We help IT Professionals succeed at work.
Get Started

GPResult/RSoP reports missing *some* settings from the Default Domain Policy (GPO) on a particular domain controller

5,401 Views
Last Modified: 2012-06-21
Hello Experts!  I have another strange one for ya.  Hope you can help.

While working on my test 2003 AD domain, I noticed something really odd.  I was running the Group Policy Results to compare some settings between the 2 DCs, and I noticed that DC2 is completely missing chunks of settings from the Computer Configuration/Windows Settings/Account Policies section, which are configured within the Default Domain Policy GPO.

The following settings/sections are missing:  Account Policy/Password Policy as well as the Account Lockout Policy.

The only settings/section from the policy that are showing up, are the Account Policies/Kerberos Policy settings.

I get the same results if I run the command line GPResult tool, or Group Policy Results from within GPMC.

If I open up the Domain Security Policy mmc snap-in from Administrative Tools on DC2, the settings are configured as they should be.  Unfortunately I'm wondering if this snap-in is just reading the actual Default Domain Policy settings from the GPO.

Additional oddity:  If I disable the Default Domain Policy entirely and GPupdate, the section from that GPO that does show up on DC2 (i.e., Kerberos Policy) goes away, as expected!!  When I re-enable the policy, the Kerberos Policy section of the GPO returns in my GPResults.  It's clear DC2 is processing the policy.  In fact, GPResult does indeed show the policy was applied successfully.

In attempting to fix the problem, I went as far as demoting this DC.  When it was a standard member server on the domain, GPResult showed all settings from the GPO applied!!  I repromoted it as a DC and they went away again except for the Kerberos Policy section!!

What on earth could be causing this?
Comment
Watch Question
Cloud Security Consultant
CERTIFIED EXPERT
Top Expert 2010
Commented:
This problem has been solved!
Unlock 2 Answers and 12 Comments.
See Answers
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE