horsewhite
asked on
Account GPO Applied but not Working
Hi,
I think this is an easy one, I hope anyway. I have set the following account policies in our Default Domain Policy. I expected nearly all of our users to be prompted to change their password (many have had the same simple password for years) but nada. I tried changing my own password to one that would not meet the complexity rule and could... Basically none of the below has been enabled. What am I doing wrong? What do I not understand?
Thanks.
********** Snipped from gpresult **********
Resultant Set Of Policies for Computer:
----------------------------------------
Software Installations
----------------------
N/A
Account Policies
----------------
GPO: Default Domain Policy
Policy: MinimumPasswordAge
Computer Setting: 90
GPO: Default Domain Policy
Policy: PasswordHistorySize
Computer Setting: 1
GPO: Default Domain Policy
Policy: LockoutDuration
Computer Setting: 15
GPO: Default Domain Policy
Policy: ResetLockoutCount
Computer Setting: 10
GPO: Default Domain Policy
Policy: MinimumPasswordLength
Computer Setting: 6
GPO: Default Domain Policy
Policy: LockoutBadCount
Computer Setting: 3
GPO: Default Domain Policy
Policy: MaximumPasswordAge
Computer Setting: 180
Security Options
----------------
GPO: Default Domain Policy
Policy: RequireLogonToChangePassword
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: PasswordComplexity
Computer Setting: Enabled
**********
To force password change after changing policy, here is a link to a script that can help you do that.
http://www.computerperformance.co.uk/vbscript/vbscript_pwdlastset.htm
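Added example, not code from this thread or from the linked VBScript page: a PowerShell script that reads the password policy as the domain controllers hold it (account policies for domain accounts are enforced on the DCs, so a workstation gpresult alone does not prove they are in force), reports enabled accounts whose password is older than MaxPasswordAge or exempt from expiry, and with -Enforce marks them to change at next logon, which is what the linked script does by zeroing pwdLastSet. It assumes the ActiveDirectory module from RSAT on a domain-joined machine with rights to read and, for -Enforce, modify user accounts; the SearchBase and Enforce parameters are this script's own choices.

```powershell
# Added example (not from the thread): audit password age against the domain's
# effective password policy and, optionally, require a change at next logon.
# Assumes the ActiveDirectory module (RSAT). The cmdlets are real; SearchBase
# and Enforce are parameters invented for this script.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = $null,   # OU distinguished name; $null = whole domain
    [switch]$Enforce               # without it the script only reports
)

Import-Module ActiveDirectory -ErrorAction Stop

# Account policies are enforced by the domain controllers, so read the values the
# DCs actually hold rather than what gpresult shows on a workstation.
$policy = Get-ADDefaultDomainPasswordPolicy
Write-Output ("Effective domain policy: MaxAge={0} days, MinAge={1} days, MinLength={2}, Complexity={3}, History={4}" -f
    $policy.MaxPasswordAge.Days, $policy.MinPasswordAge.Days, $policy.MinPasswordLength,
    $policy.ComplexityEnabled, $policy.PasswordHistoryCount)

if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero) {
    Write-Warning "MaxPasswordAge is 0 (passwords never expire); nobody will be prompted to change."
}

# Any password set before this point is past the maximum age.
$cutoff = (Get-Date) - $policy.MaxPasswordAge

$params = @{
    Filter     = 'Enabled -eq $true'
    Properties = 'PasswordLastSet', 'PasswordNeverExpires', 'pwdLastSet'
}
if ($SearchBase) { $params.SearchBase = $SearchBase }

$stale = @(Get-ADUser @params | Where-Object {
    # pwdLastSet = 0 means "must change at next logon" is already set; skip those.
    $_.pwdLastSet -ne 0 -and (
        $_.PasswordNeverExpires -or          # exempt from expiry by account flag
        $null -eq $_.PasswordLastSet -or     # never set
        $_.PasswordLastSet -lt $cutoff       # older than MaxPasswordAge
    )
})

$stale | Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires |
    Sort-Object PasswordLastSet | Format-Table -AutoSize

Write-Output ("{0} enabled account(s) have a password older than {1} days or exempt from expiry." -f
    $stale.Count, $policy.MaxPasswordAge.Days)

if ($Enforce) {
    foreach ($u in $stale) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Require password change at next logon')) {
            # "Password never expires" and "must change at next logon" are mutually
            # exclusive, so clear the flag first, then zero pwdLastSet via
            # -ChangePasswordAtLogon (the same effect as the linked VBScript).
            Set-ADUser -Identity $u -PasswordNeverExpires $false
            Set-ADUser -Identity $u -ChangePasswordAtLogon $true
        }
    }
}
```

Run it without -Enforce first; with -Enforce -WhatIf it lists the accounts it would change without touching them.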
Horsewhite--
Some quick questions for you. Apologies if any of these strike you as obvious or obtuse.
--Are you logging in with a domain account, or a local computer account?
The GPO will only apply to domain accounts.
--Have you tried rebooting the client computer twice?
Some policies will not be fully applied until a domain client computer has been rebooted twice--once to receive the new policy, and the second time to apply it. However, this is really for computer policies, not user policies like your password restrictions.
Ultimately, you can use the Group Policy Management Console ("GPMC") to determine if the policy is being applied to each of your users' accounts when logging into their computers. If the GPMC isn't in Administrative Tools on your server, you can download it from Microsoft at:
http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en
Install the GPMC, and open it. Then on the left, right-click on Group Policy Results and select "Group Policy Results Wizard". Use the wizard to select one of your domain computers, and then select one of the domain accounts found on that computer. The results Summary will appear on the right, and allow you to check the "Component Status" of the user policies that have been applied, or failed to be applied.
Hope this helps.
Dimarc67
New York, NY
ASKER
I agree on the complexity vs. 6 min length but it isn't up to me.
Yes, I refreshed via gpupdate. The gpresult shows they have been applied, I made the changes nearly 12 hours ago.
I tried changing my password from one that meets the complexity to one that didn't. It let me, it also let me change the password 3 or 4 times in a few minutes.
can you post the following from a client?
gpresult /v > gp.txt & gp.txt
It will post to notepad and open it.
then run gpresult /z > gp1.txt & gp1.txt
Let's see what's going on with the policy engine on the client.
Also, do you have "Block Policy Inheritance" enabled anywhere in your domain?
A six character password can be broken by brute force in a couple of hours no matter how complex the password is. A 10 character password will take years for a brute force attack to succeed. 256^6 is roughly 281 trillion possibilities; 256^10 is roughly 1,208,925,819,614 trillion possibilities. A ten character password using only upper and lower case and numbers -- 62^10 -- is about 3000 times more complex than a six character complex password.
ASKER
dimarc67
NP I don't mind making sure the obvious is taken care of. One thing I didn't point out is that I'm in the domain admin group.
Yes, using a domain account. Rebooted twice.
I used GPMC to see what is being applied and it is identical (as best I can see) to what comes from the gpresults that I posted. Doesn't the gpresult above show it has been applied?
I have looked at a few PCs and they have the same results.
GPMC Results less gui
Account Policies/Password Policy
Policy Setting Winning GPO
Enforce password history 1 passwords remembered Default Domain Policy
Maximum password age 180 days Default Domain Policy
Minimum password age 90 days Default Domain Policy
Minimum password length 6 characters Default Domain Policy
Password must meet complexity requirements Enabled Default Domain Policy
Store passwords using reversible encryption Disabled Default Domain Policy
Account Policies/Account Lockout Policy
Policy Setting Winning GPO
Account lockout duration 15 minutes Default Domain Policy
Account lockout threshold 3 invalid logon attempts Default Domain Policy
Reset account lockout counter after 10 minutes Default Domain Policy
If I look at the events I show that for this PC "Security policy in the Group policy objects has been applied successfully."
I also see in the Policy events an error for this same PC
"Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration."
But I don't see it for other PCs I have tried.
ASKER
iscapa
I don't think so, but I'll look again. Here is the full gpresult -v
Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 10/1/2008 at 8:57:54 AM
RSOP results for xxxxxxxxxxxxxxxxx on PDX85G4G61 : Logging Mode
---------------------------------------------------------------
OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: PCS-DOMAIN
Domain Type: Windows 2000
Site Name: PDX
Roaming Profile:
Local Profile: C:\Documents and Settings\xxxxxx.PCS-DOMAIN
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=PDX85G4G61,CN=Computers,DC=internal,DC=pacific-crest,DC=com
Last time Group Policy was applied: 10/1/2008 at 7:57:13 AM
Group Policy was applied from: pcsspdx-mail.internal.pacific-crest.com
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
PDX85G4G61$
Domain Computers
Resultant Set Of Policies for Computer:
----------------------------------------
Software Installations
----------------------
N/A
Startup Scripts
---------------
N/A
Shutdown Scripts
----------------
N/A
Account Policies
----------------
GPO: Default Domain Policy
Policy: MinimumPasswordAge
Computer Setting: 90
GPO: Default Domain Policy
Policy: PasswordHistorySize
Computer Setting: 1
GPO: Default Domain Policy
Policy: LockoutDuration
Computer Setting: 15
GPO: Default Domain Policy
Policy: ResetLockoutCount
Computer Setting: 10
GPO: Default Domain Policy
Policy: MinimumPasswordLength
Computer Setting: 6
GPO: Default Domain Policy
Policy: LockoutBadCount
Computer Setting: 3
GPO: Default Domain Policy
Policy: MaximumPasswordAge
Computer Setting: 180
Audit Policy
------------
GPO: Default Domain Policy
Policy: AuditAccountLogon
Computer Setting: Failure
GPO: Default Domain Policy
Policy: AuditAccountManage
Computer Setting: Failure
GPO: Default Domain Policy
Policy: AuditLogonEvents
Computer Setting: Failure
User Rights
-----------
GPO: Default Domain Policy
Policy: TcbPrivilege
Computer Setting: PCS-DOMAIN\Domain Users
PCS-DOMAIN\Domain Admins
GPO: Default Domain Policy
Policy: ChangeNotifyPrivilege
Computer Setting: Users
*S-1-5-32-549
PCS-DOMAIN\Domain Users
PCS-DOMAIN\Domain Admins
Everyone
Backup Operators
Administrators
GPO: Default Domain Policy
Policy: InteractiveLogonRight
Computer Setting: Everyone
PCS-DOMAIN\Domain Users
Security Options
----------------
GPO: Default Domain Policy
Policy: RequireLogonToChangePassword
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: PasswordComplexity
Computer Setting: Enabled
GPO: Default Domain Policy
Policy: ForceLogoffWhenHourExpire
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: ClearTextPassword
Computer Setting: Not Enabled
Event Log Settings
------------------
N/A
Restricted Groups
-----------------
N/A
System Services
---------------
N/A
Registry Settings
-----------------
N/A
File System Settings
--------------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
N/A
USER SETTINGS
--------------
CN=Joe Boro,CN=Users,DC=internal,DC=pacific-crest,DC=com
Last time Group Policy was applied: 10/1/2008 at 7:06:41 AM
Group Policy was applied from: pcsspdx-mail.internal.pacific-crest.com
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
Debugger Users
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
OPERATIONS
Fortiva Supervision Reviewers
Group Policy Creator Owners
PORTLAND
Fortiva Archive Search Users
Fortiva Supervision report Users
Fortiva User Managers
Everybody
Fortiva Policy Managers
Fortiva Archive Discovery Users
ResearchBI
Rprivate
RESEARCH
BlackBerry Users
Fortiva Archive Disposition Users
Fortiva Archive Report Users
SalesBI
SalesMgmtBI
AAA PC HELP
OPERATIONS
PORTLAND
RESEARCH
Resultant Set Of Policies for User:
------------------------------------
Software Installations
----------------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
N/A
Folder Redirection
------------------
N/A
Internet Explorer Browser User Interface
----------------------------------------
GPO: Default Domain Policy
Large Animated Bitmap Name: N/A
Large Custom Logo Bitmap Name: N/A
Title BarText: Pacific Crest Securities
UserAgent Text: N/A
Delete existing toolbar buttons: No
Internet Explorer Connection
----------------------------
HTTP Proxy Server: N/A
Secure Proxy Server: N/A
FTP Proxy Server: N/A
Gopher Proxy Server: N/A
Socks Proxy Server: N/A
Auto Config Enable: No
Enable Proxy: No
Use same Proxy: No
Internet Explorer URLs
----------------------
GPO: Default Domain Policy
Home page URL: N/A
Search page URL: N/A
Online support page URL: N/A
Internet Explorer Security
--------------------------
Always Viewable Sites: N/A
Password Override Enabled: False
GPO: Default Domain Policy
Import the current Content Ratings Settings: No
Import the current Security Zones Settings: No
Import current Authenticode Security Information: No
Enable trusted publisher lockdown: No
Internet Explorer Programs
--------------------------
GPO: Default Domain Policy
Import the current Program Settings: No
Horsewhite,
You need to post the gpresults because it also shows security issues that may be keeping the policy from applying. You already have the correct settings for enabling what you are after. We now need to look at WHY it's not applying. 9/10 this is a security issue with the Group Policy Object or NTFS settings on the folder that is in sysvol. Either way we need to see the WHOLE OUTPUT from gpresult...
Namely something that looks like this:
Applied Group Policy Objects
-----------------------------
Default Domain Policy
Wireless Network Policy
WSUS Office
LocalADM
Computing Devices
WSUS Loc
TIME-OLDDOMAIN
IE
Local Group Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
-RIS GPO
Filtering: Disabled (GPO)
-EmersonZones
Filtering: Disabled (GPO)
Disable Outlook Junk Mail Filter
Filtering: Disabled (GPO)
The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
USSRM-31TJ1$
USMTN-EAPOL_Computers
Domain Computers
USSTL-Wireless
USMTN-EAPAuth
RUCHE-VLAN-Emerson
System Mandatory Level
ASKER
sstone
I agree about the 20 char passwd but I have to take the wins where I can. Just getting them to realize that password enforcement is important is all I can ask for right now. This is a very user coddling environment. With this change I get to not be responsible for keeping track of 125 plus users' passwords for domain, IM, various web sites, etc, etc, and be in trouble if they change a password someplace as well as change the email account the password reset goes to.
ASKER
iscapa
I just posted that at 10:39AM PDT; here it is again in case I cut something out from the file. That and this is from my PC.
Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 10/1/2008 at 10:47:30 AM
RSOP results for PCS-DOMAIN\jboro on PDX85G4G61 : Logging Mode
---------------------------------------------------------------
OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: PCS-DOMAIN
Domain Type: Windows 2000
Site Name: PDX
Roaming Profile:
Local Profile: C:\Documents and Settings\jboro.PCS-DOMAIN
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=PDX85G4G61,CN=Computers,DC=internal,DC=pacific-crest,DC=com
Last time Group Policy was applied: 10/1/2008 at 10:01:19 AM
Group Policy was applied from: pcsspdx-mail.internal.pacific-crest.com
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
PDX85G4G61$
Domain Computers
Resultant Set Of Policies for Computer:
----------------------------------------
Software Installations
----------------------
N/A
Startup Scripts
---------------
N/A
Shutdown Scripts
----------------
N/A
Account Policies
----------------
GPO: Default Domain Policy
Policy: MinimumPasswordAge
Computer Setting: 90
GPO: Default Domain Policy
Policy: PasswordHistorySize
Computer Setting: 1
GPO: Default Domain Policy
Policy: LockoutDuration
Computer Setting: 15
GPO: Default Domain Policy
Policy: ResetLockoutCount
Computer Setting: 10
GPO: Default Domain Policy
Policy: MinimumPasswordLength
Computer Setting: 6
GPO: Default Domain Policy
Policy: LockoutBadCount
Computer Setting: 3
GPO: Default Domain Policy
Policy: MaximumPasswordAge
Computer Setting: 180
Audit Policy
------------
GPO: Default Domain Policy
Policy: AuditAccountLogon
Computer Setting: Failure
GPO: Default Domain Policy
Policy: AuditAccountManage
Computer Setting: Failure
GPO: Default Domain Policy
Policy: AuditLogonEvents
Computer Setting: Failure
User Rights
-----------
GPO: Default Domain Policy
Policy: TcbPrivilege
Computer Setting: PCS-DOMAIN\Domain Users
PCS-DOMAIN\Domain Admins
GPO: Default Domain Policy
Policy: ChangeNotifyPrivilege
Computer Setting: Users
*S-1-5-32-549
PCS-DOMAIN\Domain Users
PCS-DOMAIN\Domain Admins
Everyone
Backup Operators
Administrators
GPO: Default Domain Policy
Policy: InteractiveLogonRight
Computer Setting: Everyone
PCS-DOMAIN\Domain Users
Security Options
----------------
GPO: Default Domain Policy
Policy: RequireLogonToChangePassword
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: PasswordComplexity
Computer Setting: Enabled
GPO: Default Domain Policy
Policy: ForceLogoffWhenHourExpire
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: ClearTextPassword
Computer Setting: Not Enabled
Event Log Settings
------------------
N/A
Restricted Groups
-----------------
N/A
System Services
---------------
N/A
Registry Settings
-----------------
N/A
File System Settings
--------------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
N/A
USER SETTINGS
--------------
CN=Joe Boro,CN=Users,DC=internal,DC=pacific-crest,DC=com
Last time Group Policy was applied: 10/1/2008 at 10:03:05 AM
Group Policy was applied from: pcsspdx-mail.internal.pacific-crest.com
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
Debugger Users
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
OPERATIONS
Fortiva Supervision Reviewers
Group Policy Creator Owners
PORTLAND
Fortiva Archive Search Users
Fortiva Supervision report Users
Fortiva User Managers
Everybody
Fortiva Policy Managers
Fortiva Archive Discovery Users
ResearchBI
Rprivate
RESEARCH
BlackBerry Users
Fortiva Archive Disposition Users
Fortiva Archive Report Users
SalesBI
SalesMgmtBI
AAA PC HELP
OPERATIONS
PORTLAND
RESEARCH
Resultant Set Of Policies for User:
------------------------------------
Software Installations
----------------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
N/A
Folder Redirection
------------------
N/A
Internet Explorer Browser User Interface
----------------------------------------
GPO: Default Domain Policy
Large Animated Bitmap Name: N/A
Large Custom Logo Bitmap Name: N/A
Title BarText: Pacific Crest Securities
UserAgent Text: N/A
Delete existing toolbar buttons: No
Internet Explorer Connection
----------------------------
HTTP Proxy Server: N/A
Secure Proxy Server: N/A
FTP Proxy Server: N/A
Gopher Proxy Server: N/A
Socks Proxy Server: N/A
Auto Config Enable: No
Enable Proxy: No
Use same Proxy: No
Internet Explorer URLs
----------------------
GPO: Default Domain Policy
Home page URL: N/A
Search page URL: N/A
Online support page URL: N/A
Internet Explorer Security
--------------------------
Always Viewable Sites: N/A
Password Override Enabled: False
GPO: Default Domain Policy
Import the current Content Ratings Settings: No
Import the current Security Zones Settings: No
Import current Authenticode Security Information: No
Enable trusted publisher lockdown: No
Internet Explorer Programs
--------------------------
GPO: Default Domain Policy
Import the current Program Settings: No
Computer Setting: Failure
GPO: Default Domain Policy
Policy: AuditAccountManage
Computer Setting: Failure
GPO: Default Domain Policy
Policy: AuditLogonEvents
Computer Setting: Failure
User Rights
-----------
GPO: Default Domain Policy
Policy: TcbPrivilege
Computer Setting: PCS-DOMAIN\Domain Users
PCS-DOMAIN\Domain Admins
GPO: Default Domain Policy
Policy: ChangeNotifyPrivilege
Computer Setting: Users
*S-1-5-32-549
PCS-DOMAIN\Domain Users
PCS-DOMAIN\Domain Admins
Everyone
Backup Operators
Administrators
GPO: Default Domain Policy
Policy: InteractiveLogonRight
Computer Setting: Everyone
PCS-DOMAIN\Domain Users
Security Options
----------------
GPO: Default Domain Policy
Policy: RequireLogonToChangePasswo
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: PasswordComplexity
Computer Setting: Enabled
GPO: Default Domain Policy
Policy: ForceLogoffWhenHourExpire
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: ClearTextPassword
Computer Setting: Not Enabled
Event Log Settings
------------------
N/A
Restricted Groups
-----------------
N/A
System Services
---------------
N/A
Registry Settings
-----------------
N/A
File System Settings
--------------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
N/A
USER SETTINGS
--------------
CN=Joe Boro,CN=Users,DC=internal,
Last time Group Policy was applied: 10/1/2008 at 10:03:05 AM
Group Policy was applied from: pcsspdx-mail.internal.paci
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
--------------------------
Default Domain Policy
The following GPOs were not applied because they were filtered out
--------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups:
--------------------------
Domain Users
Everyone
Debugger Users
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
OPERATIONS
Fortiva Supervision Reviewers
Group Policy Creator Owners
PORTLAND
Fortiva Archive Search Users
Fortiva Supervision report Users
Fortiva User Managers
Everybody
Fortiva Policy Managers
Fortiva Archive Discovery Users
ResearchBI
Rprivate
RESEARCH
BlackBerry Users
Fortiva Archive Disposition Users
Fortiva Archive Report Users
SalesBI
SalesMgmtBI
AAA PC HELP
OPERATIONS
PORTLAND
RESEARCH
Resultant Set Of Policies for User:
--------------------------
Software Installations
----------------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
N/A
Folder Redirection
------------------
N/A
Internet Explorer Browser User Interface
--------------------------
GPO: Default Domain Policy
Large Animated Bitmap Name: N/A
Large Custom Logo Bitmap Name: N/A
Title BarText: Pacific Crest Securities
UserAgent Text: N/A
Delete existing toolbar buttons: No
Internet Explorer Connection
--------------------------
HTTP Proxy Server: N/A
Secure Proxy Server: N/A
FTP Proxy Server: N/A
Gopher Proxy Server: N/A
Socks Proxy Server: N/A
Auto Config Enable: No
Enable Proxy: No
Use same Proxy: No
Internet Explorer URLs
----------------------
GPO: Default Domain Policy
Home page URL: N/A
Search page URL: N/A
Online support page URL: N/A
Internet Explorer Security
--------------------------
Always Viewable Sites: N/A
Password Override Enabled: False
GPO: Default Domain Policy
Import the current Content Ratings Settings: No
Import the current Security Zones Settings: No
Import current Authenticode Security Information: No
Enable trusted publisher lockdown: No
Internet Explorer Programs
--------------------------
GPO: Default Domain Policy
Import the current Program Settings: No
Ok good, so security is not the problem.
Now we have a GP that is set to take action but fails to do so, and security is not involved. Out of curiosity, will the password rules take effect doing the following?
1. Change users password on DC
2. Login to client attempt to change password.
You have minimum password age set to 90 days so it shouldn't let you change the password again. We're setting it on the DC so we can see if the DC is even forcing application locally for the password rules. If you've already tried that let us know the results.
What happens if you set your account to require a password change at next logon? After logging in, does it require a new password that meets the complexity requirements?
ASKER
GPRESULT -Z
Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 10/1/2008 at 10:52:32 AM
RSOP results for PCS-DOMAIN\jboro on PDX85G4G61 : Logging Mode
--------------------------
OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: PCS-DOMAIN
Domain Type: Windows 2000
Site Name: PDX
Roaming Profile:
Local Profile: C:\Documents and Settings\jboro.PCS-DOMAIN
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=PDX85G4G61,CN=Computers
Last time Group Policy was applied: 10/1/2008 at 10:01:19 AM
Group Policy was applied from: pcsspdx-mail.internal.paci
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
--------------------------
Default Domain Policy
The following GPOs were not applied because they were filtered out
--------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups:
--------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
PDX85G4G61$
Domain Computers
Resultant Set Of Policies for Computer:
--------------------------
Software Installations
----------------------
N/A
Startup Scripts
---------------
N/A
Shutdown Scripts
----------------
N/A
Account Policies
----------------
GPO: Default Domain Policy
Policy: MinimumPasswordAge
Computer Setting: 90
GPO: Default Domain Policy
Policy: PasswordHistorySize
Computer Setting: 1
GPO: Default Domain Policy
Policy: LockoutDuration
Computer Setting: 15
GPO: Default Domain Policy
Policy: ResetLockoutCount
Computer Setting: 10
GPO: Default Domain Policy
Policy: MinimumPasswordLength
Computer Setting: 6
GPO: Default Domain Policy
Policy: LockoutBadCount
Computer Setting: 3
GPO: Default Domain Policy
Policy: MaximumPasswordAge
Computer Setting: 180
Audit Policy
------------
GPO: Default Domain Policy
Policy: AuditAccountLogon
Computer Setting: Failure
GPO: Default Domain Policy
Policy: AuditAccountManage
Computer Setting: Failure
GPO: Default Domain Policy
Policy: AuditLogonEvents
Computer Setting: Failure
User Rights
-----------
GPO: Default Domain Policy
Policy: TcbPrivilege
Computer Setting: PCS-DOMAIN\Domain Users
PCS-DOMAIN\Domain Admins
GPO: Default Domain Policy
Policy: ChangeNotifyPrivilege
Computer Setting: Users
*S-1-5-32-549
PCS-DOMAIN\Domain Users
PCS-DOMAIN\Domain Admins
Everyone
Backup Operators
Administrators
GPO: Default Domain Policy
Policy: InteractiveLogonRight
Computer Setting: Everyone
PCS-DOMAIN\Domain Users
Security Options
----------------
GPO: Default Domain Policy
Policy: RequireLogonToChangePasswo
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: PasswordComplexity
Computer Setting: Enabled
GPO: Default Domain Policy
Policy: ForceLogoffWhenHourExpire
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: ClearTextPassword
Computer Setting: Not Enabled
Event Log Settings
------------------
N/A
Restricted Groups
-----------------
N/A
System Services
---------------
N/A
Registry Settings
-----------------
N/A
File System Settings
--------------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
N/A
USER SETTINGS
--------------
CN=Joe Boro,CN=Users,DC=internal,
Last time Group Policy was applied: 10/1/2008 at 10:03:05 AM
Group Policy was applied from: pcsspdx-mail.internal.paci
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
--------------------------
Default Domain Policy
The following GPOs were not applied because they were filtered out
--------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups:
--------------------------
Domain Users
Everyone
Debugger Users
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
OPERATIONS
Fortiva Supervision Reviewers
Group Policy Creator Owners
PORTLAND
Fortiva Archive Search Users
Fortiva Supervision report Users
Fortiva User Managers
Everybody
Fortiva Policy Managers
Fortiva Archive Discovery Users
ResearchBI
Rprivate
RESEARCH
BlackBerry Users
Fortiva Archive Disposition Users
Fortiva Archive Report Users
SalesBI
SalesMgmtBI
AAA PC HELP
OPERATIONS
PORTLAND
RESEARCH
Resultant Set Of Policies for User:
--------------------------
Software Installations
----------------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
N/A
Folder Redirection
------------------
N/A
Internet Explorer Browser User Interface
--------------------------
GPO: Default Domain Policy
Large Animated Bitmap Name: N/A
Large Custom Logo Bitmap Name: N/A
Title BarText: Pacific Crest Securities
UserAgent Text: N/A
Delete existing toolbar buttons: No
Internet Explorer Connection
--------------------------
HTTP Proxy Server: N/A
Secure Proxy Server: N/A
FTP Proxy Server: N/A
Gopher Proxy Server: N/A
Socks Proxy Server: N/A
Auto Config Enable: No
Enable Proxy: No
Use same Proxy: No
Internet Explorer URLs
----------------------
GPO: Default Domain Policy
Home page URL: N/A
Search page URL: N/A
Online support page URL: N/A
Internet Explorer Security
--------------------------
Always Viewable Sites: N/A
Password Override Enabled: False
GPO: Default Domain Policy
Import the current Content Ratings Settings: No
Import the current Security Zones Settings: No
Import current Authenticode Security Information: No
Enable trusted publisher lockdown: No
Internet Explorer Programs
--------------------------
GPO: Default Domain Policy
Import the current Program Settings: No
I apologise because I didn't read thoroughly all previously posted comments, but from what I understand, you are posting gpresult output from client computers? It does not matter which settings apply to clients; you should run gpresult on a domain controller. This is where passwords are stored and changed. If your password policy does not apply to all domain controllers, you might have inconsistencies or a password policy which does not apply at all.
Can you post gpresult from any DC?
I'm sorry, did I say client? toniur is correct, DC... sorry, two different threads going. Also have a look at KB259576. I assume that the Default Domain Policy is linked at the domain level and hasn't been moved somewhere else? This may cause DCs to ignore it.
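Both replies above make the same point: the password and lockout policy is enforced by the domain controllers, so the useful check is what the DC is actually enforcing, not what a workstation's gpresult lists as applied. The script below is an added example written for this thread (it is not code from any poster or from Microsoft). It parses the output of `net accounts /domain`, which reports the account policy the PDC currently enforces, and compares it with the Account Policies values the asker's gpresult shows for the Default Domain Policy (90 / 180 / 6 / 1 / 3 / 15 / 10). The `net accounts` field labels are assumed to match the tool's English output layout, and the two sample outputs are constructed: one for a DC still on the built-in defaults (which would explain the "must be 0 characters ... at least 0 days old" dialog), one for a DC where the GPO has taken effect.

```python
"""Compare the account policy a DC actually enforces (`net accounts /domain`)
with the values a GPO claims to set (as listed by gpresult)."""
import re
import subprocess
import sys

# Account Policies values from the asker's gpresult for the Default Domain Policy.
GPO_ACCOUNT_POLICY = {
    "MinimumPasswordAge": 90,
    "MaximumPasswordAge": 180,
    "MinimumPasswordLength": 6,
    "PasswordHistorySize": 1,
    "LockoutBadCount": 3,
    "LockoutDuration": 15,
    "ResetLockoutCount": 10,
}

# gpresult policy name -> label printed by `net accounts` (assumed English layout).
NET_ACCOUNTS_LABELS = {
    "MinimumPasswordAge": "Minimum password age (days)",
    "MaximumPasswordAge": "Maximum password age (days)",
    "MinimumPasswordLength": "Minimum password length",
    "PasswordHistorySize": "Length of password history maintained",
    "LockoutBadCount": "Lockout threshold",
    "LockoutDuration": "Lockout duration (minutes)",
    "ResetLockoutCount": "Lockout observation window (minutes)",
}

# `net accounts` prints words rather than numbers for "off" / "no limit".
WORD_VALUES = {"never": 0, "none": 0, "unlimited": None}

# Constructed sample: a DC still enforcing the built-in defaults.
SAMPLE_DEFAULTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""

# Constructed sample: the same DC after the GPO above has taken effect.
SAMPLE_APPLIED = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          90
Maximum password age (days):                          180
Minimum password length:                              6
Length of password history maintained:                1
Lockout threshold:                                    3
Lockout duration (minutes):                           15
Lockout observation window (minutes):                 10
Computer role:                                        PRIMARY
The command completed successfully.
"""

# "label:   value" lines; the closing sentence has no colon and is skipped.
LINE_RE = re.compile(r"^(?P<label>[^:]+?):\s+(?P<value>\S.*?)\s*$")


def parse_net_accounts(text: str) -> dict:
    """Turn `net accounts` output into {label: int | None | str}."""
    parsed = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        label, raw = m.group("label").strip(), m.group("value").strip()
        if raw.lower() in WORD_VALUES:
            parsed[label] = WORD_VALUES[raw.lower()]
        elif raw.isdigit():
            parsed[label] = int(raw)
        else:
            parsed[label] = raw  # e.g. "Computer role: PRIMARY"
    return parsed


def policy_gaps(net_accounts_text: str, expected: dict = GPO_ACCOUNT_POLICY) -> dict:
    """Return {policy: (gpo_value, enforced_value)} for every setting where
    what the DC enforces differs from what the GPO should have set."""
    enforced = parse_net_accounts(net_accounts_text)
    gaps = {}
    for policy, gpo_value in expected.items():
        actual = enforced.get(NET_ACCOUNTS_LABELS[policy])
        if actual != gpo_value:
            gaps[policy] = (gpo_value, actual)
    return gaps


def run_net_accounts() -> str:
    """Query the PDC's enforced account policy from any domain-joined Windows host."""
    result = subprocess.run(["net", "accounts", "/domain"],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # On Windows query the live domain; elsewhere fall back to the constructed sample.
    text = run_net_accounts() if sys.platform == "win32" else SAMPLE_DEFAULTS
    gaps = policy_gaps(text)
    if not gaps:
        print("DC enforces every value the GPO sets.")
    for policy, (want, got) in gaps.items():
        print(f"{policy}: GPO says {want}, DC enforces {got}")
```

Run it on the DC itself (or any member machine, since `/domain` asks the PDC) and compare with the gpresult output: every policy it lists is one the GPO claims but the directory is not enforcing, which is exactly the situation the asker describes.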
ASKER
OK, here is the gpresult -v from the PDC. I haven't looked at it.
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999
Created on Wednesday, October 01, 2008 at 11:38:32 AM
Operating System Information:
Operating System Type: Domain Controller
Operating System Version: 5.0.2195.Service Pack 4
Terminal Server Mode: Remote Administration
###############################################################
User Group Policy results for:
CN=Administrator,CN=Users,DC=internal,DC=pacific-crest,DC=com
Domain Name: PCS-DOMAIN
Domain Type: Windows 2000
Site Name: PDX
Roaming profile: (None)
Local profile: C:\Documents and Settings\Administrator.PCS-DOMAIN
The user is a member of the following security groups:
PCS-DOMAIN\Domain Admins
\Everyone
BUILTIN\Administrators
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
\LOCAL
PCS-DOMAIN\Group Policy Creator Owners
PCS-DOMAIN\Exchange Services
PCS-DOMAIN\Everybody
PCS-DOMAIN\IB PDX
PCS-DOMAIN\Exchange Domain Servers
PCS-DOMAIN\SMEX Admin Group
PCS-DOMAIN\TopTools
PCS-DOMAIN\Enterprise Admins
PCS-DOMAIN\Schema Admins
PCS-DOMAIN\Exchange Enterprise Servers
PCS-DOMAIN\DnsAdmins
The user has the following security privileges:
Act as part of the operating system
Generate security audits
Restore files and directories
Create a token object
Enable computer and user accounts to be trusted for delegation
Add workstations to domain
Bypass traverse checking
Manage auditing and security log
Back up files and directories
Change the system time
Shut down the system
Force shutdown from a remote system
Take ownership of files or other objects
Debug programs
Modify firmware environment values
Profile system performance
Profile single process
Increase scheduling priority
Load and unload device drivers
Create a pagefile
Increase quotas
Remove computer from docking station
Impersonate a client after authentication
Create global objects
###############################################################
Last time Group Policy was applied: Wednesday, October 01, 2008 at 11:09:35 AM
Group Policy was applied from: pcsspdx-mail.internal.pacific-crest.com
===============================================================
The user received "Internet Explorer Branding" settings from these GPOs:
Default Domain Policy
Revision Number: 5
Unique Name: {31B2F340-016D-11D2-945F-00C04FB984F9}
Domain Name: internal.pacific-crest.com
Linked to: Domain (DC=internal,DC=pacific-crest,DC=com)
Additional information is not available for this type of policy setting.
###############################################################
Computer Group Policy results for:
CN=PCSSPDX-MAIL,OU=Domain Controllers,DC=internal,DC=pacific-crest,DC=com
Domain Name: PCS-DOMAIN
Domain Type: Windows 2000
Site Name: PDX
The computer is a member of the following security groups:
BUILTIN\Administrators
\Everyone
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
PCS-DOMAIN\PCSSPDX-MAIL$
PCS-DOMAIN\Exchange Domain Servers
PCS-DOMAIN\Domain Controllers
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
PCS-DOMAIN\Exchange Enterprise Servers
###############################################################
Last time Group Policy was applied: Wednesday, October 01, 2008 at 11:37:38 AM
Group Policy was applied from: pcsspdx-mail.internal.pacific-crest.com
===============================================================
The computer received "Registry" settings from these GPOs:
Local Group Policy
Revision Number: 6
Unique Name: Local Group Policy
Domain Name:
Linked to: Local computer
The following settings were applied from: Local Group Policy
KeyName: Software\Policies\Microsoft\SystemCertificates\EFS
ValueName: EFSBlob
ValueType: REG_BINARY
Value: Binary data. Use the /S switch to display.
KeyName: Software\Policies\Microsoft\SystemCertificates\EFS\Certificates\385F0FCAC098E47E47731FDD87D8AF8B3F8B18D3
ValueName: Blob
ValueType: REG_BINARY
Value: Binary data. Use the /S switch to display.
KeyName: Software\Policies\Microsoft\SystemCertificates\EFS\CRLs
ValueName:
ValueType: REG_NONE
Value: This key contains no values
KeyName: Software\Policies\Microsoft\SystemCertificates\EFS\CTLs
ValueName:
ValueType: REG_NONE
Value: This key contains no values
===============================================================
The computer received "Security" settings from these GPOs:
Local Group Policy
Revision Number: 6
Unique Name: Local Group Policy
Domain Name:
Linked to: Local computer
Default Domain Controllers Policy
Revision Number: 139
Unique Name: {6AC1786C-016F-11D2-945F-00C04fB984F9}
Domain Name: INTERNAL.PACIFIC-CREST.COM
Linked to: Organizational Unit (OU=Domain Controllers,DC=internal,DC=pacific-crest,DC=com)
Run the Security Configuration Editor for more information.
===============================================================
The computer received "EFS recovery" settings from these GPOs:
Local Group Policy
Revision Number: 6
Unique Name: Local Group Policy
Domain Name:
Linked to: Local computer
Additional information is not available for this type of policy setting.
ASKER
gpresult -z from the PDC
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999
Created on Wednesday, October 01, 2008 at 11:40:19 AM
Operating System Information:
Operating System Type: Domain Controller
Operating System Version: 5.0.2195.Service Pack 4
Terminal Server Mode: Remote Administration
###############################################################
User Group Policy results for:
CN=Administrator,CN=Users,DC=internal,DC=pacific-crest,DC=com
Domain Name: PCS-DOMAIN
Domain Type: Windows 2000
Site Name: PDX
Roaming profile: (None)
Local profile: C:\Documents and Settings\Administrator.PCS-DOMAIN
The user is a member of the following security groups:
PCS-DOMAIN\Domain Admins
\Everyone
BUILTIN\Administrators
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
\LOCAL
PCS-DOMAIN\Group Policy Creator Owners
PCS-DOMAIN\Exchange Services
PCS-DOMAIN\Everybody
PCS-DOMAIN\IB PDX
PCS-DOMAIN\Exchange Domain Servers
PCS-DOMAIN\SMEX Admin Group
PCS-DOMAIN\TopTools
PCS-DOMAIN\Enterprise Admins
PCS-DOMAIN\Schema Admins
PCS-DOMAIN\Exchange Enterprise Servers
PCS-DOMAIN\DnsAdmins
###############################################################
Last time Group Policy was applied: Wednesday, October 01, 2008 at 11:09:35 AM
Group Policy was applied from: pcsspdx-mail.internal.pacific-crest.com
===============================================================
The user received "Internet Explorer Branding" settings from these GPOs:
Default Domain Policy
###############################################################
Computer Group Policy results for:
CN=PCSSPDX-MAIL,OU=Domain Controllers,DC=internal,DC=pacific-crest,DC=com
Domain Name: PCS-DOMAIN
Domain Type: Windows 2000
Site Name: PDX
The computer is a member of the following security groups:
BUILTIN\Administrators
\Everyone
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
PCS-DOMAIN\PCSSPDX-MAIL$
PCS-DOMAIN\Exchange Domain Servers
PCS-DOMAIN\Domain Controllers
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
PCS-DOMAIN\Exchange Enterprise Servers
###############################################################
Last time Group Policy was applied: Wednesday, October 01, 2008 at 11:37:38 AM
Group Policy was applied from: pcsspdx-mail.internal.pacific-crest.com
===============================================================
The computer received "Registry" settings from these GPOs:
Local Group Policy
===============================================================
The computer received "Security" settings from these GPOs:
Local Group Policy
Default Domain Controllers Policy
===============================================================
The computer received "EFS recovery" settings from these GPOs:
Local Group Policy
horsewhite, this is Win2k, so run it with gpresult -v and see if the output looks different.
ASKER
The 11:41AM posting is -v. Yes, it is a mixed 2000/2003 domain.
I read KB259576: "The following settings are applied to domain controllers in Windows 2000 only when the group policy is linked to the Domain container: All settings in Computer Configuration/Windows Settings/Security Settings/Account Policies (This includes all of the Account Lockout, Password, and Kerberos policies.)". The account policies above are the only changes I made and am aware of. So if I understand this, no linking is required. I made the changes in AD Users & Computers -> properties -> Group Policy (Block Policy inheritance is NOT checked) -> Default Domain Policy -> edit -> Windows Settings -> Security Settings -> Account Policy -> Password Policy & Account Lockout Policy. No linking required, correct?
ASKER
upping the points...
The last 2 gpresult postings were from the PDC.
Correct.
Can you set your user account to require a password change at next logon? Log out and back in and attempt to reuse the same password. Does it let you?
ASKER
"Can you set your user account to require a password change at next logon? Log out and back in and attempt to reuse the same password. Does it let you?"
Hmmm. I tried this earlier and it took 2 reboots for the dialog to come up to change the password. I didn't try just a logout.
I just now tried it again, and after the first reboot, like before, no change password notice. On the second try I got the dialog "Your password must be 0 characters, cannot repeat any of your previous 1 passwords and must be at least 0 days old". So it seems some of it has been enabled. BUT I could use "aaa" as my new password, and once in I could change it back to my old password.
ASKER
It appears my last posting didn't make it through...
Yes, I tried this earlier today and it took 2 reboots (I didn't try just logging out, did a full reboot), and after the second reboot it made me change the password. I could change it to something that would have violated the new password rules. Once logged in I was able to change the password back again.
I tried this again after seeing your posting. I set my account to require a password change at next login. First reboot nothing; I logged in with my password, no warning or change required. After the second reboot I got the must-change-password dialog. I attempted to change it to a password shorter than required by the policy and got "Your password must be 0 characters, cannot repeat any of your previous 1 passwords and must be at least 0 days old". Once logged in, no policy applied... e.g. I changed my password within the 90 days and below the complexity requirement.
From all I can see these policies should apply, and from the last login it appears AD is "trying". Like I said earlier, these changes were made over 12 hours ago, well past the 90 minute default. I did a gpupdate last night. I shouldn't have to reboot the DC, but I may try that next since it seems to fix and apply 95% of all other changes in Windows. I would really rather hear that I missed some small part of this, as I would really like to start using GPOs to manage an otherwise unmanageable Windows domain.
Horsewhite,
You're on the right track; GPOs are handy tools for managing your domain. There were quite a few issues with GPs on 2000 DCs (mainly since they were the same ADM files from 95...) but anyhow they should still be applying. It now looks more like a possible issue with AD itself and not the policy settings at all. I know some of this may be redundant or seem unimportant but it's the same steps that MS would have you pay $135 for, and at least we speak English...
Let's do the following to make sure the GP templates are healthy.
1. Open GPMC and highlight "Default Domain Policy"
2. Go to the "Details" tab and make sure the "User Version" matches in both locations (AD & SYSVOL)
3. Make sure that the "Computer Version" matches in both locations (AD & SYSVOL)
The versions may not match each other (User vs Computer) since each module is updated and tracked separately.
4. Back on the "Scope" tab who is listed in Security Filtering?
5. Under "Links" what location is listed? Is it Enforced? Path?
Another helpful tool when troubleshooting GP or AD issues in general is Microsoft MPSreports. Let's go ahead and run these as well and post the zip file. Make sure and download the copy for Directory Services...
http://www.microsoft.com/downloads/details.aspx?familyid=cebf3c7c-7ca5-408f-88b7-f9c79b7306c0&displaylang=en
ASKER
All match
User version: 5 (AD), 5 (sysvol)
Computer version: 5 (AD), 5 (sysvol)
Authenticated Users
Domain Admins
Enterprise Admins
5. Under "Links" what location is listed? Is it Enforced? Path?
I'm not sure how to check if it is enforced and what the path is but under Links in the Display links in the location: our domain is listed.
I'm going through the MS reporting stuff now.
ASKER
Duh! I was looking right at it! Sorry busy morning...
As I said, display links in this location has our domain listed: internal.pacific-crest.com.
Under "The following site, domains, and OUs are linked to this GPO:"
Location                     Enforced   Link Enabled   Path
internal.pacific-crest.com   No         Yes            internal.pacific-crest.com
Terminal Servers             No         Yes            internal.pacific-crest.com
Do I need to enforce it?
Under Details GPO status is enabled.
Yes. Enforcing a policy such as the default domain policy is a good idea. See http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsec_pol_dyzr.mspx?mfr=true and the note about limiting use. For this case I would say let's Enforce it.
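The checklist above (AD vs SYSVOL versions, security filtering, the domain-root link and its Enforced flag) and the password policy the DC actually enforces, as an added PowerShell example that is not from this thread; it assumes the GroupPolicy and ActiveDirectory RSAT modules on a domain-joined admin session, and the GPO name and domain are read from the environment rather than hard-coded.

```powershell
# Added example, not from the thread: health check for the Default Domain Policy.
# Assumes RSAT GroupPolicy + ActiveDirectory modules and rights to read GPOs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName  = 'Default Domain Policy'
$domainDn = (Get-ADDomain).DistinguishedName

# Steps 2-3: AD and SYSVOL version numbers must agree for each half of the GPO;
# a mismatch usually means SYSVOL replication has not delivered the template yet.
$gpo = Get-GPO -Name $gpoName
"User version:     {0} (AD), {1} (SYSVOL)" -f $gpo.User.DSVersion, $gpo.User.SysvolVersion
"Computer version: {0} (AD), {1} (SYSVOL)" -f $gpo.Computer.DSVersion, $gpo.Computer.SysvolVersion
"GPO status:       {0}" -f $gpo.GpoStatus
if ($gpo.User.DSVersion     -ne $gpo.User.SysvolVersion -or
    $gpo.Computer.DSVersion -ne $gpo.Computer.SysvolVersion) {
    Write-Warning "AD/SYSVOL version mismatch for '$gpoName': check SYSVOL replication"
}

# Step 4: security filtering. Only trustees holding GpoApply receive the policy;
# Domain Admins / Enterprise Admins normally have edit rights, not apply rights.
$applyTo = Get-GPPermission -Name $gpoName -All |
           Where-Object { $_.Permission -eq 'GpoApply' } |
           ForEach-Object { $_.Trustee.Name }
"Security filtering (GpoApply): {0}" -f ($applyTo -join ', ')

# Step 5: links on the domain root, in precedence order. Account policies only
# take effect from a domain-root link, and a higher-precedence GPO linked here
# can silently override them unless this one is Enforced.
$rootLinks = (Get-GPInheritance -Target $domainDn).GpoLinks
"Links on ${domainDn}:"
$rootLinks | Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize
$ddp = $rootLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $ddp) {
    Write-Warning "'$gpoName' is not linked to the domain root; account policies will not apply"
} elseif (-not $ddp.Enforced -and $rootLinks.Count -gt 1) {
    Write-Warning "'$gpoName' is not Enforced and shares the root with other GPOs; check precedence"
}

# Ground truth: the effective policy lives on the domain object, written by the
# DC after it processes the domain-linked GPO. Compare this with the GPO settings.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MinPasswordAge, MaxPasswordAge, LockoutThreshold,
                  LockoutDuration, LockoutObservationWindow
```

If the last block disagrees with what the GPO says, the policy is linked or filtered wrong, or has not replicated; if they agree but users still set weak passwords, check for a password filter or fine-grained password policy overriding the domain defaults.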
ASKER
Enforcing did it. I overlooked that in the mix. I feel dumb but glad it is up and working. In addition to more research on AD & GP, what more do I need to do to ensure things are running smoothly?
ASKER CERTIFIED SOLUTION
ASKER
Thanks for the help.
No problems. Iscapa knows his stuff.
Lol thanks, I got some inside information while I was employed in Directory Services at MS...
Hey Horsewhite, go ahead and close this one, be sure and give Iscapa the "A" grade!
ASKER
Hmmm it tells me that this Q has already been closed. I closed last week but I can see that it appears to still be open.
Okay, well now it shows an accepted solution. Oh well!
After you changed the policy, did you refresh the group policies (gpupdate from the command line)? It can take 15 minutes for the policy to take effect sometimes.
Also, I am not certain, but I think if you change the policy on passwords, and users do not meet the new policies, that it will not force them to change their passwords. When they go to change the password, it should enforce the new policies though.