
When you set a GP setting "back to Not Configured", depending upon the setting *AND* the individual Windows feature itself - one of two things will happen:
a) the feature will "revert" to default behaviour
b) the feature will retain the current configured behaviour but becomes un-managed
In classic Group Policy terms, condition (b) above is often referred to as "tattooing", i.e., the last GP setting remains in effect even though GPMC/RSOP/etc does not reveal that to be the case.
(This is also a really good example of not doing this sort of stuff in the DDP. It could have borked your whole domain :)
What I'd suggest, is that you re-enable your ciphers for KRB settings again - this time, enable all the ciphers that would normally be "default", let that replicate around, and allow time for domain members to action it.
Then, set the setting back to Not Configured. This way, the "last" settings issued by GP will be those you want to remain as the "legacy".
Note: the GP settings reference s/sheet, has this to say:
Network security: Configure encryption types allowed for Kerberos
This policy setting allows you to set the encryption types that Kerberos is allowed to use.
If not selected, the encryption type will not be allowed. This setting may affect compatibility with client computers or services and applications. Multiple selections are permitted.
This policy is supported on at least Windows 7 or Windows Server 2008 R2.
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!) -
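The "tattooing" Don describes (the last GP-issued value stays in the local policy after the setting goes back to Not Defined) can be checked directly on an affected server, and the question's request for the registry entry behind this setting is answered the same way. This is an added example, not code from the thread; the registry path, value name and bit values come from my own knowledge of the "Configure encryption types allowed for Kerberos" setting, not from this page, and the three sample values are constructed.

```powershell
# Added example: decode SupportedEncryptionTypes (the value this policy writes)
# and detect whether it is still present, i.e. tattooed, after the GPO reverted.
$KerbKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$ValueName = 'SupportedEncryptionTypes'

# Bit flags exactly as the policy's checkboxes write them.
$EncTypeBits = [ordered]@{
    'DES_CBC_CRC'             = 0x01
    'DES_CBC_MD5'             = 0x02
    'RC4_HMAC_MD5'            = 0x04
    'AES128_CTS_HMAC_SHA1_96' = 0x08
    'AES256_CTS_HMAC_SHA1_96' = 0x10
    'Future encryption types' = 0x7FFFFFE0
}

function ConvertFrom-KerberosEncTypes {
    # Turn the DWORD into a readable report; unchecked boxes are disabled types.
    param([Parameter(Mandatory)][int64]$Value)
    $enabled = foreach ($name in $EncTypeBits.Keys) {
        if (($Value -band $EncTypeBits[$name]) -ne 0) { $name }
    }
    [pscustomobject]@{
        RawValue   = ('0x{0:X}' -f $Value)
        Enabled    = @($enabled)
        DesEnabled = [bool]($Value -band 0x03)
        AesEnabled = [bool]($Value -band 0x18)
        # Only DES bits set: the state the thread describes, where RC4/AES became
        # disabled and other applications stopped authenticating.
        DesOnly    = ($Value -ne 0) -and (($Value -band 0x03) -eq $Value)
    }
}

function Test-KerberosEncTypeTattoo {
    # Value present  -> a GP-issued setting is tattooed into the local policy.
    # Value absent   -> OS defaults apply; the UI shows "Not Defined"/"No minimum".
    param([switch]$Remediate)   # deleting the value is the revert; needs elevation
    $current = Get-ItemProperty -Path $KerbKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $current) {
        return [pscustomobject]@{ Tattooed = $false; Report = $null }
    }
    $report = ConvertFrom-KerberosEncTypes -Value $current.$ValueName
    if ($Remediate) { Remove-ItemProperty -Path $KerbKey -Name $ValueName }
    [pscustomobject]@{ Tattooed = $true; Report = $report }
}

# Constructed sample values (no registry access) to show the decoder:
ConvertFrom-KerberosEncTypes -Value 0x03         # DES only: the broken state
ConvertFrom-KerberosEncTypes -Value 0x7FFFFFFF   # everything incl. DES: the "resultant" enablement Don suggests issuing last
ConvertFrom-KerberosEncTypes -Value 0x7FFFFFF8   # AES + future types only: the value to prefer once DES is no longer needed

# Live check on this machine; add -Remediate from an elevated prompt to delete the value:
Test-KerberosEncTypeTattoo
```

Run the live check across the servers that were in the OU when the GPO was reverted: any host that reports Tattooed = $true with DesOnly = $true is still carrying the broken value, and after remediation the Local Security Policy shows the setting as Not Defined again.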
Reboot domain controller changes audit policy on Default Domain Controller Policy
This has been happening for a long time no matter whether my DCs were running Windows Server 2003 or, as they are now, are running Windows Server 2012 R2. It happens on DCs in one particular site, but the policy change it causes is domain-wide.
I have 2 DCs at that site, every time one of them is rebooted, the following policy is turned off, from Success and Failure to No auditing:
Default Domain Controllers Policy - Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies/Audit Policy.
I have a monitoring application relying on this policy being turned on, and if it's off, it's being reported. The monitoring application knows the change, but it doesn't know how the change was made.
All my DCs are running Windows Server 2012 R2, DFL 2008 R2.
Thanks and regards.
Hi,
>>I have 2 DCs at that site, every time one of them is rebooted, the following policy is turned off, from Success and Failure to No auditing:
Did we try to run the command gpresult /h report.html with admin privileges to collect a group policy result report to check how the policy setting was applied after rebooting? Besides, we can also try to run the command
auditpol /get /category:* from an elevated command prompt to check what audit settings are applied.
Best regards,
Frank Shen
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
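Frank's auditpol check is the one that shows the effective state regardless of which policy wrote it. The script below, added here and not from the thread, wraps it so it can be run right after a DC reboot and flag subcategories that have fallen back to No Auditing; the baseline list and the CSV sample are constructed.

```powershell
# Added example: parse the CSV form of "auditpol /get /category:* /r" and
# report required subcategories that are no longer at "Success and Failure".
function Get-AuditPolicyGaps {
    param(
        # Lines as emitted by: auditpol /get /category:* /r
        [Parameter(Mandatory)][string[]]$AuditPolCsv,
        # Constructed baseline; replace with what the monitoring application expects
        [string[]]$Required = @('Credential Validation', 'Logon', 'Logoff', 'Account Lockout')
    )
    $rows = $AuditPolCsv | ConvertFrom-Csv
    foreach ($name in $Required) {
        $row = $rows | Where-Object { $_.Subcategory -eq $name }
        # A subcategory missing from the output is treated as a gap, not as compliant.
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'MISSING' }
        [pscustomobject]@{
            Subcategory = $name
            Setting     = $setting
            Compliant   = ($setting -eq 'Success and Failure')
        }
    }
}

# Constructed sample in auditpol's /r layout: one subcategory has been reset.
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting',
    'DC01,System,Credential Validation,{0CCE923F-69AE-11D9-BED3-505054503030},Success and Failure,',
    'DC01,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},No Auditing,',
    'DC01,System,Logoff,{0CCE9216-69AE-11D9-BED3-505054503030},Success,',
    'DC01,System,Account Lockout,{0CCE9217-69AE-11D9-BED3-505054503030},Success and Failure,'
)
Get-AuditPolicyGaps -AuditPolCsv $sample | Format-Table -AutoSize

# Live run on a DC from an elevated prompt, showing only the gaps:
# Get-AuditPolicyGaps -AuditPolCsv (auditpol /get /category:* /r) | Where-Object { -not $_.Compliant }
```

Running the live line on both DCs at the affected site before and after a reboot, and keeping the two reports, gives the "how was it changed" evidence the monitoring application lacks.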
Default Domain Controller Policy
Hello All,
We will be starting promotion of Windows Server 2012 R2 Domain Controllers in our organisation. For that we are trying to implement the Default Domain Controller Policy for 2012 R2.
We already have Account Policies, Password policy, Audit Policy and Security Option Firewall Settings
but would like your advice about any new features which we can apply in our Default Domain Controller
policy.
Thanks.
Thanks HA
Hi,
>>But would like your advice about any new features which we can applied in our Default Domain
Controller policy.
Regarding this point, the following articles can be referred to as reference.
Chapter 4: Strengthening Domain and Domain Controller Policy Settings
https://technet.microsoft.com/en-us/library/cc773205(v=ws.10).aspx
Applying Selected Domain and Domain Controller Policy Settings
https://technet.microsoft.com/en-us/library/cc773164(v=ws.10).aspx
Best regards,
Frank Shen
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]