Solved

How can I find out what's overwriting my group policies in W2K?

Posted on 2004-09-16
Last Modified: 2010-04-13
I have a password group policy in place on a DC that is also Schema owner, Domain role owner, PDC role, RID pool manager, Infrastructure owner - however, these policies seem to keep getting overwritten by another machine and I'm at a loss as to how to find out which DC is overwriting it.  I've looked at the event logs for replication conflicts but there's nothing there that would indicate any problems.

How can I find out what's causing this policy to be overwritten like this?  It seems to happen every 90 minutes or so and is causing me to tear my hair out as I'm currently unable to implement this policy effectively.
Question by: tonybushell
8 Comments
 
LVL 6

Expert Comment

by:tanelorn
Hi,
You say they are being overwritten; where is it that you are seeing this?  On the clients?  Or from within the group policy management snap-in, in the actual group policy object?

Just need a little clarification.

Thanks

T

0
 
LVL 3

Expert Comment

by:kelo501
Sounds like you are saying the DC is getting overwritten.  Not sure, but download the GPMC snap-in and run result of policy.
Here is the link to download.
http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en

kelo501
0
 
LVL 1

Author Comment

by:tonybushell
Hey Tane,

I'm seeing this from the Active Directory Users & Computers MMC plug-in on the DC where we are making this change - if I change the policy there, it seems OK for an indeterminate period and then it resets itself - all changes go back to the defaults.

0
 
LVL 3

Expert Comment

by:kelo501
Tony,

AD computers and users>properties>GPO>edit?  Or are you using the GPMC?

What settings are being changed, or are all settings being changed?

90 min is the default refresh rate.

What policy are you setting the "password" policy with?
Is this policy for the whole domain and then a higher level for your DC?

Are you using the default domain or default domain controller group policy object, or did you create a new one?

If you manually refresh the policy does it work?

Let me know, I have had some long hard fights with GPOs and won every time...  SO FAR... LOL

kelo501
0
 
LVL 6

Expert Comment

by:tanelorn
Hi

I think Kelo is on the right track, it sounds like there is a policy that is being forced down from higher in the AD tree.

T
0
 
LVL 1

Author Comment

by:tonybushell
Hey Kelo, thanks for the response - OK, to try and answer this as clearly as possible -

* Yes, I'm going AD computers and users>properties>GPO>edit, although I do have the GPMC downloaded and running on another machine
* All settings are being changed back to the defaults
* 90 mins = refresh rate - thanks!  (I had thought it was 60, couldn't figure out what this extra delay was)
* The desired policy is: Enforce 4 passwords, Maximum age 90 days, Min age 0, Minimum Length 6, Complex Passwords Enabled
* Yes, this password is for the whole domain, and is being set on the DC that is also Schema/Infrastructure owner
* Using the Default Policy Object - have toyed with deleting it and starting again but was a little hesitant
* Yep, manual refresh works just fine, until it gets reset - if I change the policy from the standard settings to those desired, it works like a charm - however, within 90 minutes it's reset.

Thanks Kelo & Tanelorn for all your help so far - I have a test W2K/AD domain both here at work and at home and this works flawlessly on both, it's just driving me batty trying to figure out WHAT is overriding this policy :(
0
 
LVL 3

Accepted Solution

by:
kelo501 earned 250 total points
OK, in the GPMC there is a result of policy tool.

Read this white paper and try it out.  http://www.microsoft.com/windowsserver2003/gpmc/gpmcwp.mspx

Group Policy Results

This feature allows administrators to determine the resultant set of policy that was applied to a given computer and (optionally) user that logged on to that computer. The data that is presented is similar to Group Policy Modeling data, however, unlike Group Policy Modeling, this data is not a simulation. It is the actual resultant set of policy data obtained from the target computer. Unlike Group Policy Modeling, the data from Group Policy Results is obtained from the client, and is not simulated on the DC. The client must be running Windows XP, Windows Server 2003 or later. It is not possible to get Group Policy Results data for a Windows 2000 computer. (However, with Group Policy Modeling, you can simulate the RSoP data).

Note: Technically, a Windows Server 2003 DC is not required to access Group Policy Results. However, by default, only users with local admin privileges on the target computer can remotely access Group Policy Results data. This can be delegated to additional users (as previously described), however, the ability to delegate RSoP data is only available in Active Directory forests that have the Windows Server 2003 schema (for example, you have run ADPrep /ForestPrep) in that forest.

Each Group Policy Results query is represented by a node in the tree view under the Group Policy Results container. Each node has three tabs:
• Summary – this is analogous to the information shown for the corresponding tab on a Group Policy Modeling node. In particular, this page shows the component status for the various Group Policy extensions. This information tells you whether there were any issues with a particular extension and is a good place to begin troubleshooting.
• Settings – this is analogous to the information shown for the corresponding tab on a Group Policy Modeling node.
• Events – this tab shows all policy-related events from the target computer (see Figure 29). Note that to gather this data, the user performing the query must have access to remotely view the event log. By default, this access is granted to all users on Windows XP, but not on Windows Server 2003. This data is useful for troubleshooting Group Policy issues. For example if the summary report indicates that a particular Group Policy component failed to process, you may be able to determine why by looking for errors and warnings in the event log.


This is from the white paper, but you should read the whole thing.

Let me know how it goes.
kelo501


0
 
LVL 1

Author Comment

by:tonybushell
I was running this yesterday and when looking in the Group Policy Results I see that there are two Denied GPOs - of particular interest is the one I created for this password policy and it says the reason it was denied was because it was "empty" - for which I'm still looking for a decent explanation.

As it stands, I have the password policy defined separately and linked to the domain and this appears to be working - however, I'm kind of nervous about having a solution in place that seems like a "MacGyver fix" - I currently feel that as I can't find out why these changes wouldn't stick in the Default Domain Policy, that I still have a problem, even if I've gotten it to do what I want.

So, any other suggestions would be very welcome - and Kelo, I have that white paper printed out, will be reading it later, thanks a bundle for the recommendation :)
0
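
Added example (not part of any post in this thread): a GPO's password settings are stored in its security template, `GptTmpl.inf`, under `[System Access]`, so comparing each domain controller's copy with the desired values listed in the thread shows which copy has reverted or is empty. The DC names and template contents below are constructed sample data; reading the real files from each DC's SYSVOL is left to the reader.

```python
# Desired values from the thread, keyed by the [System Access] names
# used in a security template (GptTmpl.inf).
DESIRED = {
    "PasswordHistorySize": 4,    # "Enforce 4 passwords"
    "MaximumPasswordAge": 90,    # days
    "MinimumPasswordAge": 0,     # days
    "MinimumPasswordLength": 6,
    "PasswordComplexity": 1,     # 1 = enabled
}

def parse_system_access(inf_text):
    """Return the numeric [System Access] entries of a template as {key: int}."""
    values, section = {}, None
    for raw in inf_text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "system access" and "=" in line:
            key, _, val = line.partition("=")
            try:
                values[key.strip()] = int(val.strip())
            except ValueError:
                pass  # non-numeric entries are not password settings
    return values

def drift(inf_text, desired=DESIRED):
    """Map each deviating key to (wanted, found); found is None if the key is absent."""
    actual = parse_system_access(inf_text)
    return {k: (w, actual.get(k)) for k, w in desired.items() if actual.get(k) != w}

def compare_copies(copies):
    """copies: {dc_name: template text}. Return only the copies that deviate."""
    report = {dc: drift(text) for dc, text in copies.items()}
    return {dc: d for dc, d in report.items() if d}

# Constructed sample copies; DC names and the "reset" values are made up.
GOOD = ("[Unicode]\nUnicode=yes\n[System Access]\nMinimumPasswordAge = 0\n"
        "MaximumPasswordAge = 90\nMinimumPasswordLength = 6\n"
        "PasswordComplexity = 1\nPasswordHistorySize = 4\n"
        "[Version]\nsignature=\"$CHICAGO$\"\nRevision=1\n")
RESET = GOOD.replace("MinimumPasswordLength = 6", "MinimumPasswordLength = 0") \
            .replace("PasswordComplexity = 1", "PasswordComplexity = 0")
EMPTY = "[Unicode]\nUnicode=yes\n[Version]\nsignature=\"$CHICAGO$\"\nRevision=1\n"
SAMPLE = {"DC-A": GOOD, "DC-B": RESET, "DC-C": EMPTY}

if __name__ == "__main__":
    for dc, diff in compare_copies(SAMPLE).items():
        print(dc, diff)
```

A copy with no `[System Access]` section reports every setting as missing (`None`), which is how a template that defines no password settings shows up.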
