How can I find out what's overwriting my group policies in W2K?

Posted on 2004-09-16
Last Modified: 2010-04-13
I have a password group policy in place on a DC that is also Schema owner, Domain role owner, PDC role, RID pool manager, Infrastructure owner - however, these policies seem to keep getting overwritten by another machine and I'm at a loss as to find out which DC is overwriting it. I've looked at the event logs for replication conflicts but there's nothing there that would indicate any problems.

How can I find out what's causing this policy to be overwritten like this? It seems to happen every 90 minutes or so and is causing me to tear my hair out as I'm currently unable to implement this policy effectively.
Question by:tonybushell

Expert Comment

ID: 12080455
You say they are being overwritten. Where is it that you are seeing this? On the clients? Or from within the Group Policy management snap-in in the actual Group Policy object?

Just need a little clarification.




Expert Comment

ID: 12080742
Sounds like you are saying the DC is getting overwritten. Not sure, but download the GPMC snap-in and run result of policy.
Here is the link to download.


Author Comment

ID: 12089036
Hey Tane,

I'm seeing this from the Active Directory Users & Computers MMC plug-in on the DC where we are making this change - if I change the policy there, it seems OK for an indeterminate period and then it resets itself - all changes go back to the defaults.


Expert Comment

ID: 12091994

AD computers and users>properties>GPO>edit? Or are you using the GPMC?

What settings are being changed, or are all settings being changed?

90 min is the default refresh rate.

What policy are you setting the "password" policy with?
Is this policy for the whole domain and then a higher level for your DC?

Are you using the default domain or default domain controller group policy object, or did you create a new one?

If you manually refresh the policy does it work?

Let me know, I have had some long hard fights with GPOs and won every time... SO FAR... LOL



Expert Comment

ID: 12101325

I think Kelo is on the right track, it sounds like there is a policy that is being forced down from higher in the AD tree.


Author Comment

ID: 12102869
Hey Kelo, thanks for the response - OK, to try and answer this as clearly as possible -

* Yes, I'm going AD computers and users>properties>GPO>edit, although I do have the GPMC downloaded and running on another machine
* All settings are being changed back to the defaults
* 90 mins = refresh rate - thanks! (I had thought it was 60, couldn't figure out what this extra delay was)
* The desired policy is: Enforce 4 passwords, Maximum age 90 days, Min age 0, Minimum Length 6, Complex Passwords Enabled
* Yes, this password is for the whole domain, and is being set on the DC that is also Schema/Infrastructure owner
* Using the Default Policy Object - have toyed with deleting it and starting again but was a little hesitant
* Yep, manual refresh works just fine, until it gets reset - if I change the policy from the standard settings to those desired, it works like a charm - however, within 90 minutes it's reset.

Thanks Kelo & Tanelorn for all your help so far - I have a test W2K/AD domain both here at work and at home and this works flawlessly on both, it's just driving me batty trying to figure out WHAT is overriding this policy :(

Accepted Solution

kelo501 earned 250 total points
ID: 12112120
OK, in the GPMC there is a result of policy tool.

Read this white paper and try it out.

Group Policy Results
This feature allows administrators to determine the resultant set of policy that was applied to a given computer and (optionally) user that logged on to that computer. The data that is presented is similar to Group Policy Modeling data, however, unlike Group Policy Modeling, this data is not a simulation. It is the actual resultant set of policy data obtained from the target computer. Unlike Group Policy Modeling, the data from Group Policy Results is obtained from the client, and is not simulated on the DC. The client must be running Windows XP, Windows Server 2003 or later. It is not possible to get Group Policy Results data for a Windows 2000 computer. (However, with Group Policy Modeling, you can simulate the RSoP data).
Note: Technically, a Windows Server 2003 DC is not required to access Group Policy Results. However, by default, only users with local admin privileges on the target computer can remotely access Group Policy Results data. This can be delegated to additional users (as previously described), however, the ability to delegate RSoP data is only available in Active Directory forests that have the Windows Server 2003 schema (for example, you have run ADPrep /ForestPrep) in that forest.
Each Group Policy Results query is represented by a node in the tree view under the Group Policy Results container. Each node has three tabs:
•      Summary – this is analogous to the information shown for the corresponding tab on a Group Policy Modeling node. In particular, this page shows the component status for the various Group Policy extensions. This information tells you whether there were any issues with a particular extension and is a good place to begin troubleshooting.
•      Settings – this is analogous to the information shown for the corresponding tab on a Group Policy Modeling node.
•      Events – this tab shows all policy-related events from the target computer (see Figure 29). Note that to gather this data, the user performing the query must have access to remotely view the event log. By default, this access is granted to all users on Windows XP, but not on Windows Server 2003. This data is useful for troubleshooting Group Policy issues. For example if the summary report indicates that a particular Group Policy component failed to process, you may be able to determine why by looking for errors and warnings in the event log.

This is from the white paper, but you should read the whole thing.

Let me know how it goes.


Author Comment

ID: 12113431
I was running this yesterday and when looking in the Group Policy Results I see that there are two Denied GPOs - of particular interest is the one I created for this password policy and it says the reason it was denied was because it was "empty" - for which I'm still looking for a decent explanation.

As it stands, I have the password policy defined separately and linked to the domain and this appears to be working - however, I'm kind of nervous about having a solution in place that seems like a "MacGyver fix" - I currently feel that as I can't find out why these changes wouldn't stick in the Default Domain Policy, that I still have a problem, even if I've gotten it to do what I want.

So, any other suggestions would be very welcome - and Kelo, I have that white paper printed out, will be reading it later, thanks a bundle for the recommendation :)
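
The question of which DC holds a reset copy can also be checked directly in SYSVOL, where every DC keeps its own replica of the GPO's security template at `\\<dc>\SYSVOL\<domain>\Policies\{GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf`. The following is an added example, not part of the original thread: it compares the `[System Access]` values in each replica with the policy the author listed, and the DC names and template contents are constructed sample data.

```python
# Added example (not from the thread): compare the password settings in each
# DC's SYSVOL copy of a GPO security template against the intended values.

# Intended policy from the thread, expressed as [System Access] keys.
DESIRED = {
    "PasswordHistorySize": 4,
    "MaximumPasswordAge": 90,
    "MinimumPasswordAge": 0,
    "MinimumPasswordLength": 6,
    "PasswordComplexity": 1,
}

def parse_system_access(inf_text):
    """Return the numeric [System Access] entries of a GptTmpl.inf as a dict."""
    settings, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "system access" and "=" in line:
            key, _, value = line.partition("=")
            try:
                settings[key.strip()] = int(value.strip())
            except ValueError:
                pass  # skip non-numeric entries such as quoted account names
    return settings

def drift(inf_text):
    """Return {key: (desired, found)}; found is None when the key is not defined."""
    found = parse_system_access(inf_text)
    return {k: (want, found.get(k)) for k, want in DESIRED.items()
            if found.get(k) != want}

def diverging_replicas(replicas):
    """Return {dc: drift} for every replica that does not match DESIRED."""
    report = {dc: drift(text) for dc, text in sorted(replicas.items())}
    return {dc: d for dc, d in report.items() if d}

HEADER = '[Unicode]\nUnicode=yes\n[Version]\nsignature="$CHICAGO$"\nRevision=1\n'
# Constructed sample data: hypothetical DC names and template contents.
SAMPLE = {
    "DC01": HEADER + "[System Access]\nMinimumPasswordAge = 0\nMaximumPasswordAge = 90\n"
            "MinimumPasswordLength = 6\nPasswordComplexity = 1\nPasswordHistorySize = 4\n",
    "DC02": HEADER + "[System Access]\nMinimumPasswordAge = 0\nMaximumPasswordAge = 42\n"
            "MinimumPasswordLength = 0\nPasswordComplexity = 0\nPasswordHistorySize = 1\n",
    "DC03": HEADER,  # template with no [System Access] section at all
}

if __name__ == "__main__":
    for dc, diff in diverging_replicas(SAMPLE).items():
        print(dc, diff)
```

A replica that reports `None` for every key defines no password settings at all. Real template files are usually UTF-16 encoded, so read them with `open(path, encoding="utf-16")` before passing the text in.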


Question has a verified solution.
