Default domain Password Policy did not propagate properly on a Domain Controller

Posted on 2011-05-10
Last Modified: 2012-08-13
We change the default domain password policy and for some reason it is not working.  GPresult shows applied successfully.  Checked the application log on a domain controller and recieved this error:
Event ID: 1202
Security policies were propagated with warning. 0x5 : Access is denied.

Advanced help for this problem is available on Query for "troubleshooting 1202 events".

For more information, see Help and Support Center at
Question by:mjm21
    LVL 5

    Expert Comment

    In older servers they had an issue when the "File Replication Service" had the wrong security settings. Check and see if System and Administrators groups have Full Control permissions. You can also reset the permissions on FRS:
    To reset security on the FRS:

    Navigate to the following policy in the Group Policy object (GPO) where security has been set on the FRS:
    Computer Configuration\Windows Settings\Security Settings\System Services
    Right-click File Replication Service and click Security.
    Give the System and Administrators groups Full Control permissions.
    Verify that the edited policy has been replicated to all domain controllers.
    Start Registry Editor.
    Locate and click the following registry key:
    Export and backup Security subkey.
    Delete the Security subkey.
    Restart the computer
    LVL 37

    Expert Comment

    by:Adam Brown
    Run RSOP.msc on the Domain controller to view the errors and see which GPO is not being applied. Once you know which one isn't being applied, you can then modify the security filtering of the GPO so it is applied. Error 1202 simply says a GPO wasn't processed, but it won't tell you which one. Your password policies may be propogating normally.
    LVL 21

    Expert Comment

    by:Joseph Moody
    Do you have blocked inhertience on your domain controller OU?

    Author Comment

    Unfortunately, none of these apply.  Very wierd.
    LVL 5

    Expert Comment

    If you completely sure you have admin rights on the account you are using and still getting a "access denied" its cause you have the wrong security settings on your files/folders, services and or registry.
    You can also try to change "access this computer from the network" policy in computer configuration\windows settings\security settings\local policies\user rights assignment and set it to "not configured" in the default domain policy

    Accepted Solution

    We fixed the solution.  The domain controllers were running the Quest InTrust services and block Default Domain Policy changes.  Disabled the product and DDP ran successfully.

    Author Closing Comment

    This fixed the solution and removed the security error.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    What Should I Do With This Threat Intelligence?

    Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

    As network administrators; we know how hard it is to track user’s login/logout using security event log (BTW it is harder now in windows 2008 because user name is always “N/A” in the grid), and most of us either get 3rd party tools, or just make our…
    Companies that have implemented Microsoft’s Active Directory need to ensure that the Active Directory is configured and operating properly. If there are issues found and not resolved, it eventually leads the components to fail or stop working and fi…
    This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

    758 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    13 Experts available now in Live!

    Get 1:1 Help Now