Solved

Can't Edit Local Computer Policies on Windows Server

Posted on 2004-03-22
7
462 Views
Last Modified: 2010-04-19
Hello,

I have a very small network set up (1 Windows Server 2003 (with Exchange 2003), and several XP workstations).  If I run gpedit.msc or MMC (and add the Local Group Policy snap-in), I am not able to edit any of the policies under Computer Configuration.  For example, I am trying to disable Password Complexity.  When I open the properties of that policy, both options are grayed-out not allowing me to change it.  This is the same for all under Computer Configuration.  I am able to edit the policies under User Configuration though.

I am logged in as the administrator account which is a member of the domain admins and Group Policy Creator Owners groups in AD.  I have also tried creating another account with similar permissions, also no success.

I have tried a few Reg hacks with no success.  

Any ideas?
Thanks.
0
Comment
Question by:djmarik
  • 3
  • 2
7 Comments
 
LVL 51

Expert Comment

by:Netman66
Comment Utility
This is normal.

Once the server is made a Domain Controller the local policy now becomes the Default Domain Controller Policy and must be accessed from Active Directory Users and Computers or the Group Policy Management Console.

The Default Domain Policy is what governs Password Complexity.  The unfortunate thing is that once it has been enabled it cannot be rolled back - even if you disable the policy.

0
 

Author Comment

by:djmarik
Comment Utility
In other words, I need to make all policy changes before I promote the server to a domain controller.  There is no way to change these policies once the server is promoted?

Thanks
0
 
LVL 51

Expert Comment

by:Netman66
Comment Utility
Can you tell me exactly what you are trying to accomplish?

Is it lock down the DC because it's being sent offsite?

Let me know and maybe I can do a better job of helping.

0
 

Author Comment

by:djmarik
Comment Utility
I promoted the 2003 Server to be a domain controller.  Now, I want to change some of the policies in the Local Computer Policy (snap-in)  (or by running gpedit.msc).

All of the options are grayed-out.  I can see which option is currently selected, but I'm not allowed to make any changes.  For instance, Password complexity (Enabled or Disabled).  Enabled is selected, but they are both grayed so I can't change them.  I have permission to edit the local computer policy, but still no luck.
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 250 total points
Comment Utility
Ok...forget the concept of Local Policy now - the LSA is no longer active and the server is a DC, so it uses AD now.

Open ADUC.
Expand the Domain.
Expand Domain Controllers OU
Right-click Domain Controllers OU and select Properties.
Select Group Policy tab.
Select the policy then hit the Edit button.

The above procedure is the same as going into the Administrative Tools and selecting the Default Domain Controller Policy.

With respect to the Password Complexity - I'm afraid once it's set no matter what you do after that you will always be forced to use complex passwords.  This is known as "tattooing" the registry - and I have to say, I've never met anyone who can reverse this.  I will be talking to the Developers in Redmond in a few weeks - this is one thing I want to discuss with them.

0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Join & Write a Comment

This may not be a text book method to resolve VSS backup issues but it seemed to have worked on few of the Windows 2003 servers we had issues while performing a Volume Shadow Copy backup. If you have issues while performing a shadow copy backup usin…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
This video discusses moving either the default database or any database to a new volume.
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now