Default domain policy unlinked accidentally -- damage control
Hello Experts,
One of the system admins in the enterprise unlinked the default domain policy that controls how many passwords are remembered, password complexity, etc... It was turned off for almost 30 days, and was just turned back on yesterday.
I was asked to perform damage control and let the enterprise manager know what impact this will have on the environment. Will the AD "forget" previous passwords?
Please see the settings of the GPO and let me know your thoughts, I just copied and pasted the output, so it's a bit difficult to read, sorry & thanks!
Group Policy Management
Default Domain Policy
Data collected on: 9/1/2010 9:25:58 AM hide all
Created 1/26/2006 8:49:12 AM
Modified 8/31/2010 5:36:20 PM
User Revisions 35 (AD), 35 (sysvol)
Computer Revisions 104 (AD), 104 (sysvol)
Unique ID
GPO Status Enabled
Location Enforced Link Status Path
This list only includes links in the domain of the GPO.
Security Filteringhide
The settings in this GPO can only apply to the following groups, users, and computers:Name
NT AUTHORITY\Authenticated Users
WMI Filteringhide
WMI Filter Name None
Description Not applicable
Delegationhide
These groups and users have the specified permission for this GPOName Allowed Permissions Inherited
NT AUTHORITY\Authenticated Users Read (from Security Filtering) No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read No
NT AUTHORITY\SYSTEM Edit settings, delete, modify security No
XXX\Domain Admins Edit settings, delete, modify security No
XXX\Enterprise Admins Edit settings, delete, modify security No
Computer Configuration (Enabled)hide
Windows Settingshide
Security Settingshide
Account Policies/Password Policyhide
Policy Setting
Enforce password history 24 passwords remembered
Maximum password age 180 days
Minimum password age 0 days
Minimum password length 10 characters
Password must meet complexity requirements Enabled
Store passwords using reversible encryption Disabled
Account Policies/Account Lockout Policyhide
Policy Setting
Account lockout duration 30 minutes
Account lockout threshold 5 invalid logon attempts
Reset account lockout counter after 30 minutes
Account Policies/Kerberos Policyhide
Policy Setting
Enforce user logon restrictions Enabled
Maximum lifetime for service ticket 600 minutes
Maximum lifetime for user ticket 10 hours
Maximum lifetime for user ticket renewal 7 days
Maximum tolerance for computer clock synchronization 5 minutes
Local Policies/Security Optionshide
Network Securityhide
Policy Setting
Network security: Force logoff when logon hours expire Disabled
Public Key Policies/Autoenrollment Settingshide
Policy Setting
Enroll certificates automatically Enabled
Renew expired certificates, update pending certificates, and remove revoked certificates Enabled
Update certificates that use certificate templates Enabled
Public Key Policies/Encrypting File Systemhide
Propertieshide
Policy Setting
Allow users to encrypt files using Encrypting File System (EFS) Enabled
Certificateshide
Issued To Issued By Expiration Date Intended Purposes
For additional information about individual settings, launch Group Policy Object Editor.
Public Key Policies/Trusted Root Certification Authoritieshide
Propertieshide
Policy Setting
Allow users to select new root certification authorities (CAs) to trust Enabled
Client computers can trust the following certificate stores Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
To perform certificate-based authentication of users and computers, CAs must meet the following criteria Registered in Active Directory only
Administrative Templateshide
Windows Components/Windows Updatehide
Policy Setting
Configure Automatic Updates Enabled
Configure automatic updating: 3 - Auto download and notify for install
The following settings are only required
and applicable if 4 is selected.
Scheduled install day: 0 - Every day
Scheduled install time: 03:00
Policy Setting
Specify intranet Microsoft update service location Enabled
Set the intranet update service for detecting updates: http://updateserver.xxx.edu
Set the intranet statistics server: http://updateserver.xxx.edu
(example: http://IntranetUpd01)
User Configuration (Enabled)hide
Windows Settingshide
Remote Installation Serviceshide
Client Installation Wizard optionshide
Policy Setting
Custom Setup Disabled
Restart Setup Disabled
Tools Disabled
Security Settingshide
Public Key Policies/Autoenrollment Settingshide
Policy Setting
Enroll certificates automatically Enabled
Renew expired certificates, update pending certificates, and remove revoked certificates Enabled
Update certificates that use certificate templates Enabled
Internet Explorer Maintenancehide
Security/Security Zones and Content Ratingshide
Security Zones and Privacy (Enhanced Security Configuration Enabled)hide
These settings will only apply to users when they log on to computers that have the Internet Explorer Enhanced Security Configuration enabled.Internet (Security Level: Custom)hide
.NET Framework-reliant componentsRun components not signed with Authenticode Enable
Run components signed with Authenticode Enable
ActiveX controls and plug-insDownload signed ActiveX controls Disable
Download unsigned ActiveX controls Disable
Initialize and script ActiveX controls not marked as safe Disable
Run ActiveX controls and plug-ins Disable
Script ActiveX controls marked safe for scripting Disable
DownloadsFile download Disable
Font download Prompt
Microsoft VMJava permissions Disable Java
MiscellaneousAccess data sources across domains Disable
Allow META REFRESH Disable
Display mixed content Prompt
Don't prompt for client certificate selection when no certificates or only one certificate exists Disable
Drag and drop or copy and paste files Prompt
Installation of desktop items Disable
Launching applications and unsafe files Prompt
Launching programs and files in an IFRAME Disable
Navigate sub-frames across different domains Disable
Software channel permissions High safety
Submit nonencrypted form data Prompt
Userdata persistence Disable
ScriptingActive scripting Disable
Allow paste operations via script Disable
Scripting of Java applets Disable
User AuthenticationLogon Prompt for user name and password
Local intranet (Security Level: Custom)hide
.NET Framework-reliant componentsRun components not signed with Authenticode Enable
Run components signed with Authenticode Enable
ActiveX controls and plug-insDownload signed ActiveX controls Prompt
Download unsigned ActiveX controls Disable
Initialize and script ActiveX controls not marked as safe Disable
Run ActiveX controls and plug-ins Enable
Script ActiveX controls marked safe for scripting Enable
DownloadsFile download Enable
Font download Enable
Microsoft VMJava permissions Medium safety
MiscellaneousAccess data sources across domains Prompt
Allow META REFRESH Enable
Display mixed content Prompt
Don't prompt for client certificate selection when no certificates or only one certificate exists Enable
Drag and drop or copy and paste files Enable
Installation of desktop items Prompt
Launching applications and unsafe files Enable
Launching programs and files in an IFRAME Prompt
Navigate sub-frames across different domains Enable
Software channel permissions Medium safety
Submit nonencrypted form data Enable
Userdata persistence Enable
ScriptingActive scripting Enable
Allow paste operations via script Enable
Scripting of Java applets Enable
User AuthenticationLogon Automatic logon only in Intranet zone
SitesRequire server verification (https:) for all sites in this zone Disabled
Include all local (intranet) sites not listed in other zones Disabled
Include all sites that bypass the proxy server Disabled
Include all network paths (UNCs) Disabled
Sites in this zone
hcp:////system/
http://localhost/
https://localhost/
Trusted sites (Security Level: Custom)hide
.NET Framework-reliant componentsRun components not signed with Authenticode Enable
Run components signed with Authenticode Enable
ActiveX controls and plug-insDownload signed ActiveX controls Prompt
Download unsigned ActiveX controls Disable
Initialize and script ActiveX controls not marked as safe Disable
Run ActiveX controls and plug-ins Enable
Script ActiveX controls marked safe for scripting Enable
DownloadsFile download Enable
Font download Enable
Microsoft VMJava permissions High safety
MiscellaneousAccess data sources across domains Disable
Allow META REFRESH Enable
Display mixed content Prompt
Don't prompt for client certificate selection when no certificates or only one certificate exists Disable
Drag and drop or copy and paste files Enable
Installation of desktop items Prompt
Launching applications and unsafe files Prompt
Launching programs and files in an IFRAME Prompt
Navigate sub-frames across different domains Enable
Software channel permissions Medium safety
Submit nonencrypted form data Enable
Userdata persistence Enable
ScriptingActive scripting Enable
Allow paste operations via script Enable
Scripting of Java applets Enable
User AuthenticationLogon Automatic logon only in Intranet zone
SitesRequire server verification (https:) for all sites in this zone Disabled
Sites in this zone
about://*.security_mmc.exe
http://*.update.microsoft.com/
http://*.windowsupdate.com/
http://*.windowsupdate.microsoft.com/
http://go.microsoft.com/
http://msdn.microsoft.com/
http://oca.microsoft.com/
http://support.microsoft.com/
http://technet.microsoft.com/
http://windowsupdate.microsoft.com/
http://www.microsoft.com/
https://*.update.microsoft.com/
https://*.windowsupdate.microsoft.com/
https://oca.microsoft.com/
https://windowsupdate.microsoft.com/
Restricted sites (Security Level: Custom)hide
.NET Framework-reliant componentsRun components not signed with Authenticode Disable
Run components signed with Authenticode Disable
ActiveX controls and plug-insDownload signed ActiveX controls Disable
Download unsigned ActiveX controls Disable
Initialize and script ActiveX controls not marked as safe Disable
Run ActiveX controls and plug-ins Disable
Script ActiveX controls marked safe for scripting Disable
DownloadsFile download Disable
Font download Prompt
Microsoft VMJava permissions Disable Java
MiscellaneousAccess data sources across domains Disable
Allow META REFRESH Disable
Display mixed content Prompt
Don't prompt for client certificate selection when no certificates or only one certificate exists Disable
Drag and drop or copy and paste files Prompt
Installation of desktop items Disable
Launching applications and unsafe files Disable
Launching programs and files in an IFRAME Disable
Navigate sub-frames across different domains Disable
Software channel permissions High safety
Submit nonencrypted form data Prompt
Userdata persistence Disable
ScriptingActive scripting Disable
Allow paste operations via script Disable
Scripting of Java applets Disable
User AuthenticationLogon Prompt for user name and password
SitesSites in this zone
None
Privacyhide
Privacy Level Medium
Web Sites
Always allow None
Always block None
One of the system admins in the enterprise unlinked the default domain policy that controls how many passwords are remembered, password complexity, etc... It was turned off for almost 30 days, and was just turned back on yesterday.
I was asked to perform damage control and let the enterprise manager know what impact this will have on the environment. Will the AD "forget" previous passwords?
Please see the settings of the GPO and let me know your thoughts, I just copied and pasted the output, so it's a bit difficult to read, sorry & thanks!
Group Policy Management
Default Domain Policy
Data collected on: 9/1/2010 9:25:58 AM hide all
Created 1/26/2006 8:49:12 AM
Modified 8/31/2010 5:36:20 PM
User Revisions 35 (AD), 35 (sysvol)
Computer Revisions 104 (AD), 104 (sysvol)
Unique ID
GPO Status Enabled
Location Enforced Link Status Path
This list only includes links in the domain of the GPO.
Security Filteringhide
The settings in this GPO can only apply to the following groups, users, and computers:Name
NT AUTHORITY\Authenticated Users
WMI Filteringhide
WMI Filter Name None
Description Not applicable
Delegationhide
These groups and users have the specified permission for this GPOName Allowed Permissions Inherited
NT AUTHORITY\Authenticated Users Read (from Security Filtering) No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read No
NT AUTHORITY\SYSTEM Edit settings, delete, modify security No
XXX\Domain Admins Edit settings, delete, modify security No
XXX\Enterprise Admins Edit settings, delete, modify security No
Computer Configuration (Enabled)hide
Windows Settingshide
Security Settingshide
Account Policies/Password Policyhide
Policy Setting
Enforce password history 24 passwords remembered
Maximum password age 180 days
Minimum password age 0 days
Minimum password length 10 characters
Password must meet complexity requirements Enabled
Store passwords using reversible encryption Disabled
Account Policies/Account Lockout Policyhide
Policy Setting
Account lockout duration 30 minutes
Account lockout threshold 5 invalid logon attempts
Reset account lockout counter after 30 minutes
Account Policies/Kerberos Policyhide
Policy Setting
Enforce user logon restrictions Enabled
Maximum lifetime for service ticket 600 minutes
Maximum lifetime for user ticket 10 hours
Maximum lifetime for user ticket renewal 7 days
Maximum tolerance for computer clock synchronization 5 minutes
Local Policies/Security Optionshide
Network Securityhide
Policy Setting
Network security: Force logoff when logon hours expire Disabled
Public Key Policies/Autoenrollment Settingshide
Policy Setting
Enroll certificates automatically Enabled
Renew expired certificates, update pending certificates, and remove revoked certificates Enabled
Update certificates that use certificate templates Enabled
Public Key Policies/Encrypting File Systemhide
Propertieshide
Policy Setting
Allow users to encrypt files using Encrypting File System (EFS) Enabled
Certificateshide
Issued To Issued By Expiration Date Intended Purposes
For additional information about individual settings, launch Group Policy Object Editor.
Public Key Policies/Trusted Root Certification Authoritieshide
Propertieshide
Policy Setting
Allow users to select new root certification authorities (CAs) to trust Enabled
Client computers can trust the following certificate stores Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
To perform certificate-based authentication of users and computers, CAs must meet the following criteria Registered in Active Directory only
Administrative Templateshide
Windows Components/Windows Updatehide
Policy Setting
Configure Automatic Updates Enabled
Configure automatic updating: 3 - Auto download and notify for install
The following settings are only required
and applicable if 4 is selected.
Scheduled install day: 0 - Every day
Scheduled install time: 03:00
Policy Setting
Specify intranet Microsoft update service location Enabled
Set the intranet update service for detecting updates: http://updateserver.xxx.edu
Set the intranet statistics server: http://updateserver.xxx.edu
(example: http://IntranetUpd01)
User Configuration (Enabled)hide
Windows Settingshide
Remote Installation Serviceshide
Client Installation Wizard optionshide
Policy Setting
Custom Setup Disabled
Restart Setup Disabled
Tools Disabled
Security Settingshide
Public Key Policies/Autoenrollment Settingshide
Policy Setting
Enroll certificates automatically Enabled
Renew expired certificates, update pending certificates, and remove revoked certificates Enabled
Update certificates that use certificate templates Enabled
Internet Explorer Maintenancehide
Security/Security Zones and Content Ratingshide
Security Zones and Privacy (Enhanced Security Configuration Enabled)hide
These settings will only apply to users when they log on to computers that have the Internet Explorer Enhanced Security Configuration enabled.Internet (Security Level: Custom)hide
.NET Framework-reliant componentsRun components not signed with Authenticode Enable
Run components signed with Authenticode Enable
ActiveX controls and plug-insDownload signed ActiveX controls Disable
Download unsigned ActiveX controls Disable
Initialize and script ActiveX controls not marked as safe Disable
Run ActiveX controls and plug-ins Disable
Script ActiveX controls marked safe for scripting Disable
DownloadsFile download Disable
Font download Prompt
Microsoft VMJava permissions Disable Java
MiscellaneousAccess data sources across domains Disable
Allow META REFRESH Disable
Display mixed content Prompt
Don't prompt for client certificate selection when no certificates or only one certificate exists Disable
Drag and drop or copy and paste files Prompt
Installation of desktop items Disable
Launching applications and unsafe files Prompt
Launching programs and files in an IFRAME Disable
Navigate sub-frames across different domains Disable
Software channel permissions High safety
Submit nonencrypted form data Prompt
Userdata persistence Disable
ScriptingActive scripting Disable
Allow paste operations via script Disable
Scripting of Java applets Disable
User AuthenticationLogon Prompt for user name and password
Local intranet (Security Level: Custom)hide
.NET Framework-reliant componentsRun components not signed with Authenticode Enable
Run components signed with Authenticode Enable
ActiveX controls and plug-insDownload signed ActiveX controls Prompt
Download unsigned ActiveX controls Disable
Initialize and script ActiveX controls not marked as safe Disable
Run ActiveX controls and plug-ins Enable
Script ActiveX controls marked safe for scripting Enable
DownloadsFile download Enable
Font download Enable
Microsoft VMJava permissions Medium safety
MiscellaneousAccess data sources across domains Prompt
Allow META REFRESH Enable
Display mixed content Prompt
Don't prompt for client certificate selection when no certificates or only one certificate exists Enable
Drag and drop or copy and paste files Enable
Installation of desktop items Prompt
Launching applications and unsafe files Enable
Launching programs and files in an IFRAME Prompt
Navigate sub-frames across different domains Enable
Software channel permissions Medium safety
Submit nonencrypted form data Enable
Userdata persistence Enable
ScriptingActive scripting Enable
Allow paste operations via script Enable
Scripting of Java applets Enable
User AuthenticationLogon Automatic logon only in Intranet zone
SitesRequire server verification (https:) for all sites in this zone Disabled
Include all local (intranet) sites not listed in other zones Disabled
Include all sites that bypass the proxy server Disabled
Include all network paths (UNCs) Disabled
Sites in this zone
hcp:////system/
http://localhost/
https://localhost/
Trusted sites (Security Level: Custom)hide
.NET Framework-reliant componentsRun components not signed with Authenticode Enable
Run components signed with Authenticode Enable
ActiveX controls and plug-insDownload signed ActiveX controls Prompt
Download unsigned ActiveX controls Disable
Initialize and script ActiveX controls not marked as safe Disable
Run ActiveX controls and plug-ins Enable
Script ActiveX controls marked safe for scripting Enable
DownloadsFile download Enable
Font download Enable
Microsoft VMJava permissions High safety
MiscellaneousAccess data sources across domains Disable
Allow META REFRESH Enable
Display mixed content Prompt
Don't prompt for client certificate selection when no certificates or only one certificate exists Disable
Drag and drop or copy and paste files Enable
Installation of desktop items Prompt
Launching applications and unsafe files Prompt
Launching programs and files in an IFRAME Prompt
Navigate sub-frames across different domains Enable
Software channel permissions Medium safety
Submit nonencrypted form data Enable
Userdata persistence Enable
ScriptingActive scripting Enable
Allow paste operations via script Enable
Scripting of Java applets Enable
User AuthenticationLogon Automatic logon only in Intranet zone
SitesRequire server verification (https:) for all sites in this zone Disabled
Sites in this zone
about://*.security_mmc.exe
http://*.update.microsoft.com/
http://*.windowsupdate.com/
http://*.windowsupdate.microsoft.com/
http://go.microsoft.com/
http://msdn.microsoft.com/
http://oca.microsoft.com/
http://support.microsoft.com/
http://technet.microsoft.com/
http://windowsupdate.microsoft.com/
http://www.microsoft.com/
https://*.update.microsoft.com/
https://*.windowsupdate.microsoft.com/
https://oca.microsoft.com/
https://windowsupdate.microsoft.com/
Restricted sites (Security Level: Custom)hide
.NET Framework-reliant componentsRun components not signed with Authenticode Disable
Run components signed with Authenticode Disable
ActiveX controls and plug-insDownload signed ActiveX controls Disable
Download unsigned ActiveX controls Disable
Initialize and script ActiveX controls not marked as safe Disable
Run ActiveX controls and plug-ins Disable
Script ActiveX controls marked safe for scripting Disable
DownloadsFile download Disable
Font download Prompt
Microsoft VMJava permissions Disable Java
MiscellaneousAccess data sources across domains Disable
Allow META REFRESH Disable
Display mixed content Prompt
Don't prompt for client certificate selection when no certificates or only one certificate exists Disable
Drag and drop or copy and paste files Prompt
Installation of desktop items Disable
Launching applications and unsafe files Disable
Launching programs and files in an IFRAME Disable
Navigate sub-frames across different domains Disable
Software channel permissions High safety
Submit nonencrypted form data Prompt
Userdata persistence Disable
ScriptingActive scripting Disable
Allow paste operations via script Disable
Scripting of Java applets Disable
User AuthenticationLogon Prompt for user name and password
SitesSites in this zone
None
Privacyhide
Privacy Level Medium
Web Sites
Always allow None
Always block None
ASKER
So what you're saying is that if a couple of users reset their passwords, or created new ones, and the complexity wasn't in effect, when they attempt to log in now that the policy is linked, they will be asked to change their password to match the requirements?
Also -- we have deployed two factor authentication using Alladin Etoken -- it worked prior to the default policy being unlinked, continued to work while the policy was unlinked, but when it was relinked yesterday, now logging in with the usb etoken key no longer works.
Also -- we have deployed two factor authentication using Alladin Etoken -- it worked prior to the default policy being unlinked, continued to work while the policy was unlinked, but when it was relinked yesterday, now logging in with the usb etoken key no longer works.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks talkin
Your welcome. Hope it all worked out.
John