Start Free Trial

asked on

Account GPO Applied but not Working

Hi,
I think this is an easy one, I hope anyway. I have set the following account policies in our Default Domain Policy. I expected nearly all of our users to be prompted to change their password (many have had the same simple password for years) but nada. I tried changing my own password to one that would not meet the complexity rule and could... Basicly none of the below has been enabled. What I'm I doing wrong? What do I not understand?

Thanks.

********** Snipped from gpresult ****************************

Resultant Set Of Policies for Computer:
----------------------------------------

Software Installations
----------------------
N/A

Account Policies
----------------
GPO: Default Domain Policy
Policy: MinimumPasswordAge
Computer Setting: 90

GPO: Default Domain Policy
Policy: PasswordHistorySize
Computer Setting: 1

GPO: Default Domain Policy
Policy: LockoutDuration
Computer Setting: 15

GPO: Default Domain Policy
Policy: ResetLockoutCount
Computer Setting: 10

GPO: Default Domain Policy
Policy: MinimumPasswordLength
Computer Setting: 6

GPO: Default Domain Policy
Policy: LockoutBadCount
Computer Setting: 3

GPO: Default Domain Policy
Policy: MaximumPasswordAge
Computer Setting: 180

Security Options
----------------
GPO: Default Domain Policy
Policy: RequireLogonToChangePassword
Computer Setting: Not Enabled

GPO: Default Domain Policy
Policy: PasswordComplexity
Computer Setting: Enabled
**************************************

Better would be for password complexity disabled, and minimum password length at 10. But, that doesn't address the issue that you are having.

After you changed the policy, did you refresh the group policies? (gpupdate from the command line) as it can take 15 minutes for the policy to take affect sometimes.
Also, I am not certain, but I think if you change the policy on passwords, and users do not meet the new policies, that it will not force them to change their passwords. When they go to change the password, it should enforce the new policies though.

To force password change after changing policy, here is a link to a script that can help you do that.
http://www.computerperformance.co.uk/vbscript/vbscript_pwdlastset.htm

Horsewhite--

Some quick questions for you. Apologies if any of these strike you as obvious or obtuse.
--Are you logging in with a domain account, or a local computer account?
The GPO will only apply to domain accounts.

--Have tried rebooting the client computer twice?
Some policies will not be fully applied until a domain client computer has been rebooted twice--once to receive the new policy, and the second time to apply it. However, this is really for computer policies, not user policies like your password restrictions.

Ultimately, you can use the Group Policy Management Console ("GPMC") to determine if the policy is being applied to each your users' accounts when logging into their computers. If the GPMC isn't in Administrative tools on your server, you can download it from Microsoft at:
http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

Install the GPMC, and open it. Then on the left, right-click on Group Policy Results and select "Group Policy Results Wizard". Use the wizard to select one of your domain computers, and then select one of the domain accounts found on that computer. The results Summary will appear on the right, and allow you to check the "Component Status" of the user policies that have been applied, or failed to be applied.

Hope this helps.

Dimarc67
New York, NY

ASKER

I agree on the complexity .vs. 6 min length but it isn't up to me.

Yes, I refreshed via gpupdate. The gpresult shows they have been applied, I made the changes nearly 12 hours ago.

I tried changing my password from one that meets the complexity to one that didn't. It let me, it also let me change the password 3 or 4 times in a few minutes.

can you post the following from a client?
gpresult /v > gp.txt & gp.txt
It will post to notepad and open it.
then run gpresult /z gp1.txt & gp1.txt
Lets see what's going on with the policy engine on the client.

Also do you have "Block Policy Inheritence" enabled anywhere in your domain?

A six character password can be broken by brute force in a couple of hours no matter how complex the password is. A 10 character password will take years for a brute force attack to succeed. 256^6 is roughly 281 trillion possibilities; 256^10 is roughly 1,208,925,819,614 Trillion possibilities. A ten character password using only upper and lower case and numbers -- 62^10th is About 3000 times more complex than a six character complex password.

ASKER

dimarc67

NP I don't mind making sure the obvious is taken care of. One thing I didn't point out is that I'm in the domain admin group.

Yes, using a domain account. Rebooted twice.

I used GPMC to see what is being applied and it is identical (as best I can see) to what comes from the gpresults that I posted. Doesn't the gpresult above show it has been applied?

I have looked at a few PCs and they have the same results.

GPMC Results less gui

Account Policies/Password Policy
Policy Setting Winning GPO
Enforce password history 1 passwords remembered Default Domain Policy
Maximum password age 180 days Default Domain Policy
Minimum password age 90 days Default Domain Policy
Minimum password length 6 characters Default Domain Policy
Password must meet complexity requirements Enabled Default Domain Policy
Store passwords using reversible encryption Disabled Default Domain Policy

Account Policies/Account Lockout Policyhide
Policy Setting Winning GPO
Account lockout duration 15 minutes Default Domain Policy
Account lockout threshold 3 invalid logon attempts Default Domain Policy
Reset account lockout counter after 10 minutes Default Domain Policy

If I look at the events I show that for this PC "Security policy in the Group policy objects has been applied successfully."

I also see in the Policy events an error for this same PC
"Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration."

But I don't see it for other PCs I have tried.

ASKER

iscapa

I don't think so, but I'll look again. Here is the full gpresult -v

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 10/1/2008 at 8:57:54 AM

RSOP results for xxxxxxxxxxxxxxxxx on PDX85G4G61 : Logging Mode
---------------------------------------------------------------

OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: PCS-DOMAIN
Domain Type: Windows 2000
Site Name: PDX
Roaming Profile:
Local Profile: C:\Documents and Settings\xxxxxx.PCS-DOMAIN
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
CN=PDX85G4G61,CN=Computers,DC=internal,DC=pacific-crest,DC=com
Last time Group Policy was applied: 10/1/2008 at 7:57:13 AM
Group Policy was applied from: pcsspdx-mail.internal.pacific-crest.com
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
PDX85G4G61$
Domain Computers

Resultant Set Of Policies for Computer:
----------------------------------------

Software Installations
----------------------
N/A

Startup Scripts
---------------
N/A

Shutdown Scripts
----------------
N/A

Account Policies
----------------
GPO: Default Domain Policy
Policy: MinimumPasswordAge
Computer Setting: 90

GPO: Default Domain Policy
Policy: PasswordHistorySize
Computer Setting: 1

GPO: Default Domain Policy
Policy: LockoutDuration
Computer Setting: 15

GPO: Default Domain Policy
Policy: ResetLockoutCount
Computer Setting: 10

GPO: Default Domain Policy
Policy: MinimumPasswordLength
Computer Setting: 6

GPO: Default Domain Policy
Policy: LockoutBadCount
Computer Setting: 3

GPO: Default Domain Policy
Policy: MaximumPasswordAge
Computer Setting: 180

Audit Policy
------------
GPO: Default Domain Policy
Policy: AuditAccountLogon
Computer Setting: Failure

GPO: Default Domain Policy
Policy: AuditAccountManage
Computer Setting: Failure

GPO: Default Domain Policy
Policy: AuditLogonEvents
Computer Setting: Failure

User Rights
-----------
GPO: Default Domain Policy
Policy: TcbPrivilege
Computer Setting: PCS-DOMAIN\Domain Users
PCS-DOMAIN\Domain Admins

GPO: Default Domain Policy
Policy: ChangeNotifyPrivilege
Computer Setting: Users
*S-1-5-32-549
PCS-DOMAIN\Domain Users
PCS-DOMAIN\Domain Admins
Everyone
Backup Operators
Administrators

GPO: Default Domain Policy
Policy: InteractiveLogonRight
Computer Setting: Everyone
PCS-DOMAIN\Domain Users

Security Options
----------------
GPO: Default Domain Policy
Policy: RequireLogonToChangePassword
Computer Setting: Not Enabled

GPO: Default Domain Policy
Policy: PasswordComplexity
Computer Setting: Enabled

GPO: Default Domain Policy
Policy: ForceLogoffWhenHourExpire
Computer Setting: Not Enabled

GPO: Default Domain Policy
Policy: ClearTextPassword
Computer Setting: Not Enabled

Event Log Settings
------------------
N/A

Restricted Groups
-----------------
N/A

System Services
---------------
N/A

Registry Settings
-----------------
N/A

File System Settings
--------------------
N/A

Public Key Policies
-------------------
N/A

Administrative Templates
------------------------
N/A

USER SETTINGS
--------------
CN=Joe Boro,CN=Users,DC=internal,DC=pacific-crest,DC=com
Last time Group Policy was applied: 10/1/2008 at 7:06:41 AM
Group Policy was applied from: pcsspdx-mail.internal.pacific-crest.com
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
Debugger Users
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
OPERATIONS
Fortiva Supervision Reviewers
Group Policy Creator Owners
PORTLAND
Fortiva Archive Search Users
Fortiva Supervision report Users
Fortiva User Managers
Everybody
Fortiva Policy Managers
Fortiva Archive Discovery Users
ResearchBI
Rprivate
RESEARCH
BlackBerry Users
Fortiva Archive Disposition Users
Fortiva Archive Report Users
SalesBI
SalesMgmtBI
AAA PC HELP
OPERATIONS
PORTLAND
RESEARCH

Resultant Set Of Policies for User:
------------------------------------

Software Installations
----------------------
N/A

Public Key Policies
-------------------
N/A

Administrative Templates
------------------------
N/A

Folder Redirection
------------------
N/A

Internet Explorer Browser User Interface
----------------------------------------
GPO: Default Domain Policy
Large Animated Bitmap Name: N/A
Large Custom Logo Bitmap Name: N/A
Title BarText: Pacific Crest Securities
UserAgent Text: N/A
Delete existing toolbar buttons: No

Internet Explorer Connection
----------------------------
HTTP Proxy Server: N/A
Secure Proxy Server: N/A
FTP Proxy Server: N/A
Gopher Proxy Server: N/A
Socks Proxy Server: N/A
Auto Config Enable: No
Enable Proxy: No
Use same Proxy: No

Internet Explorer URLs
----------------------
GPO: Default Domain Policy
Home page URL: N/A
Search page URL: N/A
Online support page URL: N/A

Internet Explorer Security
--------------------------
Always Viewable Sites: N/A
Password Override Enabled: False

GPO: Default Domain Policy
Import the current Content Ratings Settings: No
Import the current Security Zones Settings: No
Import current Authenticode Security Information: No
Enable trusted publisher lockdown: No

Internet Explorer Programs
--------------------------
GPO: Default Domain Policy
Import the current Program Settings: No

Horsewhite,

You need to post the gpresults because it also shows security issues that may be keeping the policy from applying. You already have the correct settings for enabling what you are after. We now need to look at WHY its not applying. 9/10 this is a security issue with the Group Policy Object or NTFS settings on the folder that is in sysvol. Either way we need to see the WHOLE OUTPUT from gpresult...
Namely something that looks like this:

Applied Group Policy Objects
-----------------------------
Default Domain Policy
Wireless Network Policy
WSUS Office
LocalADM
Computing Devices
WSUS Loc
TIME-OLDDOMAIN
IE
Local Group Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
-RIS GPO
Filtering: Disabled (GPO)
-EmersonZones
Filtering: Disabled (GPO)
Disable Outlook Junk Mail Filter
Filtering: Disabled (GPO)
The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
USSRM-31TJ1$
USMTN-EAPOL_Computers
Domain Computers
USSTL-Wireless
USMTN-EAPAuth
RUCHE-VLAN-Emerson
System Mandatory Level

ASKER

sstone
I agree about the 20 char passwd but I have to y=take the wins where I can. Just getting them to realize that password enforcement is important is all I can ask for right now. This is a very user coddling environment. With this change I get to not be responsible for keeping track of 125 plus users passwords for domian, IM, variuos web site, etc, etc, and be in trouble if they change a password someplace as well as change the email account the password reset goes to.

ASKER

iscapa
I just posted at 10:39AM PDT that, here it is again in case I cut something out from the file. That and this is from my PC.

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 10/1/2008 at 10:47:30 AM

RSOP results for PCS-DOMAIN\jboro on PDX85G4G61 : Logging Mode
---------------------------------------------------------------

OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: PCS-DOMAIN
Domain Type: Windows 2000
Site Name: PDX
Roaming Profile:
Local Profile: C:\Documents and Settings\jboro.PCS-DOMAIN
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
CN=PDX85G4G61,CN=Computers,DC=internal,DC=pacific-crest,DC=com
Last time Group Policy was applied: 10/1/2008 at 10:01:19 AM
Group Policy was applied from: pcsspdx-mail.internal.pacific-crest.com
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
PDX85G4G61$
Domain Computers

Resultant Set Of Policies for Computer:
----------------------------------------

Software Installations
----------------------
N/A

Startup Scripts
---------------
N/A

Shutdown Scripts
----------------
N/A

Account Policies
----------------
GPO: Default Domain Policy
Policy: MinimumPasswordAge
Computer Setting: 90

GPO: Default Domain Policy
Policy: PasswordHistorySize
Computer Setting: 1

GPO: Default Domain Policy
Policy: LockoutDuration
Computer Setting: 15

GPO: Default Domain Policy
Policy: ResetLockoutCount
Computer Setting: 10

GPO: Default Domain Policy
Policy: MinimumPasswordLength
Computer Setting: 6

GPO: Default Domain Policy
Policy: LockoutBadCount
Computer Setting: 3

GPO: Default Domain Policy
Policy: MaximumPasswordAge
Computer Setting: 180

Audit Policy
------------
GPO: Default Domain Policy
Policy: AuditAccountLogon
Computer Setting: Failure

GPO: Default Domain Policy
Policy: AuditAccountManage
Computer Setting: Failure

GPO: Default Domain Policy
Policy: AuditLogonEvents
Computer Setting: Failure

User Rights
-----------
GPO: Default Domain Policy
Policy: TcbPrivilege
Computer Setting: PCS-DOMAIN\Domain Users
PCS-DOMAIN\Domain Admins

GPO: Default Domain Policy
Policy: ChangeNotifyPrivilege
Computer Setting: Users
*S-1-5-32-549
PCS-DOMAIN\Domain Users
PCS-DOMAIN\Domain Admins
Everyone
Backup Operators
Administrators

GPO: Default Domain Policy
Policy: InteractiveLogonRight
Computer Setting: Everyone
PCS-DOMAIN\Domain Users

Security Options
----------------
GPO: Default Domain Policy
Policy: RequireLogonToChangePassword
Computer Setting: Not Enabled

GPO: Default Domain Policy
Policy: PasswordComplexity
Computer Setting: Enabled

GPO: Default Domain Policy
Policy: ForceLogoffWhenHourExpire
Computer Setting: Not Enabled

GPO: Default Domain Policy
Policy: ClearTextPassword
Computer Setting: Not Enabled

Event Log Settings
------------------
N/A

Restricted Groups
-----------------
N/A

System Services
---------------
N/A

Registry Settings
-----------------
N/A

File System Settings
--------------------
N/A

Public Key Policies
-------------------
N/A

Administrative Templates
------------------------
N/A

USER SETTINGS
--------------
CN=Joe Boro,CN=Users,DC=internal,DC=pacific-crest,DC=com
Last time Group Policy was applied: 10/1/2008 at 10:03:05 AM
Group Policy was applied from: pcsspdx-mail.internal.pacific-crest.com
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
Debugger Users
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
OPERATIONS
Fortiva Supervision Reviewers
Group Policy Creator Owners
PORTLAND
Fortiva Archive Search Users
Fortiva Supervision report Users
Fortiva User Managers
Everybody
Fortiva Policy Managers
Fortiva Archive Discovery Users
ResearchBI
Rprivate
RESEARCH
BlackBerry Users
Fortiva Archive Disposition Users
Fortiva Archive Report Users
SalesBI
SalesMgmtBI
AAA PC HELP
OPERATIONS
PORTLAND
RESEARCH

Resultant Set Of Policies for User:
------------------------------------

Software Installations
----------------------
N/A

Public Key Policies
-------------------
N/A

Administrative Templates
------------------------
N/A

Folder Redirection
------------------
N/A

Internet Explorer Browser User Interface
----------------------------------------
GPO: Default Domain Policy
Large Animated Bitmap Name: N/A
Large Custom Logo Bitmap Name: N/A
Title BarText: Pacific Crest Securities
UserAgent Text: N/A
Delete existing toolbar buttons: No

Internet Explorer Connection
----------------------------
HTTP Proxy Server: N/A
Secure Proxy Server: N/A
FTP Proxy Server: N/A
Gopher Proxy Server: N/A
Socks Proxy Server: N/A
Auto Config Enable: No
Enable Proxy: No
Use same Proxy: No

Internet Explorer URLs
----------------------
GPO: Default Domain Policy
Home page URL: N/A
Search page URL: N/A
Online support page URL: N/A

Internet Explorer Security
--------------------------
Always Viewable Sites: N/A
Password Override Enabled: False

GPO: Default Domain Policy
Import the current Content Ratings Settings: No
Import the current Security Zones Settings: No
Import current Authenticode Security Information: No
Enable trusted publisher lockdown: No

Internet Explorer Programs
--------------------------
GPO: Default Domain Policy
Import the current Program Settings: No

Ok good so security is no the problem
Now we have a GP that is set to take action fails to do so and security is not involved. Out of couriosity, will th epassword rules take affect doing the following?
1. Change users password on DC
2. Login to client attempt to change password.
You have minimum password age set to 90 days so it shouldn't let you change the password again. We're setting it on the DC so we can see if the DC is even forcing application locally for the password rules. If you've already tried that let us know the results.

What happens if you set your account to require passwsord change at next logon? After logging in does it require a new password that meets the complexity requirements?

ASKER

GPRESULT -Z

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 10/1/2008 at 10:52:32 AM

RSOP results for PCS-DOMAIN\jboro on PDX85G4G61 : Logging Mode
---------------------------------------------------------------

OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: PCS-DOMAIN
Domain Type: Windows 2000
Site Name: PDX
Roaming Profile:
Local Profile: C:\Documents and Settings\jboro.PCS-DOMAIN
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
CN=PDX85G4G61,CN=Computers,DC=internal,DC=pacific-crest,DC=com
Last time Group Policy was applied: 10/1/2008 at 10:01:19 AM
Group Policy was applied from: pcsspdx-mail.internal.pacific-crest.com
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
PDX85G4G61$
Domain Computers

Resultant Set Of Policies for Computer:
----------------------------------------

Software Installations
----------------------
N/A

Startup Scripts
---------------
N/A

Shutdown Scripts
----------------
N/A

Account Policies
----------------
GPO: Default Domain Policy
Policy: MinimumPasswordAge
Computer Setting: 90

GPO: Default Domain Policy
Policy: PasswordHistorySize
Computer Setting: 1

GPO: Default Domain Policy
Policy: LockoutDuration
Computer Setting: 15

GPO: Default Domain Policy
Policy: ResetLockoutCount
Computer Setting: 10

GPO: Default Domain Policy
Policy: MinimumPasswordLength
Computer Setting: 6

GPO: Default Domain Policy
Policy: LockoutBadCount
Computer Setting: 3

GPO: Default Domain Policy
Policy: MaximumPasswordAge
Computer Setting: 180

Audit Policy
------------
GPO: Default Domain Policy
Policy: AuditAccountLogon
Computer Setting: Failure

GPO: Default Domain Policy
Policy: AuditAccountManage
Computer Setting: Failure

GPO: Default Domain Policy
Policy: AuditLogonEvents
Computer Setting: Failure

User Rights
-----------
GPO: Default Domain Policy
Policy: TcbPrivilege
Computer Setting: PCS-DOMAIN\Domain Users
PCS-DOMAIN\Domain Admins

GPO: Default Domain Policy
Policy: ChangeNotifyPrivilege
Computer Setting: Users
*S-1-5-32-549
PCS-DOMAIN\Domain Users
PCS-DOMAIN\Domain Admins
Everyone
Backup Operators
Administrators

GPO: Default Domain Policy
Policy: InteractiveLogonRight
Computer Setting: Everyone
PCS-DOMAIN\Domain Users

Security Options
----------------
GPO: Default Domain Policy
Policy: RequireLogonToChangePassword
Computer Setting: Not Enabled

GPO: Default Domain Policy
Policy: PasswordComplexity
Computer Setting: Enabled

GPO: Default Domain Policy
Policy: ForceLogoffWhenHourExpire
Computer Setting: Not Enabled

GPO: Default Domain Policy
Policy: ClearTextPassword
Computer Setting: Not Enabled

Event Log Settings
------------------
N/A

Restricted Groups
-----------------
N/A

System Services
---------------
N/A

Registry Settings
-----------------
N/A

File System Settings
--------------------
N/A

Public Key Policies
-------------------
N/A

Administrative Templates
------------------------
N/A

USER SETTINGS
--------------
CN=Joe Boro,CN=Users,DC=internal,DC=pacific-crest,DC=com
Last time Group Policy was applied: 10/1/2008 at 10:03:05 AM
Group Policy was applied from: pcsspdx-mail.internal.pacific-crest.com
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
Debugger Users
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
OPERATIONS
Fortiva Supervision Reviewers
Group Policy Creator Owners
PORTLAND
Fortiva Archive Search Users
Fortiva Supervision report Users
Fortiva User Managers
Everybody
Fortiva Policy Managers
Fortiva Archive Discovery Users
ResearchBI
Rprivate
RESEARCH
BlackBerry Users
Fortiva Archive Disposition Users
Fortiva Archive Report Users
SalesBI
SalesMgmtBI
AAA PC HELP
OPERATIONS
PORTLAND
RESEARCH

Resultant Set Of Policies for User:
------------------------------------

Software Installations
----------------------
N/A

Public Key Policies
-------------------
N/A

Administrative Templates
------------------------
N/A

Folder Redirection
------------------
N/A

Internet Explorer Browser User Interface
----------------------------------------
GPO: Default Domain Policy
Large Animated Bitmap Name: N/A
Large Custom Logo Bitmap Name: N/A
Title BarText: Pacific Crest Securities
UserAgent Text: N/A
Delete existing toolbar buttons: No

Internet Explorer Connection
----------------------------
HTTP Proxy Server: N/A
Secure Proxy Server: N/A
FTP Proxy Server: N/A
Gopher Proxy Server: N/A
Socks Proxy Server: N/A
Auto Config Enable: No
Enable Proxy: No
Use same Proxy: No

Internet Explorer URLs
----------------------
GPO: Default Domain Policy
Home page URL: N/A
Search page URL: N/A
Online support page URL: N/A

Internet Explorer Security
--------------------------
Always Viewable Sites: N/A
Password Override Enabled: False

GPO: Default Domain Policy
Import the current Content Ratings Settings: No
Import the current Security Zones Settings: No
Import current Authenticode Security Information: No
Enable trusted publisher lockdown: No

Internet Explorer Programs
--------------------------
GPO: Default Domain Policy
Import the current Program Settings: No

I apologise because I didnt't read thoroughly all previously posted comments, but from what I understand, you are posting gpresult output from client computers? It does not matter which setting apply to clients, you should run gpresult on domain controller. This is where passwords are stored and changed. If your password policy does not apply to all domain controllers, you might have inconsistencies or password policy which does not apply at all.

Can you post gpresult from any DC?

I'm sorry did I say client? toniur is correct DC... sorry two different threads going. Also have a look at KB259576. I assume that the default domain policy is linked at the domain level and hasn't been moved somewhere else? This may cause DC's to ignore.

ASKER

OK here are the gpreult -v from the PDC. I haven't looked at it.

Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999

Created on Wednesday, October 01, 2008 at 11:38:32 AM

Operating System Information:

Operating System Type:            Domain Controller
Operating System Version:      5.0.2195.Service Pack 4
Terminal Server Mode:            Remote Administration

###############################################################

User Group Policy results for:

CN=Administrator,CN=Users,DC=internal,DC=pacific-crest,DC=com

Domain Name:            PCS-DOMAIN
Domain Type:            Windows 2000
Site Name:            PDX

Roaming profile:      (None)
Local profile:      C:\Documents and Settings\Administrator.PCS-DOMAIN

The user is a member of the following security groups:

      PCS-DOMAIN\Domain Admins
      \Everyone
      BUILTIN\Administrators
      BUILTIN\Users
      BUILTIN\Pre-Windows 2000 Compatible Access
      NT AUTHORITY\INTERACTIVE
      NT AUTHORITY\Authenticated Users
      \LOCAL
      PCS-DOMAIN\Group Policy Creator Owners
      PCS-DOMAIN\Exchange Services
      PCS-DOMAIN\Everybody
      PCS-DOMAIN\IB PDX
      PCS-DOMAIN\Exchange Domain Servers
      PCS-DOMAIN\SMEX Admin Group
      PCS-DOMAIN\TopTools
      PCS-DOMAIN\Enterprise Admins
      PCS-DOMAIN\Schema Admins
      PCS-DOMAIN\Exchange Enterprise Servers
      PCS-DOMAIN\DnsAdmins

The user has the following security privileges:

      Act as part of the operating system
      Generate security audits
      Restore files and directories
      Create a token object
      Enable computer and user accounts to be trusted for delegation
      Add workstations to domain
      Bypass traverse checking
      Manage auditing and security log
      Back up files and directories
      Change the system time
      Shut down the system
      Force shutdown from a remote system
      Take ownership of files or other objects
      Debug programs
      Modify firmware environment values
      Profile system performance
      Profile single process
      Increase scheduling priority
      Load and unload device drivers
      Create a pagefile
      Increase quotas
      Remove computer from docking station
      Impersonate a client after authentication
      Create global objects

###############################################################

Last time Group Policy was applied: Wednesday, October 01, 2008 at 11:09:35 AM
Group Policy was applied from: pcsspdx-mail.internal.pacific-crest.com

===============================================================
The user received "Internet Explorer Branding" settings from these GPOs:

      Default Domain Policy
       Revision Number:      5
       Unique Name:      {31B2F340-016D-11D2-945F-00C04FB984F9}
       Domain Name:      internal.pacific-crest.com
       Linked to:            Domain (DC=internal,DC=pacific-crest,DC=com)

      Additional information is not available for this type of policy setting.

###############################################################

Computer Group Policy results for:

CN=PCSSPDX-MAIL,OU=Domain Controllers,DC=internal,DC=pacific-crest,DC=com

Domain Name:            PCS-DOMAIN
Domain Type:            Windows 2000
Site Name:            PDX

The computer is a member of the following security groups:

      BUILTIN\Administrators
      \Everyone
      BUILTIN\Users
      BUILTIN\Pre-Windows 2000 Compatible Access
      NT AUTHORITY\NETWORK
      NT AUTHORITY\Authenticated Users
      PCS-DOMAIN\PCSSPDX-MAIL$
      PCS-DOMAIN\Exchange Domain Servers
      PCS-DOMAIN\Domain Controllers
      NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
      PCS-DOMAIN\Exchange Enterprise Servers

###############################################################

Last time Group Policy was applied: Wednesday, October 01, 2008 at 11:37:38 AM
Group Policy was applied from: pcsspdx-mail.internal.pacific-crest.com

===============================================================

The computer received "Registry" settings from these GPOs:

      Local Group Policy
       Revision Number:      6
       Unique Name:      Local Group Policy
       Domain Name:
       Linked to:            Local computer

      The following settings were applied from: Local Group Policy

       KeyName:      Software\Policies\Microsoft\SystemCertificates\EFS
       ValueName:      EFSBlob
       ValueType:      REG_BINARY
       Value:      Binary data. Use the /S switch to display.

       KeyName:      Software\Policies\Microsoft\SystemCertificates\EFS\Certificates\385F0FCAC098E47E47731FDD87D8AF8B3F8B18D3
       ValueName:      Blob
       ValueType:      REG_BINARY
       Value:      Binary data. Use the /S switch to display.

       KeyName:      Software\Policies\Microsoft\SystemCertificates\EFS\CRLs
       ValueName:
       ValueType:      REG_NONE
       Value:      This key contains no values

       KeyName:      Software\Policies\Microsoft\SystemCertificates\EFS\CTLs
       ValueName:
       ValueType:      REG_NONE
       Value:      This key contains no values

===============================================================
The computer received "Security" settings from these GPOs:

      Local Group Policy
       Revision Number:      6
       Unique Name:      Local Group Policy
       Domain Name:
       Linked to:            Local computer

      Default Domain Controllers Policy
       Revision Number:      139
       Unique Name:      {6AC1786C-016F-11D2-945F-00C04fB984F9}
       Domain Name:      INTERNAL.PACIFIC-CREST.COM
       Linked to:            Organizational Unit (OU=Domain Controllers,DC=internal,DC=pacific-crest,DC=com)

      Run the Security Configuration Editor for more information.

===============================================================
The computer received "EFS recovery" settings from these GPOs:

      Local Group Policy
       Revision Number:      6
       Unique Name:      Local Group Policy
       Domain Name:
       Linked to:            Local computer

      Additional information is not available for this type of policy setting.

ASKER

gpresult -z from the PDC

Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999

Created on Wednesday, October 01, 2008 at 11:40:19 AM

Operating System Information:

Operating System Type:            Domain Controller
Operating System Version:      5.0.2195.Service Pack 4
Terminal Server Mode:            Remote Administration

###############################################################

User Group Policy results for:

CN=Administrator,CN=Users,DC=internal,DC=pacific-crest,DC=com

Domain Name:            PCS-DOMAIN
Domain Type:            Windows 2000
Site Name:            PDX

Roaming profile:      (None)
Local profile:      C:\Documents and Settings\Administrator.PCS-DOMAIN

The user is a member of the following security groups:

      PCS-DOMAIN\Domain Admins
      \Everyone
      BUILTIN\Administrators
      BUILTIN\Users
      BUILTIN\Pre-Windows 2000 Compatible Access
      NT AUTHORITY\INTERACTIVE
      NT AUTHORITY\Authenticated Users
      \LOCAL
      PCS-DOMAIN\Group Policy Creator Owners
      PCS-DOMAIN\Exchange Services
      PCS-DOMAIN\Everybody
      PCS-DOMAIN\IB PDX
      PCS-DOMAIN\Exchange Domain Servers
      PCS-DOMAIN\SMEX Admin Group
      PCS-DOMAIN\TopTools
      PCS-DOMAIN\Enterprise Admins
      PCS-DOMAIN\Schema Admins
      PCS-DOMAIN\Exchange Enterprise Servers
      PCS-DOMAIN\DnsAdmins

###############################################################

Last time Group Policy was applied: Wednesday, October 01, 2008 at 11:09:35 AM
Group Policy was applied from: pcsspdx-mail.internal.pacific-crest.com

===============================================================
The user received "Internet Explorer Branding" settings from these GPOs:

      Default Domain Policy

###############################################################

Computer Group Policy results for:

CN=PCSSPDX-MAIL,OU=Domain Controllers,DC=internal,DC=pacific-crest,DC=com

Domain Name:            PCS-DOMAIN
Domain Type:            Windows 2000
Site Name:            PDX

The computer is a member of the following security groups:

      BUILTIN\Administrators
      \Everyone
      BUILTIN\Users
      BUILTIN\Pre-Windows 2000 Compatible Access
      NT AUTHORITY\NETWORK
      NT AUTHORITY\Authenticated Users
      PCS-DOMAIN\PCSSPDX-MAIL$
      PCS-DOMAIN\Exchange Domain Servers
      PCS-DOMAIN\Domain Controllers
      NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
      PCS-DOMAIN\Exchange Enterprise Servers

###############################################################

Last time Group Policy was applied: Wednesday, October 01, 2008 at 11:37:38 AM
Group Policy was applied from: pcsspdx-mail.internal.pacific-crest.com

===============================================================

The computer received "Registry" settings from these GPOs:

      Local Group Policy

===============================================================
The computer received "Security" settings from these GPOs:

      Local Group Policy
      Default Domain Controllers Policy

===============================================================
The computer received "EFS recovery" settings from these GPOs:

      Local Group Policy

horsewhite this is win2k so run it with gpresult -v see if the output looks differently.

ASKER

the 11:41AM posting is -v. Yes it is a mixed 2000/2003.

I read the kb259576 "The following settings are applied to domain controllers in Windows 2000 only when the group policy is linked to the Domain container: " All settings in Computer Configuration/Windows Settings/Security Settings/Account Policies (This includes all of the Account Lockout, Password, and Kerberos policies.) ". The account policies above are the only changes I made and am aware of. So if I understand this no linking is required. I made the changes in the AD users & computers -> properties -> group policy (Block Policy inheritance is NOT checked) -> default domain policy -> edit -> Windows Settings -> Security Settings -> Account Policy -> Password Policy & Account lockout Policy. No linking required correct?

ASKER

upping the points...

The last 2 gpresult postings were from the PDC.

Correct.
Can you set your user account to require a password change at next logon. Logout and back in attempt to reuse the same password again. Does it let you?

ASKER

"Can you set your user account to require a password change at next logon. Logout and back in attempt to reuse the same password again. Does it let you?"

Hmmm. I tried this earlier and it took 2 reboots for the dialog to come up to change the password. I didn't try just a logout.
I just now tried it again and after the first reboot like before no change passwd notice. On second try I got the dialog about "Your password must be 0 characters, cannot repeat any of your previous 1 passwords and must be at least 0 days old" So it seems some of it has been enabled. BUT I could us "aaa" as my new password and once in I could change it back to my old password.

ASKER

It appears my last posting didn't make it through...

Yes I tried this earlier today and it took 2 reboots (I didn't try just logging out, did a full reboot) and after the second reboot it made me change the password. I could change it to something that would have violated the new password rules. Once logged in I was able change the password back again.

I tried this again after seeing your posting. I set my account to require a password change next login. First reboot nothing, I logged in with my password. No warning or change required. After the second reboot I got the must change password dialog. I attempted to change it to a password less than required by the policy and got "Your password must be 0 characters, cannot repeat any of your previous 1 passwords and must be at least 0 days old". Once logged in no policy applied... eg I changed my password under the 90 days and under the complexity

From all I can see these policies should apply and from the last login it appears AD is "trying". Like I said earlier these changes where made over 12 hours ago well past the 90 minute default. I did a gpupdate last night. I shouldn't have to reboot the DC but I may try that next since it seems to fix and apply 95% of all other changes in Windows. I would really rather hear that I missed some small part of this as I would really like to start using GPO's to manage an otherwise unmanageable Wondows domain.

Horsewhite,
Your on the right track GPO's are handy tools for managing your domain. There were quite a few issues with GP's on 2000 DC's (mainly since they were the same ADM files from 95...) but anyhow they should still be applying. It now looks more like a possible issue with AD itself and not the policy settings at all. I know some of this may be redundant or seem unimportant but it's the same steps that MS would have you pay $135 and at least we speak English...
Let's do the following to make sure the GP templates are healthy.
1. Open GPMC and highlight "Default Domain Policy"
2. Go to the "Details" tab and make sure the "User Version" matches in both locations (AD & SYSVOL)
3. Make sure that the "Computer Version" matches in both locations (AD & SYSVOL)
The version may not match each other (User vs Computer) since each module is updated and tracked seperately.
4. Back on the "Scope" tab who is listed in Security Filtering?
5. Under "Links" what location is listed? Is it Enforced? Path?
Another helpfull tool when troubleshooting GP or AD issues in general is Microsoft MPSreports. Lets go ahead and run these as well and post the zip file. Make sure and download the copy for Directory Services...
http://www.microsoft.com/downloads/details.aspx?familyid=cebf3c7c-7ca5-408f-88b7-f9c79b7306c0&displaylang=en

ASKER

All match
User version: 5 (AD), 5 (sysvol)
Computer version: 5 (AD), 5 (sysvol)

Authenticated Users
Domain Admins
Enterprise Admins

5. Under "Links" what location is listed? Is it Enforced? Path?
I'm not sure how to check if it is enforced and what the path is but under Links in the Display links in the location: our domain is listed.

I'm going through the MS reporting stuff now.

ASKER

Duh! I was looking right at it! Sorry busy morning...
As I said display link in this location has our domain listed internal.pacific-crest.com.

Under "The following site, domains, and OUs are linked to this GPO:"
Location Enforced Link Enabled Path
internal.pacific-crest.com No Yes internal.pacific-crest.com
Terminal Servers No Yes internal.pacific-crest.com

Do I need to enforce it?

Under Details GPO status is enabled.

Yes. Enforcing apolicy such as the default domain policy is a good idea. See http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsec_pol_dyzr.mspx?mfr=true ans the note about limiting use. For this case I would say lets Enforce it.

ASKER

Enforcing did it. I overlooked that in the mix. I feel dumb but glad it is up and working. In addition to more research on AD & GP what more do I need to do to insure things are running smoothly?

ASKER CERTIFIED SOLUTION

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

ASKER

Thanks for the help.

No problems. Iscapa knows his stuff.

Lol thanks I got some inside information while I was employeed in Directory Services at MS...

Hey Horsewhite, go ahead and close this one, be sure and give Iscapa the "A" grade!

ASKER

Hmmm it tells me that this Q has already been closed. I closed last week but I can see that it appears to still be open.

Okay, well now it shows an accepted solution. Oh well!