Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Can't Edit Local Computer Policies on Windows Server

Posted on 2004-03-22
7
Medium Priority
?
523 Views
Last Modified: 2010-04-19
Hello,

I have a very small network set up (1 Windows Server 2003 (with Exchange 2003), and several XP workstations).  If I run gpedit.msc or MMC (and add the Local Group Policy snap-in), I am not able to edit any of the policies under Computer Configuration.  For example, I am trying to disable Password Complexity.  When I open the properties of that policy, both options are grayed-out not allowing me to change it.  This is the same for all under Computer Configuration.  I am able to edit the policies under User Configuration though.

I am logged in as the administrator account which is a member of the domain admins and Group Policy Creator Owners groups in AD.  I have also tried creating another account with similar permissions, also no success.

I have tried a few Reg hacks with no success.  

Any ideas?
Thanks.
0
Comment
Question by:djmarik
  • 3
  • 2
5 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 10653518
This is normal.

Once the server is made a Domain Controller the local policy now becomes the Default Domain Controller Policy and must be accessed from Active Directory Users and Computers or the Group Policy Management Console.

The Default Domain Policy is what governs Password Complexity.  The unfortunate thing is that once it has been enabled it cannot be rolled back - even if you disable the policy.

0
 

Author Comment

by:djmarik
ID: 10658303
In other words, I need to make all policy changes before I promote the server to a domain controller.  There is no way to change these policies once the server is promoted?

Thanks
0
 
LVL 51

Expert Comment

by:Netman66
ID: 10658686
Can you tell me exactly what you are trying to accomplish?

Is it lock down the DC because it's being sent offsite?

Let me know and maybe I can do a better job of helping.

0
 

Author Comment

by:djmarik
ID: 10660053
I promoted the 2003 Server to be a domain controller.  Now, I want to change some of the policies in the Local Computer Policy (snap-in)  (or by running gpedit.msc).

All of the options are grayed-out.  I can see which option is currently selected, but I'm not allowed to make any changes.  For instance, Password complexity (Enabled or Disabled).  Enabled is selected, but they are both grayed so I can't change them.  I have permission to edit the local computer policy, but still no luck.
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 1000 total points
ID: 10661820
Ok...forget the concept of Local Policy now - the LSA is no longer active and the server is a DC, so it uses AD now.

Open ADUC.
Expand the Domain.
Expand Domain Controllers OU
Right-click Domain Controllers OU and select Properties.
Select Group Policy tab.
Select the policy then hit the Edit button.

The above procedure is the same as going into the Administrative Tools and selecting the Default Domain Controller Policy.

With respect to the Password Complexity - I'm afraid once it's set no matter what you do after that you will always be forced to use complex passwords.  This is known as "tattooing" the registry - and I have to say, I've never met anyone who can reverse this.  I will be talking to the Developers in Redmond in a few weeks - this is one thing I want to discuss with them.

0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…

876 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question