Re: GPO not picking up computer settings

There could be a problem with replication among domain controllers if you have
more then one and if you do I would run the support tool gpotool to check for
such and when you run the command net accounts on each domain controllers you
should see the same settings. Also do not set any password/account policy
settings to undefined in default domain policy. Set it to exactly what you want.
If a setting was defined before changing it to undefined means no change. After
configuring the settings run gpupdate on the domain controller [assuming Windows
2003 as Windows 2000 uses secedit command to refresh security settings] and then
run the command net accounts to see if it is what you expect. Also make sure
that he default domain policy is still linked to the domain container and
enabled for at least computer configuration and that authenticated users have
read and apply permissions to it in it's properties for security. That is all
default configuration. Running the support tool gpresult on any domain
controller should confirm that default domain policy is applying to the
computer. If "block inheritance" is enabled on the domain controller container
for Group Policy then changes in default domain policy will not apply until it
is removed. If more than one GPO is linked to the domain container then the one
at the top of the list has priority as GPOs are applied from the bottom up as
shown in the list. --- Steve



"Jarryd" <j@xxx> wrote in message news:ObK9DGiWGHA.196@xxxxxxxxxxxxxxxxxxxxxxx
Hi Steve,

Are there any latency issues with the application/enforcement of GPOs. I
have come in this morning and found two users who have been asked to change
their passowrds and when they try to do so, they get hammered with
complexity rules. But there is nothing special about these users, they are
in the same OUs as all the others, so why have only they been affected?
And, I have now gone and deleted the test GPO that I had linked to the test
OU, and I have gone and not defined the setting for account lockout and
passwords in the Default Domain Policy. However, I still can't change the
effective user's password back to what it was originally due to password
settings. This is crazy. So I am thinking that there must be some kind of
latency. Is there a way to force the propogation of policy settings?

TIA,

Jarryd

"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uMgpvwcWGHA.3684@xxxxxxxxxxxxxxxxxxxxxxx
Run RSOP mmc snapin against a domain controller to see what it shows for
password settings for domain users and the enforcing GPO which by default
would be domain security policy but as Roger said could be any GPO lined
to the domain container and the higher a GPO is in the list the more
precedence it takes. You can also run net accounts on a domain controller
to see what is shown for password policy settings other than complexity.
Net accounts run on a domain member computer will show the settings for
local user accounts on that computer. The link below explains more and
even though it does not explicitly say so account policies also are
defined in the domain container for Windows 2003 as shown for Windows
2000.. --- Steve

http://support.microsoft.com/kb/259576/


"Jarryd" <j@xxx> wrote in message
news:eM248rYWGHA.3848@xxxxxxxxxxxxxxxxxxxxxxx
OK, I have managed to get the GP Management tool to pick up the settings
and it says that it is applying them in the way that I want them to on
the machine and user against which I ran the test. I went in to the
Local Policy and it has picked up the settings. But when I try to change
there password it lets me do it with less characters that required, it is
not picking up the history of old passwords, and it isn't enforcing
complexity. I really don't understand this.

Please help!!

Jarryd

"Jarryd" <j@xxx> wrote in message
news:e8T1EbYWGHA.5012@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

I have created a Group Policy for remote users. The only settings I
have configured are the ones that pertain to passwords and account
lockout. I have moved those users to an OU that is linked to the new
GP, but the settings weren't taking affect. So I generated a report and
it came back saying the policy was empty. But that's just wrong. If I
go in and configure user settings those are picked up, but the computer
settings aren't. Why?

TIA,

Jarryd









.

Relevant Pages

  • Re: Default Domain Controllers Policy ISSUE!!!
    ... GPO's for the Default Domain Controller Security Settings and need help fast. ... Controllers Policy GPO. ...
    (microsoft.public.windows.server.sbs)
  • Re: Group policy - another newbie question
    ... Domain Controller Security Policy is exactly that. ... > settings you see if you open Active Directory ...
    (microsoft.public.win2000.group_policy)
  • Re: Domain Security Policy Versus Domain Controller Security Policy
    ... > Domain Security Policy Versus Domain Controller Security Policy. ... means it takes longer to process the settings. ...
    (microsoft.public.win2000.active_directory)
  • Re: Password expires for no apparent reason
    ... Maximum password age determines how many days a password can be used before the user is required to change it. ... policy that has set the values to what you see below meaning that users ... > Here is net accounts info from local machine ... >> Run net accounts on the client machine to see what the settings are ...
    (microsoft.public.windows.server.active_directory)
  • Re: HELP!!! Unable to logon to Server 2000
    ... Any domain or Organizational Unit Group Policy that is enabled will override ... Local Security Policy defined settings assuming everything is configured ... Security Policy and that will override the Local Security Policy for those ... I would first double check the Domain Controller Security ...
    (microsoft.public.win2000.security)