djmarik
asked on
Can't Edit Local Computer Policies on Windows Server
Hello,
I have a very small network set up (1 Windows Server 2003 (with Exchange 2003), and several XP workstations). If I run gpedit.msc or MMC (and add the Local Group Policy snap-in), I am not able to edit any of the policies under Computer Configuration. For example, I am trying to disable Password Complexity. When I open the properties of that policy, both options are grayed-out not allowing me to change it. This is the same for all under Computer Configuration. I am able to edit the policies under User Configuration though.
I am logged in as the administrator account which is a member of the domain admins and Group Policy Creator Owners groups in AD. I have also tried creating another account with similar permissions, also no success.
I have tried a few Reg hacks with no success.
Any ideas?
Thanks.
I have a very small network set up (1 Windows Server 2003 (with Exchange 2003), and several XP workstations). If I run gpedit.msc or MMC (and add the Local Group Policy snap-in), I am not able to edit any of the policies under Computer Configuration. For example, I am trying to disable Password Complexity. When I open the properties of that policy, both options are grayed-out not allowing me to change it. This is the same for all under Computer Configuration. I am able to edit the policies under User Configuration though.
I am logged in as the administrator account which is a member of the domain admins and Group Policy Creator Owners groups in AD. I have also tried creating another account with similar permissions, also no success.
I have tried a few Reg hacks with no success.
Any ideas?
Thanks.
ASKER
In other words, I need to make all policy changes before I promote the server to a domain controller. There is no way to change these policies once the server is promoted?
Thanks
Thanks
Can you tell me exactly what you are trying to accomplish?
Is it lock down the DC because it's being sent offsite?
Let me know and maybe I can do a better job of helping.
Is it lock down the DC because it's being sent offsite?
Let me know and maybe I can do a better job of helping.
ASKER
I promoted the 2003 Server to be a domain controller. Now, I want to change some of the policies in the Local Computer Policy (snap-in) (or by running gpedit.msc).
All of the options are grayed-out. I can see which option is currently selected, but I'm not allowed to make any changes. For instance, Password complexity (Enabled or Disabled). Enabled is selected, but they are both grayed so I can't change them. I have permission to edit the local computer policy, but still no luck.
All of the options are grayed-out. I can see which option is currently selected, but I'm not allowed to make any changes. For instance, Password complexity (Enabled or Disabled). Enabled is selected, but they are both grayed so I can't change them. I have permission to edit the local computer policy, but still no luck.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Once the server is made a Domain Controller the local policy now becomes the Default Domain Controller Policy and must be accessed from Active Directory Users and Computers or the Group Policy Management Console.
The Default Domain Policy is what governs Password Complexity. The unfortunate thing is that once it has been enabled it cannot be rolled back - even if you disable the policy.