Solved

Can't Edit Local Computer Policies on Windows Server

Posted on 2004-03-22
7
488 Views
Last Modified: 2010-04-19
Hello,

I have a very small network set up (1 Windows Server 2003 (with Exchange 2003), and several XP workstations).  If I run gpedit.msc or MMC (and add the Local Group Policy snap-in), I am not able to edit any of the policies under Computer Configuration.  For example, I am trying to disable Password Complexity.  When I open the properties of that policy, both options are grayed-out not allowing me to change it.  This is the same for all under Computer Configuration.  I am able to edit the policies under User Configuration though.

I am logged in as the administrator account which is a member of the domain admins and Group Policy Creator Owners groups in AD.  I have also tried creating another account with similar permissions, also no success.

I have tried a few Reg hacks with no success.  

Any ideas?
Thanks.
0
Comment
Question by:djmarik
  • 3
  • 2
7 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 10653518
This is normal.

Once the server is made a Domain Controller the local policy now becomes the Default Domain Controller Policy and must be accessed from Active Directory Users and Computers or the Group Policy Management Console.

The Default Domain Policy is what governs Password Complexity.  The unfortunate thing is that once it has been enabled it cannot be rolled back - even if you disable the policy.

0
 

Author Comment

by:djmarik
ID: 10658303
In other words, I need to make all policy changes before I promote the server to a domain controller.  There is no way to change these policies once the server is promoted?

Thanks
0
 
LVL 51

Expert Comment

by:Netman66
ID: 10658686
Can you tell me exactly what you are trying to accomplish?

Is it lock down the DC because it's being sent offsite?

Let me know and maybe I can do a better job of helping.

0
 

Author Comment

by:djmarik
ID: 10660053
I promoted the 2003 Server to be a domain controller.  Now, I want to change some of the policies in the Local Computer Policy (snap-in)  (or by running gpedit.msc).

All of the options are grayed-out.  I can see which option is currently selected, but I'm not allowed to make any changes.  For instance, Password complexity (Enabled or Disabled).  Enabled is selected, but they are both grayed so I can't change them.  I have permission to edit the local computer policy, but still no luck.
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 250 total points
ID: 10661820
Ok...forget the concept of Local Policy now - the LSA is no longer active and the server is a DC, so it uses AD now.

Open ADUC.
Expand the Domain.
Expand Domain Controllers OU
Right-click Domain Controllers OU and select Properties.
Select Group Policy tab.
Select the policy then hit the Edit button.

The above procedure is the same as going into the Administrative Tools and selecting the Default Domain Controller Policy.

With respect to the Password Complexity - I'm afraid once it's set no matter what you do after that you will always be forced to use complex passwords.  This is known as "tattooing" the registry - and I have to say, I've never met anyone who can reverse this.  I will be talking to the Developers in Redmond in a few weeks - this is one thing I want to discuss with them.

0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The HP utility "HP Lights-Out Online Configuration Utility for Windows Server 2003/2008" could be of great use when it comes to remotely configure a HP servers ILO WITHOUT rebooting the server. We would only need to create and run scripts using thi…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now