Solved

Account GPO Applied but not Working

Posted on 2008-10-01
37
1,919 Views
Last Modified: 2013-12-05
Hi,
I think this is an easy one, I hope anyway. I have set the following account policies in our Default Domain Policy. I expected nearly all of our users to be prompted to change their password (many have had the same simple password for years) but nada. I tried changing my own password to one that would not meet the complexity rule and could... Basicly none of the below has been enabled. What I'm I doing wrong?  What do I not understand?

Thanks.

********** Snipped from gpresult ****************************

 Resultant Set Of Policies for Computer:
    ----------------------------------------

        Software Installations
        ----------------------
            N/A

 
        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            MinimumPasswordAge
                Computer Setting:  90

            GPO: Default Domain Policy
                Policy:            PasswordHistorySize
                Computer Setting:  1

            GPO: Default Domain Policy
                Policy:            LockoutDuration
                Computer Setting:  15

            GPO: Default Domain Policy
                Policy:            ResetLockoutCount
                Computer Setting:  10

            GPO: Default Domain Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  6

            GPO: Default Domain Policy
                Policy:            LockoutBadCount
                Computer Setting:  3

            GPO: Default Domain Policy
                Policy:            MaximumPasswordAge
                Computer Setting:  180

        Security Options
        ----------------
            GPO: Default Domain Policy
                Policy:            RequireLogonToChangePassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            PasswordComplexity
                Computer Setting:  Enabled
**************************************
0
Comment
Question by:horsewhite
  • 17
  • 12
  • 6
  • +2
37 Comments
 
LVL 8

Expert Comment

by:sstone55423
Comment Utility
Better would be for password complexity disabled, and minimum password length at 10.  But, that doesn't address the issue that you are having.
 
After you changed the policy, did you refresh the group  policies?  (gpupdate from the command line) as it can take 15 minutes for the policy to take affect sometimes.
Also, I am not certain, but I think if you change the policy on passwords, and users do not meet the new policies, that it will not force them to change their passwords.  When they go to change the password, it should enforce the new policies though.
0
 
LVL 8

Expert Comment

by:sstone55423
Comment Utility
To force password change after changing policy, here is a link to a script that can help you do that.
http://www.computerperformance.co.uk/vbscript/vbscript_pwdlastset.htm
0
 
LVL 4

Expert Comment

by:Dimarc67
Comment Utility
Horsewhite--

Some quick questions for you.  Apologies if any of these strike you as obvious or obtuse.
--Are you logging in with a domain account, or a local computer account?
The GPO will only apply to domain accounts.

--Have tried rebooting the client computer twice?
Some policies will not be fully applied until a domain client computer has been rebooted twice--once to receive the new policy, and the second time to apply it.  However, this is really for computer policies, not user policies like your password restrictions.

Ultimately, you can use the Group Policy Management Console ("GPMC") to determine if the policy is being applied to each your users' accounts when logging into their computers.  If the GPMC isn't in Administrative tools on your server, you can download it from Microsoft at:
http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

Install the GPMC, and open it.  Then on the left, right-click on Group Policy Results and select "Group Policy Results Wizard".  Use the wizard to select one of your domain computers, and then select one of the domain accounts found on that computer.  The results Summary will appear on the right, and allow you to check the "Component Status" of the user policies that have been applied, or failed to be applied.

Hope this helps.

Dimarc67
New York, NY
0
 

Author Comment

by:horsewhite
Comment Utility
I agree on the complexity .vs. 6 min length but it isn't up to me.

Yes, I refreshed via gpupdate. The gpresult shows they have been applied, I made the changes nearly 12 hours ago.

I tried changing my password from one that meets the complexity to one that didn't. It let me, it also let me change the password 3 or 4 times in a few minutes.
0
 
LVL 4

Expert Comment

by:lscapa
Comment Utility
can you post the following from a client?
gpresult /v > gp.txt & gp.txt
It will post to notepad and open it.
then run gpresult /z gp1.txt & gp1.txt
Lets see what's going on with the policy engine on the client.
0
 
LVL 4

Expert Comment

by:lscapa
Comment Utility
Also do you have "Block Policy Inheritence" enabled anywhere in your domain?
0
 
LVL 8

Expert Comment

by:sstone55423
Comment Utility
A six character password can be broken by brute force in a couple of hours no matter how complex the password is.  A 10 character password will take years for a brute force attack to succeed.    256^6 is roughly 281 trillion possibilities;  256^10 is roughly 1,208,925,819,614 Trillion possibilities.  A ten character password using only upper and lower case and numbers -- 62^10th is About 3000 times more complex than a six character complex password.
0
 

Author Comment

by:horsewhite
Comment Utility
dimarc67

NP I don't mind making sure the obvious is taken care of. One thing I didn't point out is that I'm in the domain admin group.

Yes, using a domain account. Rebooted twice.

I used GPMC to see what is being applied and it is identical (as best I can see) to what comes from the gpresults that I posted. Doesn't the gpresult above show it has been applied?

I have looked at a few PCs and they have the same results.

GPMC Results less gui

Account Policies/Password Policy
Policy Setting Winning GPO
Enforce password history 1 passwords remembered Default Domain Policy
Maximum password age 180 days Default Domain Policy
Minimum password age 90 days Default Domain Policy
Minimum password length 6 characters Default Domain Policy
Password must meet complexity requirements Enabled Default Domain Policy
Store passwords using reversible encryption Disabled Default Domain Policy

Account Policies/Account Lockout Policyhide
Policy Setting Winning GPO
Account lockout duration 15 minutes Default Domain Policy
Account lockout threshold 3 invalid logon attempts Default Domain Policy
Reset account lockout counter after 10 minutes Default Domain Policy

If I look at the events I show that for this PC "Security policy in the Group policy objects has been applied successfully."

I also see in the Policy events an error for this same PC
"Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration."

But I don't see it for other PCs I have tried.
0
 

Author Comment

by:horsewhite
Comment Utility
iscapa

I don't think so, but I'll look again. Here is the full gpresult -v


Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 10/1/2008 at 8:57:54 AM



RSOP results for xxxxxxxxxxxxxxxxx on PDX85G4G61 : Logging Mode
---------------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 PCS-DOMAIN
Domain Type:                 Windows 2000
Site Name:                   PDX
Roaming Profile:            
Local Profile:               C:\Documents and Settings\xxxxxx.PCS-DOMAIN
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=PDX85G4G61,CN=Computers,DC=internal,DC=pacific-crest,DC=com
    Last time Group Policy was applied: 10/1/2008 at 7:57:13 AM
    Group Policy was applied from:      pcsspdx-mail.internal.pacific-crest.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        PDX85G4G61$
        Domain Computers
       
    Resultant Set Of Policies for Computer:
    ----------------------------------------

        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            N/A

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            MinimumPasswordAge
                Computer Setting:  90

            GPO: Default Domain Policy
                Policy:            PasswordHistorySize
                Computer Setting:  1

            GPO: Default Domain Policy
                Policy:            LockoutDuration
                Computer Setting:  15

            GPO: Default Domain Policy
                Policy:            ResetLockoutCount
                Computer Setting:  10

            GPO: Default Domain Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  6

            GPO: Default Domain Policy
                Policy:            LockoutBadCount
                Computer Setting:  3

            GPO: Default Domain Policy
                Policy:            MaximumPasswordAge
                Computer Setting:  180

        Audit Policy
        ------------
            GPO: Default Domain Policy
                Policy:            AuditAccountLogon
                Computer Setting:  Failure

            GPO: Default Domain Policy
                Policy:            AuditAccountManage
                Computer Setting:  Failure

            GPO: Default Domain Policy
                Policy:            AuditLogonEvents
                Computer Setting:  Failure

        User Rights
        -----------
            GPO: Default Domain Policy
                Policy:            TcbPrivilege
                Computer Setting:  PCS-DOMAIN\Domain Users
                                   PCS-DOMAIN\Domain Admins
                                   
            GPO: Default Domain Policy
                Policy:            ChangeNotifyPrivilege
                Computer Setting:  Users
                                   *S-1-5-32-549
                                   PCS-DOMAIN\Domain Users
                                   PCS-DOMAIN\Domain Admins
                                   Everyone
                                   Backup Operators
                                   Administrators
                                   
            GPO: Default Domain Policy
                Policy:            InteractiveLogonRight
                Computer Setting:  Everyone
                                   PCS-DOMAIN\Domain Users
                                   
        Security Options
        ----------------
            GPO: Default Domain Policy
                Policy:            RequireLogonToChangePassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            PasswordComplexity
                Computer Setting:  Enabled

            GPO: Default Domain Policy
                Policy:            ForceLogoffWhenHourExpire
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ClearTextPassword
                Computer Setting:  Not Enabled

        Event Log Settings
        ------------------
            N/A

        Restricted Groups
        -----------------
            N/A

        System Services
        ---------------
            N/A

        Registry Settings
        -----------------
            N/A

        File System Settings
        --------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A


USER SETTINGS
--------------
    CN=Joe Boro,CN=Users,DC=internal,DC=pacific-crest,DC=com
    Last time Group Policy was applied: 10/1/2008 at 7:06:41 AM
    Group Policy was applied from:      pcsspdx-mail.internal.pacific-crest.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        Debugger Users
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
        OPERATIONS
        Fortiva Supervision Reviewers
        Group Policy Creator Owners
        PORTLAND
        Fortiva Archive Search Users
        Fortiva Supervision report Users
        Fortiva User Managers
        Everybody
        Fortiva Policy Managers
        Fortiva Archive Discovery Users
        ResearchBI
        Rprivate
        RESEARCH
        BlackBerry Users
        Fortiva Archive Disposition Users
        Fortiva Archive Report Users
        SalesBI
        SalesMgmtBI
        AAA PC HELP
        OPERATIONS
        PORTLAND
        RESEARCH
       
    Resultant Set Of Policies for User:
    ------------------------------------

        Software Installations
        ----------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            GPO: Default Domain Policy
                Large Animated Bitmap Name:      N/A
                Large Custom Logo Bitmap Name:   N/A
                Title BarText:                   Pacific Crest Securities
                UserAgent Text:                  N/A
                Delete existing toolbar buttons: No

        Internet Explorer Connection
        ----------------------------
            HTTP Proxy Server:   N/A
            Secure Proxy Server: N/A
            FTP Proxy Server:    N/A
            Gopher Proxy Server: N/A
            Socks Proxy Server:  N/A
            Auto Config Enable:  No
            Enable Proxy:        No
            Use same Proxy:      No

        Internet Explorer URLs
        ----------------------
            GPO: Default Domain Policy
                Home page URL:           N/A
                Search page URL:         N/A
                Online support page URL: N/A

        Internet Explorer Security
        --------------------------
            Always Viewable Sites:     N/A
            Password Override Enabled: False

            GPO: Default Domain Policy
                Import the current Content Ratings Settings:      No
                Import the current Security Zones Settings:       No
                Import current Authenticode Security Information: No
                Enable trusted publisher lockdown:                No

        Internet Explorer Programs
        --------------------------
            GPO: Default Domain Policy
                Import the current Program Settings: No
0
 
LVL 4

Expert Comment

by:lscapa
Comment Utility
Horsewhite,
 
You need to post the gpresults because it also shows security issues that may be keeping the policy from applying. You already have the correct settings for enabling what you are after. We now need to look at WHY its not applying. 9/10 this is a security issue with the Group Policy Object or NTFS settings on the folder that is in sysvol. Either way we need to see the WHOLE OUTPUT from gpresult...
Namely something that looks like this:

Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Wireless Network Policy
       WSUS Office
        LocalADM
        Computing Devices
        WSUS Loc
        TIME-OLDDOMAIN
        IE
        Local Group Policy
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        -RIS GPO
            Filtering:  Disabled (GPO)
        -EmersonZones
            Filtering:  Disabled (GPO)
        Disable Outlook Junk Mail Filter
            Filtering:  Disabled (GPO)
    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        USSRM-31TJ1$
        USMTN-EAPOL_Computers
        Domain Computers
        USSTL-Wireless
        USMTN-EAPAuth
        RUCHE-VLAN-Emerson
        System Mandatory Level
         
0
 

Author Comment

by:horsewhite
Comment Utility
sstone
I agree about the 20 char passwd but I have to y=take the wins where I can. Just getting them to realize that password enforcement is important is all I can ask for right now. This is a very user coddling environment. With this change I get to not be responsible for keeping track of 125 plus users passwords for domian, IM, variuos web site, etc, etc, and be in trouble if they change a password someplace as well as change the email account the password reset goes to.
0
 

Author Comment

by:horsewhite
Comment Utility
iscapa
I just posted at 10:39AM PDT that, here it is again in case I cut something out from the file. That and this  is from my PC.


Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 10/1/2008 at 10:47:30 AM



RSOP results for PCS-DOMAIN\jboro on PDX85G4G61 : Logging Mode
---------------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 PCS-DOMAIN
Domain Type:                 Windows 2000
Site Name:                   PDX
Roaming Profile:            
Local Profile:               C:\Documents and Settings\jboro.PCS-DOMAIN
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=PDX85G4G61,CN=Computers,DC=internal,DC=pacific-crest,DC=com
    Last time Group Policy was applied: 10/1/2008 at 10:01:19 AM
    Group Policy was applied from:      pcsspdx-mail.internal.pacific-crest.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        PDX85G4G61$
        Domain Computers
       
    Resultant Set Of Policies for Computer:
    ----------------------------------------

        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            N/A

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            MinimumPasswordAge
                Computer Setting:  90

            GPO: Default Domain Policy
                Policy:            PasswordHistorySize
                Computer Setting:  1

            GPO: Default Domain Policy
                Policy:            LockoutDuration
                Computer Setting:  15

            GPO: Default Domain Policy
                Policy:            ResetLockoutCount
                Computer Setting:  10

            GPO: Default Domain Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  6

            GPO: Default Domain Policy
                Policy:            LockoutBadCount
                Computer Setting:  3

            GPO: Default Domain Policy
                Policy:            MaximumPasswordAge
                Computer Setting:  180

        Audit Policy
        ------------
            GPO: Default Domain Policy
                Policy:            AuditAccountLogon
                Computer Setting:  Failure

            GPO: Default Domain Policy
                Policy:            AuditAccountManage
                Computer Setting:  Failure

            GPO: Default Domain Policy
                Policy:            AuditLogonEvents
                Computer Setting:  Failure

        User Rights
        -----------
            GPO: Default Domain Policy
                Policy:            TcbPrivilege
                Computer Setting:  PCS-DOMAIN\Domain Users
                                   PCS-DOMAIN\Domain Admins
                                   
            GPO: Default Domain Policy
                Policy:            ChangeNotifyPrivilege
                Computer Setting:  Users
                                   *S-1-5-32-549
                                   PCS-DOMAIN\Domain Users
                                   PCS-DOMAIN\Domain Admins
                                   Everyone
                                   Backup Operators
                                   Administrators
                                   
            GPO: Default Domain Policy
                Policy:            InteractiveLogonRight
                Computer Setting:  Everyone
                                   PCS-DOMAIN\Domain Users
                                   
        Security Options
        ----------------
            GPO: Default Domain Policy
                Policy:            RequireLogonToChangePassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            PasswordComplexity
                Computer Setting:  Enabled

            GPO: Default Domain Policy
                Policy:            ForceLogoffWhenHourExpire
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ClearTextPassword
                Computer Setting:  Not Enabled

        Event Log Settings
        ------------------
            N/A

        Restricted Groups
        -----------------
            N/A

        System Services
        ---------------
            N/A

        Registry Settings
        -----------------
            N/A

        File System Settings
        --------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A


USER SETTINGS
--------------
    CN=Joe Boro,CN=Users,DC=internal,DC=pacific-crest,DC=com
    Last time Group Policy was applied: 10/1/2008 at 10:03:05 AM
    Group Policy was applied from:      pcsspdx-mail.internal.pacific-crest.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        Debugger Users
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
        OPERATIONS
        Fortiva Supervision Reviewers
        Group Policy Creator Owners
        PORTLAND
        Fortiva Archive Search Users
        Fortiva Supervision report Users
        Fortiva User Managers
        Everybody
        Fortiva Policy Managers
        Fortiva Archive Discovery Users
        ResearchBI
        Rprivate
        RESEARCH
        BlackBerry Users
        Fortiva Archive Disposition Users
        Fortiva Archive Report Users
        SalesBI
        SalesMgmtBI
        AAA PC HELP
        OPERATIONS
        PORTLAND
        RESEARCH
       
    Resultant Set Of Policies for User:
    ------------------------------------

        Software Installations
        ----------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            GPO: Default Domain Policy
                Large Animated Bitmap Name:      N/A
                Large Custom Logo Bitmap Name:   N/A
                Title BarText:                   Pacific Crest Securities
                UserAgent Text:                  N/A
                Delete existing toolbar buttons: No

        Internet Explorer Connection
        ----------------------------
            HTTP Proxy Server:   N/A
            Secure Proxy Server: N/A
            FTP Proxy Server:    N/A
            Gopher Proxy Server: N/A
            Socks Proxy Server:  N/A
            Auto Config Enable:  No
            Enable Proxy:        No
            Use same Proxy:      No

        Internet Explorer URLs
        ----------------------
            GPO: Default Domain Policy
                Home page URL:           N/A
                Search page URL:         N/A
                Online support page URL: N/A

        Internet Explorer Security
        --------------------------
            Always Viewable Sites:     N/A
            Password Override Enabled: False

            GPO: Default Domain Policy
                Import the current Content Ratings Settings:      No
                Import the current Security Zones Settings:       No
                Import current Authenticode Security Information: No
                Enable trusted publisher lockdown:                No

        Internet Explorer Programs
        --------------------------
            GPO: Default Domain Policy
                Import the current Program Settings: No
0
 
LVL 4

Expert Comment

by:lscapa
Comment Utility
Ok good so security is no the problem
Now we have a GP that is set to take action fails to do so and security is not involved. Out of couriosity, will th epassword rules take affect doing the following?
1. Change users password on DC
2. Login to client attempt to change password.
You have minimum password age set to 90 days so it shouldn't let you change the password again. We're setting it on the DC so we can see if the DC is even forcing application locally for the password rules. If you've already tried that let us know the results.
0
 
LVL 4

Expert Comment

by:lscapa
Comment Utility
What happens if you set your account to require passwsord change at next logon? After logging in does it require a new password that meets the complexity requirements?
0
 

Author Comment

by:horsewhite
Comment Utility

GPRESULT -Z

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 10/1/2008 at 10:52:32 AM



RSOP results for PCS-DOMAIN\jboro on PDX85G4G61 : Logging Mode
---------------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 PCS-DOMAIN
Domain Type:                 Windows 2000
Site Name:                   PDX
Roaming Profile:            
Local Profile:               C:\Documents and Settings\jboro.PCS-DOMAIN
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=PDX85G4G61,CN=Computers,DC=internal,DC=pacific-crest,DC=com
    Last time Group Policy was applied: 10/1/2008 at 10:01:19 AM
    Group Policy was applied from:      pcsspdx-mail.internal.pacific-crest.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        PDX85G4G61$
        Domain Computers
       
    Resultant Set Of Policies for Computer:
    ----------------------------------------

        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            N/A

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            MinimumPasswordAge
                Computer Setting:  90

            GPO: Default Domain Policy
                Policy:            PasswordHistorySize
                Computer Setting:  1

            GPO: Default Domain Policy
                Policy:            LockoutDuration
                Computer Setting:  15

            GPO: Default Domain Policy
                Policy:            ResetLockoutCount
                Computer Setting:  10

            GPO: Default Domain Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  6

            GPO: Default Domain Policy
                Policy:            LockoutBadCount
                Computer Setting:  3

            GPO: Default Domain Policy
                Policy:            MaximumPasswordAge
                Computer Setting:  180

        Audit Policy
        ------------
            GPO: Default Domain Policy
                Policy:            AuditAccountLogon
                Computer Setting:  Failure

            GPO: Default Domain Policy
                Policy:            AuditAccountManage
                Computer Setting:  Failure

            GPO: Default Domain Policy
                Policy:            AuditLogonEvents
                Computer Setting:  Failure

        User Rights
        -----------
            GPO: Default Domain Policy
                Policy:            TcbPrivilege
                Computer Setting:  PCS-DOMAIN\Domain Users
                                   PCS-DOMAIN\Domain Admins
                                   
            GPO: Default Domain Policy
                Policy:            ChangeNotifyPrivilege
                Computer Setting:  Users
                                   *S-1-5-32-549
                                   PCS-DOMAIN\Domain Users
                                   PCS-DOMAIN\Domain Admins
                                   Everyone
                                   Backup Operators
                                   Administrators
                                   
            GPO: Default Domain Policy
                Policy:            InteractiveLogonRight
                Computer Setting:  Everyone
                                   PCS-DOMAIN\Domain Users
                                   
        Security Options
        ----------------
            GPO: Default Domain Policy
                Policy:            RequireLogonToChangePassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            PasswordComplexity
                Computer Setting:  Enabled

            GPO: Default Domain Policy
                Policy:            ForceLogoffWhenHourExpire
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ClearTextPassword
                Computer Setting:  Not Enabled

        Event Log Settings
        ------------------
            N/A

        Restricted Groups
        -----------------
            N/A

        System Services
        ---------------
            N/A

        Registry Settings
        -----------------
            N/A

        File System Settings
        --------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A


USER SETTINGS
--------------
    CN=Joe Boro,CN=Users,DC=internal,DC=pacific-crest,DC=com
    Last time Group Policy was applied: 10/1/2008 at 10:03:05 AM
    Group Policy was applied from:      pcsspdx-mail.internal.pacific-crest.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        Debugger Users
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
        OPERATIONS
        Fortiva Supervision Reviewers
        Group Policy Creator Owners
        PORTLAND
        Fortiva Archive Search Users
        Fortiva Supervision report Users
        Fortiva User Managers
        Everybody
        Fortiva Policy Managers
        Fortiva Archive Discovery Users
        ResearchBI
        Rprivate
        RESEARCH
        BlackBerry Users
        Fortiva Archive Disposition Users
        Fortiva Archive Report Users
        SalesBI
        SalesMgmtBI
        AAA PC HELP
        OPERATIONS
        PORTLAND
        RESEARCH
       
    Resultant Set Of Policies for User:
    ------------------------------------

        Software Installations
        ----------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            GPO: Default Domain Policy
                Large Animated Bitmap Name:      N/A
                Large Custom Logo Bitmap Name:   N/A
                Title BarText:                   Pacific Crest Securities
                UserAgent Text:                  N/A
                Delete existing toolbar buttons: No

        Internet Explorer Connection
        ----------------------------
            HTTP Proxy Server:   N/A
            Secure Proxy Server: N/A
            FTP Proxy Server:    N/A
            Gopher Proxy Server: N/A
            Socks Proxy Server:  N/A
            Auto Config Enable:  No
            Enable Proxy:        No
            Use same Proxy:      No

        Internet Explorer URLs
        ----------------------
            GPO: Default Domain Policy
                Home page URL:           N/A
                Search page URL:         N/A
                Online support page URL: N/A

        Internet Explorer Security
        --------------------------
            Always Viewable Sites:     N/A
            Password Override Enabled: False

            GPO: Default Domain Policy
                Import the current Content Ratings Settings:      No
                Import the current Security Zones Settings:       No
                Import current Authenticode Security Information: No
                Enable trusted publisher lockdown:                No

        Internet Explorer Programs
        --------------------------
            GPO: Default Domain Policy
                Import the current Program Settings: No
0
 
LVL 31

Expert Comment

by:Toni Uranjek
Comment Utility
I apologise because I didnt't read thoroughly all previously posted comments, but from what I understand, you are posting gpresult output from client computers? It does not matter which setting apply to clients, you should run gpresult on domain controller. This is where passwords are stored and changed. If your password policy does not apply to all domain controllers, you might have inconsistencies or password policy which does not apply at all.

Can you post gpresult from any DC?
0
 
LVL 4

Expert Comment

by:lscapa
Comment Utility
I'm sorry did I say client? toniur is correct DC... sorry two different threads going. Also have a look at KB259576. I assume that the default domain policy is linked at the domain level and hasn't been moved somewhere else? This may cause DC's to ignore.
0
 

Author Comment

by:horsewhite
Comment Utility
OK here are the gpreult -v from the PDC. I haven't looked at it.

Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999


Created on Wednesday, October 01, 2008 at 11:38:32 AM


Operating System Information:

Operating System Type:            Domain Controller
Operating System Version:      5.0.2195.Service Pack 4
Terminal Server Mode:            Remote Administration

###############################################################

  User Group Policy results for:

  CN=Administrator,CN=Users,DC=internal,DC=pacific-crest,DC=com

  Domain Name:            PCS-DOMAIN
  Domain Type:            Windows 2000
  Site Name:            PDX

  Roaming profile:      (None)
  Local profile:      C:\Documents and Settings\Administrator.PCS-DOMAIN

  The user is a member of the following security groups:

      PCS-DOMAIN\Domain Admins
      \Everyone
      BUILTIN\Administrators
      BUILTIN\Users
      BUILTIN\Pre-Windows 2000 Compatible Access
      NT AUTHORITY\INTERACTIVE
      NT AUTHORITY\Authenticated Users
      \LOCAL
      PCS-DOMAIN\Group Policy Creator Owners
      PCS-DOMAIN\Exchange Services
      PCS-DOMAIN\Everybody
      PCS-DOMAIN\IB PDX
      PCS-DOMAIN\Exchange Domain Servers
      PCS-DOMAIN\SMEX Admin Group
      PCS-DOMAIN\TopTools
      PCS-DOMAIN\Enterprise Admins
      PCS-DOMAIN\Schema Admins
      PCS-DOMAIN\Exchange Enterprise Servers
      PCS-DOMAIN\DnsAdmins

  The user has the following security privileges:

      Act as part of the operating system
      Generate security audits
      Restore files and directories
      Create a token object
      Enable computer and user accounts to be trusted for delegation
      Add workstations to domain
      Bypass traverse checking
      Manage auditing and security log
      Back up files and directories
      Change the system time
      Shut down the system
      Force shutdown from a remote system
      Take ownership of files or other objects
      Debug programs
      Modify firmware environment values
      Profile system performance
      Profile single process
      Increase scheduling priority
      Load and unload device drivers
      Create a pagefile
      Increase quotas
      Remove computer from docking station
      Impersonate a client after authentication
      Create global objects


###############################################################

Last time Group Policy was applied: Wednesday, October 01, 2008 at 11:09:35 AM
Group Policy was applied from: pcsspdx-mail.internal.pacific-crest.com


===============================================================
The user received "Internet Explorer Branding" settings from these GPOs:

      Default Domain Policy
          Revision Number:      5
          Unique Name:      {31B2F340-016D-11D2-945F-00C04FB984F9}
          Domain Name:      internal.pacific-crest.com
          Linked to:            Domain (DC=internal,DC=pacific-crest,DC=com)


      Additional information is not available for this type of policy setting.



###############################################################

  Computer Group Policy results for:

  CN=PCSSPDX-MAIL,OU=Domain Controllers,DC=internal,DC=pacific-crest,DC=com

  Domain Name:            PCS-DOMAIN
  Domain Type:            Windows 2000
  Site Name:            PDX


  The computer is a member of the following security groups:

      BUILTIN\Administrators
      \Everyone
      BUILTIN\Users
      BUILTIN\Pre-Windows 2000 Compatible Access
      NT AUTHORITY\NETWORK
      NT AUTHORITY\Authenticated Users
      PCS-DOMAIN\PCSSPDX-MAIL$
      PCS-DOMAIN\Exchange Domain Servers
      PCS-DOMAIN\Domain Controllers
      NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
      PCS-DOMAIN\Exchange Enterprise Servers

###############################################################

Last time Group Policy was applied: Wednesday, October 01, 2008 at 11:37:38 AM
Group Policy was applied from: pcsspdx-mail.internal.pacific-crest.com


===============================================================


The computer received "Registry" settings from these GPOs:

      Local Group Policy
          Revision Number:      6
          Unique Name:      Local Group Policy
          Domain Name:      
          Linked to:            Local computer




      The following settings were applied from: Local Group Policy

          KeyName:      Software\Policies\Microsoft\SystemCertificates\EFS
          ValueName:      EFSBlob
          ValueType:      REG_BINARY
          Value:      Binary data.  Use the /S switch to display.

          KeyName:      Software\Policies\Microsoft\SystemCertificates\EFS\Certificates\385F0FCAC098E47E47731FDD87D8AF8B3F8B18D3
          ValueName:      Blob
          ValueType:      REG_BINARY
          Value:      Binary data.  Use the /S switch to display.

          KeyName:      Software\Policies\Microsoft\SystemCertificates\EFS\CRLs
          ValueName:      
          ValueType:      REG_NONE
          Value:      This key contains no values

          KeyName:      Software\Policies\Microsoft\SystemCertificates\EFS\CTLs
          ValueName:      
          ValueType:      REG_NONE
          Value:      This key contains no values


===============================================================
The computer received "Security" settings from these GPOs:

      Local Group Policy
          Revision Number:      6
          Unique Name:      Local Group Policy
          Domain Name:      
          Linked to:            Local computer

      Default Domain Controllers Policy
          Revision Number:      139
          Unique Name:      {6AC1786C-016F-11D2-945F-00C04fB984F9}
          Domain Name:      INTERNAL.PACIFIC-CREST.COM
          Linked to:            Organizational Unit (OU=Domain Controllers,DC=internal,DC=pacific-crest,DC=com)


      Run the Security Configuration Editor for more information.


===============================================================
The computer received "EFS recovery" settings from these GPOs:

      Local Group Policy
          Revision Number:      6
          Unique Name:      Local Group Policy
          Domain Name:      
          Linked to:            Local computer


      Additional information is not available for this type of policy setting.
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 

Author Comment

by:horsewhite
Comment Utility
gpresult -z from the PDC


Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999


Created on Wednesday, October 01, 2008 at 11:40:19 AM


Operating System Information:

Operating System Type:            Domain Controller
Operating System Version:      5.0.2195.Service Pack 4
Terminal Server Mode:            Remote Administration

###############################################################

  User Group Policy results for:

  CN=Administrator,CN=Users,DC=internal,DC=pacific-crest,DC=com

  Domain Name:            PCS-DOMAIN
  Domain Type:            Windows 2000
  Site Name:            PDX

  Roaming profile:      (None)
  Local profile:      C:\Documents and Settings\Administrator.PCS-DOMAIN

  The user is a member of the following security groups:

      PCS-DOMAIN\Domain Admins
      \Everyone
      BUILTIN\Administrators
      BUILTIN\Users
      BUILTIN\Pre-Windows 2000 Compatible Access
      NT AUTHORITY\INTERACTIVE
      NT AUTHORITY\Authenticated Users
      \LOCAL
      PCS-DOMAIN\Group Policy Creator Owners
      PCS-DOMAIN\Exchange Services
      PCS-DOMAIN\Everybody
      PCS-DOMAIN\IB PDX
      PCS-DOMAIN\Exchange Domain Servers
      PCS-DOMAIN\SMEX Admin Group
      PCS-DOMAIN\TopTools
      PCS-DOMAIN\Enterprise Admins
      PCS-DOMAIN\Schema Admins
      PCS-DOMAIN\Exchange Enterprise Servers
      PCS-DOMAIN\DnsAdmins


###############################################################

Last time Group Policy was applied: Wednesday, October 01, 2008 at 11:09:35 AM
Group Policy was applied from: pcsspdx-mail.internal.pacific-crest.com


===============================================================
The user received "Internet Explorer Branding" settings from these GPOs:

      Default Domain Policy



###############################################################

  Computer Group Policy results for:

  CN=PCSSPDX-MAIL,OU=Domain Controllers,DC=internal,DC=pacific-crest,DC=com

  Domain Name:            PCS-DOMAIN
  Domain Type:            Windows 2000
  Site Name:            PDX


  The computer is a member of the following security groups:

      BUILTIN\Administrators
      \Everyone
      BUILTIN\Users
      BUILTIN\Pre-Windows 2000 Compatible Access
      NT AUTHORITY\NETWORK
      NT AUTHORITY\Authenticated Users
      PCS-DOMAIN\PCSSPDX-MAIL$
      PCS-DOMAIN\Exchange Domain Servers
      PCS-DOMAIN\Domain Controllers
      NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
      PCS-DOMAIN\Exchange Enterprise Servers

###############################################################

Last time Group Policy was applied: Wednesday, October 01, 2008 at 11:37:38 AM
Group Policy was applied from: pcsspdx-mail.internal.pacific-crest.com


===============================================================


The computer received "Registry" settings from these GPOs:

      Local Group Policy


===============================================================
The computer received "Security" settings from these GPOs:

      Local Group Policy
      Default Domain Controllers Policy


===============================================================
The computer received "EFS recovery" settings from these GPOs:

      Local Group Policy

0
 
LVL 4

Expert Comment

by:lscapa
Comment Utility
horsewhite this is win2k so run it with gpresult -v see if the output looks differently.
0
 

Author Comment

by:horsewhite
Comment Utility
the 11:41AM posting is -v. Yes it is a mixed 2000/2003.

I read the kb259576 "The following settings are applied to domain controllers in Windows 2000 only when the group policy is linked to the Domain container: " All settings in Computer Configuration/Windows Settings/Security Settings/Account Policies (This includes all of the Account Lockout, Password, and Kerberos policies.) ". The account policies above are the only changes I made and am aware of. So if I understand this no linking is required. I made the changes in the AD users & computers -> properties -> group policy (Block Policy inheritance is NOT checked) -> default domain policy -> edit -> Windows Settings -> Security Settings -> Account Policy -> Password Policy & Account lockout Policy. No linking required correct?
0
 

Author Comment

by:horsewhite
Comment Utility
upping the points...

The last 2 gpresult postings were from the PDC.
0
 
LVL 4

Expert Comment

by:lscapa
Comment Utility
Correct.
Can you set your user account to require a password change at next logon. Logout and back in attempt to reuse the same password again. Does it let you?
0
 

Author Comment

by:horsewhite
Comment Utility
"Can you set your user account to require a password change at next logon. Logout and back in attempt to reuse the same password again. Does it let you?"

Hmmm. I tried this earlier and it took 2 reboots for the dialog to come up to change the password. I didn't try just a logout.
I just now tried it again and after the first reboot like before no change passwd notice. On second try I got the dialog about "Your password must be 0 characters, cannot repeat any of your previous 1 passwords and must be at least 0 days old" So it seems some of it has been enabled. BUT I could us "aaa" as my new password and once in I could change it back to my old password.
0
 

Author Comment

by:horsewhite
Comment Utility
It appears my last posting didn't make it through...

Yes I tried this earlier today and it took 2 reboots (I didn't try just logging out, did a full reboot) and after the second reboot it made me change the password. I could change it to something that would have violated the new password rules. Once logged in I was able change the password back again.

I tried this again after seeing your posting. I set my account to require a password change next login. First reboot nothing, I logged in with my password. No warning or change required. After the second reboot I got the must change password dialog. I attempted to change it to a password less than required by the policy and got "Your password must be 0 characters, cannot repeat any of your previous 1 passwords and must be at least 0 days old". Once logged in no policy applied... eg I changed my password under the 90 days and under the complexity

From all I can see these policies should apply and from the last login it appears AD is "trying". Like I said earlier these changes where made over 12 hours ago well past the 90 minute default. I did a gpupdate last night. I shouldn't have to reboot the DC but I may try that next since it seems to fix and apply 95% of all other changes in Windows.  I would really rather hear that I missed some small part of this as I would really like to start using GPO's to manage an otherwise unmanageable Wondows domain.
0
 
LVL 4

Expert Comment

by:lscapa
Comment Utility
Horsewhite,
Your on the right track GPO's are handy tools for managing your domain. There were quite a few issues with GP's on 2000 DC's (mainly since they were the same ADM files from 95...) but anyhow they should still be applying. It now looks more like a possible issue with AD itself and not the policy settings at all. I know some of this may be redundant or seem unimportant but it's the same steps that MS would have you pay $135 and at least we speak English...
Let's do the following to make sure the GP templates are healthy.
1. Open GPMC and highlight "Default Domain Policy"
2. Go to the "Details" tab and make sure the "User Version" matches in both locations (AD & SYSVOL)
3. Make sure that the "Computer Version" matches in both locations (AD & SYSVOL)
The version may not match each other (User vs Computer) since each module is updated and tracked seperately.
4. Back on the "Scope" tab who is listed in Security Filtering?
5. Under "Links" what location is listed? Is it Enforced? Path?
Another helpfull tool when troubleshooting GP or AD issues in general is Microsoft MPSreports. Lets go ahead and run these as well and post the zip file. Make sure and download the copy for Directory Services...
http://www.microsoft.com/downloads/details.aspx?familyid=cebf3c7c-7ca5-408f-88b7-f9c79b7306c0&displaylang=en
 
0
 

Author Comment

by:horsewhite
Comment Utility
All match
User version:         5 (AD), 5 (sysvol)
Computer version: 5 (AD), 5 (sysvol)

Authenticated Users
Domain Admins
Enterprise Admins

5. Under "Links" what location is listed? Is it Enforced? Path?
I'm not sure how to check if it is enforced and what the path is but under Links in the Display links in the location: our domain is listed.

I'm going through the MS reporting stuff now.
0
 

Author Comment

by:horsewhite
Comment Utility
Duh! I was looking right at it! Sorry busy morning...
As I said display link in this location has our domain listed internal.pacific-crest.com.

Under "The following site, domains, and OUs are linked to this GPO:"
Location                               Enforced               Link Enabled                         Path
internal.pacific-crest.com      No                        Yes                                       internal.pacific-crest.com
Terminal Servers                   No                        Yes                                       internal.pacific-crest.com

Do I need to enforce it?

Under Details GPO status is enabled.
0
 
LVL 4

Expert Comment

by:lscapa
Comment Utility
Yes. Enforcing apolicy such as the default domain policy is a good idea. See http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsec_pol_dyzr.mspx?mfr=true ans the note about limiting use. For this case I would say lets Enforce it.
0
 

Author Comment

by:horsewhite
Comment Utility
Enforcing did it. I overlooked that in the mix. I feel dumb but glad it is up and working. In addition to more research on AD & GP what more do I need to do to insure things are running smoothly?
0
 
LVL 4

Accepted Solution

by:
lscapa earned 250 total points
Comment Utility
Look over the MPS reports they are a great troubleshooting aid especially for wierd issues. Reading up on the GPO rules of application to and from DC/client will really make things easier. Make sure you follow MS's best practises and the like. Even if it sounds dumb there is a reason. Like if you have one DC get a second one. That way if one fails you'll still be ok. If you have two DC's have them look at each other for DNS instead of themselves... that last one will save you tons of trouble later. And lastly, if you can spare some disk space replicate your enviroment for testing and the likes...
0
 

Author Comment

by:horsewhite
Comment Utility
Thanks for the help.
0
 
LVL 8

Expert Comment

by:sstone55423
Comment Utility
No problems.  Iscapa knows his stuff.
0
 
LVL 4

Expert Comment

by:lscapa
Comment Utility
Lol thanks I got some inside information while I was employeed in Directory Services at MS...
0
 
LVL 8

Expert Comment

by:sstone55423
Comment Utility
Hey Horsewhite, go ahead and close this one, be sure and give Iscapa the "A" grade!
0
 

Author Comment

by:horsewhite
Comment Utility
Hmmm it tells me that this Q has already been closed. I closed last week but I can see that it appears to still be open.
0
 
LVL 8

Expert Comment

by:sstone55423
Comment Utility
Okay, well now it shows an accepted solution.  Oh well!
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
Synchronize a new Active Directory domain with an existing Office 365 tenant
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now