
Default domain Password Policy did not propagate properly on a Domain Controller

We changed the default domain password policy and for some reason it is not working. GPresult shows it applied successfully. Checked the application log on a domain controller and received this error:
Event ID: 1202
Security policies were propagated with warning. 0x5 : Access is denied.

Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
vguzman (IT Manager) commented:
In older servers they had an issue when the "File Replication Service" had the wrong security settings. Check and see if System and Administrators groups have Full Control permissions. You can also reset the permissions on FRS:
To reset security on the FRS:

Navigate to the following policy in the Group Policy object (GPO) where security has been set on the FRS:
Computer Configuration\Windows Settings\Security Settings\System Services
Right-click File Replication Service and click Security.
Give the System and Administrators groups Full Control permissions.
Verify that the edited policy has been replicated to all domain controllers.
Start Registry Editor.
Locate and click the following registry key:
Export and backup Security subkey.
Delete the Security subkey.
Restart the computer
Adam Brown (Sr Solutions Architect) commented:
Run RSOP.msc on the domain controller to view the errors and see which GPO is not being applied. Once you know which one isn't being applied, you can then modify the security filtering of the GPO so it is applied. Error 1202 simply says a GPO wasn't processed, but it won't tell you which one. Your password policies may be propagating normally.
Joseph Moody (Blogger and wearer of all hats) commented:
Do you have blocked inheritance on your domain controller OU?
mjm21 (Author) commented:
Unfortunately, none of these apply. Very weird.
vguzman (IT Manager) commented:
If you are completely sure you have admin rights on the account you are using and are still getting an "access denied", it's because you have the wrong security settings on your files/folders, services and/or registry.
You can also try to change the "access this computer from the network" policy in computer configuration\windows settings\security settings\local policies\user rights assignment and set it to "not configured" in the default domain policy.
mjm21 (Author) commented:
We fixed the solution. The domain controllers were running the Quest InTrust services, which block Default Domain Policy changes. Disabled the product and DDP ran successfully.
mjm21 (Author) commented:
This fixed the solution and removed the security error.
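
The checks suggested across this thread can be gathered in one read-only pass on a domain controller. The script below is an added example, not something posted by any participant; it assumes the ActiveDirectory and GroupPolicy RSAT modules are installed, and the `*InTrust*` display-name pattern is an assumption about how the agent's services are named.

```powershell
# Added example: read-only triage for Event ID 1202 on a domain controller.
# Run from an elevated session. Nothing here changes policy or permissions.
Import-Module ActiveDirectory, GroupPolicy

$domain = Get-ADDomain

# 1. Most recent 1202 warnings logged by the security configuration client (SceCli).
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'SceCli'
    Id           = 1202
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# 2. Is inheritance blocked on the Domain Controllers OU, and which GPOs
#    actually reach it (in processing order)?
$inh = Get-GPInheritance -Target $domain.DomainControllersContainer
'Inheritance blocked on {0}: {1}' -f $inh.Path, $inh.GpoInheritanceBlocked
$inh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize

# 3. Password policy actually stored on the domain object. If this still shows
#    the old values, the edited Default Domain Policy has not been applied,
#    whatever gpresult reports.
Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot |
    Select-Object MinPasswordLength, PasswordHistoryCount, ComplexityEnabled,
                  MinPasswordAge, MaxPasswordAge, LockoutThreshold | Format-List

# 4. Security descriptor (SDDL) currently set on the File Replication Service,
#    to compare against the expected Full Control for System and Administrators.
sc.exe sdshow NtFrs

# 5. Third-party agents that can intercept policy changes. The thread's root
#    cause was Quest InTrust; the display-name pattern is an assumption.
Get-Service -DisplayName '*InTrust*' -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status, StartType | Format-Table -AutoSize
```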