How can I find out what's overwriting my group policies in W2K?

I have a password group policy in place on a DC that is also Schema owner, Domain role owner, PDC role, RID pool manager, Infrastructure owner - however, these policies seem to keep getting overwritten by another machine and I'm at a loss as to find out which DC is overwriting it.  I've looked at the event logs for replication conflicts but there's nothing there that would indicate any problems.

How can I find out what's causing this policy to be overwritten like this?  It seems to happen every 90 minutes or so and is causing me to tear my hair out as I'm currently unable to implement this policy effectively.

kelo501 Commented:
OK, in the GPMC there is a result of policy tool.

Read this white paper and try it out.

Group Policy Results
This feature allows administrators to determine the resultant set of policy that was applied to a given computer and (optionally) user that logged on to that computer. The data that is presented is similar to Group Policy Modeling data, however, unlike Group Policy Modeling, this data is not a simulation. It is the actual resultant set of policy data obtained from the target computer. Unlike Group Policy Modeling, the data from Group Policy Results is obtained from the client, and is not simulated on the DC. The client must be running Windows XP, Windows Server 2003 or later. It is not possible to get Group Policy Results data for a Windows 2000 computer. (However, with Group Policy Modeling, you can simulate the RSoP data).
Note: Technically, a Windows Server 2003 DC is not required to access Group Policy Results. However, by default, only users with local admin privileges on the target computer can remotely access Group Policy Results data. This can be delegated to additional users (as previously described), however, the ability to delegate RSoP data is only available in Active Directory forests that have the Windows Server 2003 schema (for example, you have run ADPrep /ForestPrep) in that forest.
Each Group Policy Results query is represented by a node in the tree view under the Group Policy Results container. Each node has three tabs:
• Summary – this is analogous to the information shown for the corresponding tab on a Group Policy Modeling node. In particular, this page shows the component status for the various Group Policy extensions. This information tells you whether there were any issues with a particular extension and is a good place to begin troubleshooting.
• Settings – this is analogous to the information shown for the corresponding tab on a Group Policy Modeling node.
• Events – this tab shows all policy-related events from the target computer (see Figure 29). Note that to gather this data, the user performing the query must have access to remotely view the event log. By default, this access is granted to all users on Windows XP, but not on Windows Server 2003. This data is useful for troubleshooting Group Policy issues. For example if the summary report indicates that a particular Group Policy component failed to process, you may be able to determine why by looking for errors and warnings in the event log.

This is from the white paper, but you should read the whole thing.

Let me know how it goes.

You say they are being overwritten; where is it that you are seeing this?  On the clients?  Or from within the Group Policy management snap-in in the actual Group Policy object?

Just need a little clarification.



Sounds like you are saying the DC is getting overwritten.  Not sure, but download the GPMC snap-in and run result of policy.
Here is the link to download.

tonybushell (Author) Commented:
Hey Tane,

I'm seeing this from the Active Directory Users & Computers MMC plug-in on the DC where we are making this change - if I change the policy there, it seems OK for an indeterminate period and then it resets itself - all changes go back to the defaults.


AD computers and users>properties>GPO>edit?  Or are you using the GPMC?

What settings are being changed, or are all settings being changed?

90 min is the default refresh rate.

What policy are you setting the "password" policy with?
Is this policy for the whole domain and then a higher level for your DC?

Are you using the default domain or default domain controller group policy object or did you create a new one?

If you manually refresh the policy does it work?

Let me know, I have had some long hard fights with GPOs and won every time...  SO FAR... LOL


I think Kelo is on the right track, it sounds like there is a policy that is being forced down from higher in the AD tree.

tonybushell (Author) Commented:
Hey Kelo, thanks for the response - OK, to try and answer this as clearly as possible -

* Yes, I'm going AD computers and users>properties>GPO>edit, although I do have the GPMC downloaded and running on another machine
* All settings are being changed back to the defaults
* 90 mins = refresh rate - thanks!  (I had thought it was 60, couldn't figure out what this extra delay was)
* The desired policy is: Enforce 4 passwords, Maximum age 90 days, Min age 0, Minimum Length 6, Complex Passwords Enabled
* Yes, this password is for the whole domain, and is being set on the DC that is also Schema/Infrastructure owner
* Using the Default Policy Object - have toyed with deleting it and starting again but was a little hesitant
* Yep, manual refresh works just fine, until it gets reset - if I change the policy from the standard settings to those desired, it works like a charm - however, within 90 minutes it's reset.

Thanks Kelo & Tanelorn for all your help so far - I have a test W2K/AD domain both here at work and at home and this works flawlessly on both, it's just driving me batty trying to figure out WHAT is overriding this policy :(

tonybushell (Author) Commented:
I was running this yesterday and when looking in the Group Policy Results I see that there are two Denied GPOs - of particular interest is the one I created for this password policy and it says the reason it was denied was because it was "empty" - for which I'm still looking for a decent explanation.

As it stands, I have the password policy defined separately and linked to the domain and this appears to be working - however, I'm kind of nervous about having a solution in place that seems like a "MacGyver fix" - I currently feel that as I can't find out why these changes wouldn't stick in the Default Domain Policy, that I still have a problem, even if I've gotten it to do what I want.

So, any other suggestions would be very welcome - and Kelo, I have that white paper printed out, will be reading it later, thanks a bundle for the recommendation :)
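
One way to narrow down which DC holds the reverted copy of the password policy, as an added example that is not part of the thread: compare the `[System Access]` section of the GPO's security template (`GptTmpl.inf`) read from each DC's SYSVOL against the desired values listed above. The DC names and template contents below are constructed sample data, and it is assumed the template text has already been read from each DC.

```python
import configparser

# Desired values from the thread, mapped to the [System Access] keys used in
# a GPO security template (GptTmpl.inf).
DESIRED = {
    "PasswordHistorySize": 4,    # "Enforce 4 passwords"
    "MaximumPasswordAge": 90,    # days
    "MinimumPasswordAge": 0,     # days
    "MinimumPasswordLength": 6,
    "PasswordComplexity": 1,     # 1 = enabled
}

# Constructed sample data: template text as it might be read from each DC's
# SYSVOL copy. DC names and the "reverted" values are made up for the example.
HEADER = '[Unicode]\nUnicode=yes\n[Version]\nsignature="$CHICAGO$"\nRevision=1\n'
def _tmpl(h, maxa, mina, length, cplx):
    return (HEADER + "[System Access]\n"
            f"PasswordHistorySize = {h}\nMaximumPasswordAge = {maxa}\n"
            f"MinimumPasswordAge = {mina}\nMinimumPasswordLength = {length}\n"
            f"PasswordComplexity = {cplx}\n")
SAMPLES = {
    "DC01": _tmpl(4, 90, 0, 6, 1),
    "DC02": _tmpl(1, 42, 0, 0, 0),
    "DC03": HEADER,               # template with no [System Access] section
}

def parse_system_access(inf_text):
    """Return the integer settings in [System Access], or {} if it is absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), allow_no_value=True)
    cp.optionxform = str          # keep key case as written
    cp.read_string(inf_text)
    if not cp.has_section("System Access"):
        return {}
    return {k: int(v) for k, v in cp.items("System Access")
            if v is not None and v.strip().isdigit()}

def drift(inf_text):
    """Map each deviating key to (desired, actual); actual is None if unset."""
    actual = parse_system_access(inf_text)
    return {k: (want, actual.get(k)) for k, want in DESIRED.items()
            if actual.get(k) != want}

def compare_dcs(copies):
    """Return only the DCs whose copy differs from DESIRED."""
    return {dc: d for dc, text in copies.items() if (d := drift(text))}

if __name__ == "__main__":
    for dc, diff in compare_dcs(SAMPLES).items():
        print(dc, diff)
```

When reading real templates from SYSVOL, note that `GptTmpl.inf` is typically stored as UTF-16, so decode it accordingly before passing the text to `drift`.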