Solved

Server 2003 Group Policy - Password Policy not applying Event 1202

Posted on 2010-11-18
Last Modified: 2012-06-27
Hi
I need some help with a customer we look after. Password Policy for domain has stopped working. The GPO is linked at the domain level and is listed first. It applies to PCs but doesn't work. Checked the PDC and noticed event 1202 errors: "Security policies were propagated with warning. 0x5 : Access is denied". Running RSOP on the PDC shows the policy as applied in computer config, windows settings, security settings, account policies, password policy. But there are red x's against all configured options. Enabled debugging and checked the winlogon.log file and can see "Configure Security Policy Warning 5: Access is denied". Have already checked http://support.microsoft.com/default.aspx?scid=KB;EN-US;324383 and there are no services configured under this GPO. Also created a new GPO and same issue. Any help appreciated.
Question by:nfarrell

Accepted Solution

by:
ChiefIT earned 500 total points
ID: 34170832
Access denied (warning 5) means that the policy doesn't have read or apply policy rights. In other words, you don't have the permissions to apply policies or allow users to read them.

http://technet.microsoft.com/en-us/library/cc759506(WS.10).aspx

I would also check the default permissions on the SYSVOL folder. Make sure they are correct.

Your errors are directly related to an ACL violation, meaning permissions.

Author Comment

by:nfarrell
ID: 34172053
Thanks for the reply. I have checked the permissions of the GPO and the scope is correct, i.e. applied to authenticated users. Checked permissions on the SYSVOL folder and all is normal. The GPO will apply on other DCs normally, but it's on this PDC that we get the error.

Expert Comment

by:ChiefIT
ID: 34177429
Windows firewall blocks LDAP requests and it could pose a problem with authentications...

Author Comment

by:nfarrell
ID: 34186875
Windows firewall is disabled. Thinking of transferring the PDC role to another server to get this working.

Expert Comment

by:ChiefIT
ID: 34202049
An access denied like this indicates that you are violating the ACL (access control list) on the policy folder. That would be the SYSVOL file folder. I would make sure the group policy folder has the default permissions for the domain, and also that the clients are on the domain.

Group policies are distributed out via NetBIOS. So, all computers on the broadcast domain will see these policies. Computers that are not members of the domain will not get the default domain policy for logons because they don't have domain authentication. This could mean the computer has to rejoin the domain if the secure channel has been broken.


Expert Comment

by:Glen Knight
ID: 35115205
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
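
Added example (not part of the original thread): a small Python helper that groups the Warning/Error entries in a winlogon.log debug log by the configuration section they occurred in, so the "Warning 5: Access is denied" from the question can be tied to a specific section. The log layout ("----" section headers, indented findings) is an assumption based on the line quoted in the question, and the sample log text is constructed.

```python
import re
from collections import defaultdict

# Constructed sample of security-policy debug output (winlogon.log).
# Layout is assumed: "----<section>..." headers, indented "Warning N:" / "Error N:" lines.
SAMPLE_LOG = (
    "----Configuration engine was initialized successfully.----\n"
    "----Reading Configuration Template info...\n"
    "----Configure Security Policy...\n"
    "\tWarning 5: Access is denied.\n"
    "\t(constructed detail line) password settings not written\n"
    "\tWarning 5: Access is denied.\n"
    "\t(constructed detail line) lockout settings not written\n"
    "----Configure available attachment engines...\n"
    "\tConfiguration of attachment engines was completed successfully.\n"
)

SECTION = re.compile(r"^----(.+?)(?:\.\.\.|----)\s*$")
FINDING = re.compile(r"^\s+(Warning|Error)\s+(\d+):\s*(.+?)\s*$")

def load_log(path):
    """Read the log as text, handling a UTF-16 BOM if one is present."""
    raw = open(path, "rb").read()
    enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
    return raw.decode(enc, errors="replace")

def findings_by_section(text):
    """Return {section: [(level, win32_code, message, detail), ...]}."""
    result = defaultdict(list)
    section = "(before first section)"
    lines = text.splitlines()
    for i, line in enumerate(lines):
        header = SECTION.match(line)
        if header:
            section = header.group(1).strip()
            continue
        hit = FINDING.match(line)
        if hit:
            # An indented line right after a finding is kept as its detail text.
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            detail = nxt.strip() if nxt[:1].isspace() and not FINDING.match(nxt) else ""
            result[section].append((hit.group(1), int(hit.group(2)), hit.group(3), detail))
    return dict(result)

def access_denied_sections(text):
    """Sections containing Win32 code 5 (access denied), the code behind the 0x5 in event 1202."""
    found = findings_by_section(text)
    return sorted(s for s, items in found.items() if any(i[1] == 5 for i in items))

if __name__ == "__main__":
    for name, items in findings_by_section(SAMPLE_LOG).items():
        print(name, items)
```
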