

Default domain Password Policy did not propagate properly on a Domain Controller

Posted on 2011-05-10
Medium Priority
Last Modified: 2012-08-13
We changed the default domain password policy and for some reason it is not working.  GPresult shows applied successfully.  Checked the application log on a domain controller and received this error:
Event ID: 1202
Security policies were propagated with warning. 0x5 : Access is denied.

Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Question by:mjm21

Expert Comment

ID: 35731023
In older servers they had an issue when the "File Replication Service" had the wrong security settings. Check and see if System and Administrators groups have Full Control permissions. You can also reset the permissions on FRS:
To reset security on the FRS:

Navigate to the following policy in the Group Policy object (GPO) where security has been set on the FRS:
Computer Configuration\Windows Settings\Security Settings\System Services
Right-click File Replication Service and click Security.
Give the System and Administrators groups Full Control permissions.
Verify that the edited policy has been replicated to all domain controllers.
Start Registry Editor.
Locate and click the following registry key:
Export and backup Security subkey.
Delete the Security subkey.
Restart the computer
LVL 43

Expert Comment

by:Adam Brown
ID: 35731372
Run RSOP.msc on the Domain controller to view the errors and see which GPO is not being applied. Once you know which one isn't being applied, you can then modify the security filtering of the GPO so it is applied. Error 1202 simply says a GPO wasn't processed, but it won't tell you which one. Your password policies may be propagating normally.
LVL 22

Expert Comment

by:Joseph Moody
ID: 35731674
Do you have blocked inheritance on your domain controller OU?


Author Comment

ID: 35739303
Unfortunately, none of these apply.  Very weird.

Expert Comment

ID: 35739420
If you are completely sure you have admin rights on the account you are using and are still getting an "access denied", it's because you have the wrong security settings on your files/folders, services and/or registry.
You can also try to change the "access this computer from the network" policy in computer configuration\windows settings\security settings\local policies\user rights assignment and set it to "not configured" in the default domain policy.

Accepted Solution

mjm21 earned 0 total points
ID: 35778932
We fixed the solution.  The domain controllers were running the Quest InTrust services and blocked Default Domain Policy changes.  Disabled the product and DDP ran successfully.

Author Closing Comment

ID: 35810080
This fixed the solution and removed the security error.
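
A check for the situation in this thread, where GPresult reports success but the password policy never takes effect, added here as an example and not posted by anyone in the thread. It compares what the Default Domain Policy GPO asks for with what the domain actually enforces, then lists recent 1202 "Access is denied" events per domain controller. It assumes the ActiveDirectory PowerShell module, read access to SYSVOL, and rights to read the Application log remotely.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module,
# read access to SYSVOL and remote Application-log read rights on each DC.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator

# Security template of the Default Domain Policy GPO (well-known GUID).
$inf = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\" +
       '{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'

# Settings the GPO asks for. A setting the GPO does not define stays $null.
$wanted = @{}
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^\s*(MinimumPasswordLength|PasswordHistorySize)\s*=\s*(\d+)') {
        $wanted[$Matches[1]] = [int]$Matches[2]
    }
}

# Settings actually in force on the domain, read from the PDC emulator.
$actual = Get-ADDefaultDomainPasswordPolicy -Server $pdc
@(
    [pscustomobject]@{ Setting = 'MinimumPasswordLength'
                       Gpo     = $wanted['MinimumPasswordLength']
                       Domain  = $actual.MinPasswordLength }
    [pscustomobject]@{ Setting = 'PasswordHistorySize'
                       Gpo     = $wanted['PasswordHistorySize']
                       Domain  = $actual.PasswordHistoryCount }
) | Select-Object *, @{ n = 'Match'; e = { $_.Gpo -eq $_.Domain } } |
    Format-Table -AutoSize

# Event 1202 (source SceCli) with error 0x5 from the last day, per DC.
$filter = @{ LogName = 'Application'; ProviderName = 'SceCli'; Id = 1202
             StartTime = (Get-Date).AddDays(-1) }
foreach ($dc in Get-ADDomainController -Filter *) {
    $hits = @(Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter `
                  -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match '0x5' })
    [pscustomobject]@{
        DomainController = $dc.HostName
        Denied1202Count  = $hits.Count
        Latest           = ($hits | Select-Object -First 1).TimeCreated
    }
}
```

A `Match` of False together with a non-zero `Denied1202Count` means the GPO was delivered but something on the domain controller stopped the security settings from being written.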


Question has a verified solution.
