troubleshooting Question

GPResult/RSoP reports missing *some* settings from the Default Domain Policy (GPO) on a particular domain controller

MMcDonald asked on
Windows Server 2003, Active Directory
Hello Experts!  I have another strange one for ya.  Hope you can help.

While working on my test 2003 AD domain, I noticed something really odd.  I was running the Group Policy Results to compare some settings between the 2 DCs, and I noticed that DC2 is completely missing chunks of settings from the Computer Configuration/Windows Settings/Account Policies section, which are configured within the Default Domain Policy GPO.

The following settings/sections are missing:  Account Policy/Password Policy as well as the Account Lockout Policy.

The only settings/section from the policy that are showing up are the Account Policies/Kerberos Policy settings.

I get the same results if I run the command line GPResult tool, or Group Policy Results from within GPMC.

If I open up the Domain Security Policy mmc snap-in from Administrative Tools on DC2, the settings are configured as they should be.  Unfortunately I'm wondering if this snap-in is just reading the actual Default Domain Policy settings from the GPO.

Additional oddity:  If I disable the Default Domain Policy entirely and GPupdate, the section from that GPO that does show up on DC2 (i.e., Kerberos Policy) goes away, as expected!!  When I re-enable the policy, the Kerberos Policy section of the GPO returns in my GPResults.  It's clear DC2 is processing the policy.  In fact, GPResult does indeed show the policy was applied successfully.

In attempting to fix the problem, I went as far as demoting this DC.  When it was a standard member server on the domain, GPResult showed all settings from the GPO applied!!  I repromoted it as a DC and they went away again except for the Kerberos Policy section!!

What on earth could be causing this?