Can't Edit Local Computer Policies on Windows Server

Hello,

I have a very small network set up (1 Windows Server 2003 (with Exchange 2003), and several XP workstations).  If I run gpedit.msc or MMC (and add the Local Group Policy snap-in), I am not able to edit any of the policies under Computer Configuration.  For example, I am trying to disable Password Complexity.  When I open the properties of that policy, both options are grayed-out not allowing me to change it.  This is the same for all under Computer Configuration.  I am able to edit the policies under User Configuration though.

I am logged in as the administrator account which is a member of the domain admins and Group Policy Creator Owners groups in AD.  I have also tried creating another account with similar permissions, also no success.

I have tried a few Reg hacks with no success.  

Any ideas?
Thanks.
djmarikAsked:
Who is Participating?
 
Netman66Commented:
Ok...forget the concept of Local Policy now - the LSA is no longer active and the server is a DC, so it uses AD now.

Open ADUC.
Expand the Domain.
Expand Domain Controllers OU
Right-click Domain Controllers OU and select Properties.
Select Group Policy tab.
Select the policy then hit the Edit button.

The above procedure is the same as going into the Administrative Tools and selecting the Default Domain Controller Policy.

With respect to the Password Complexity - I'm afraid once it's set no matter what you do after that you will always be forced to use complex passwords.  This is known as "tattooing" the registry - and I have to say, I've never met anyone who can reverse this.  I will be talking to the Developers in Redmond in a few weeks - this is one thing I want to discuss with them.

0
 
Netman66Commented:
This is normal.

Once the server is made a Domain Controller the local policy now becomes the Default Domain Controller Policy and must be accessed from Active Directory Users and Computers or the Group Policy Management Console.

The Default Domain Policy is what governs Password Complexity.  The unfortunate thing is that once it has been enabled it cannot be rolled back - even if you disable the policy.

0
 
djmarikAuthor Commented:
In other words, I need to make all policy changes before I promote the server to a domain controller.  There is no way to change these policies once the server is promoted?

Thanks
0
 
Netman66Commented:
Can you tell me exactly what you are trying to accomplish?

Is it lock down the DC because it's being sent offsite?

Let me know and maybe I can do a better job of helping.

0
 
djmarikAuthor Commented:
I promoted the 2003 Server to be a domain controller.  Now, I want to change some of the policies in the Local Computer Policy (snap-in)  (or by running gpedit.msc).

All of the options are grayed-out.  I can see which option is currently selected, but I'm not allowed to make any changes.  For instance, Password complexity (Enabled or Disabled).  Enabled is selected, but they are both grayed so I can't change them.  I have permission to edit the local computer policy, but still no luck.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.