Asked by MMcDonald

GPResult/RSoP reports missing *some* settings from the Default Domain Policy (GPO) on a particular domain controller

Hello Experts!  I have another strange one for ya.  Hope you can help.

While working on my test 2003 AD domain, I noticed something really odd.  I was running the Group Policy Results to compare some settings between the 2 DCs, and I noticed that DC2 is completely missing chunks of settings from the Computer Configuration/Windows Settings/Account Policies section, which are configured within the Default Domain Policy GPO.

The following settings/sections are missing:  Account Policy/Password Policy as well as the Account Lockout Policy.

The only settings/section from the policy that are showing up are the Account Policies/Kerberos Policy settings.

I get the same results if I run the command line GPResult tool, or Group Policy Results from within GPMC.

If I open up the Domain Security Policy mmc snap-in from Administrative Tools on DC2, the settings are configured as they should be.  Unfortunately I'm wondering if this snap-in is just reading the actual Default Domain Policy settings from the GPO.

Additional oddity:  If I disable the Default Domain Policy entirely and GPupdate, the section from that GPO that does show up on DC2 (i.e., Kerberos Policy) goes away, as expected!!  When I re-enable the policy, the Kerberos Policy section of the GPO returns in my GPResults.  It's clear DC2 is processing the policy.  In fact, GPResult does indeed show the policy was applied successfully.

In attempting to fix the problem, I went as far as demoting this DC.  When it was a standard member server on the domain, GPResult showed all settings from the GPO applied!!  I repromoted it as a DC and they went away again except for the Kerberos Policy section!!

What on earth could be causing this?
Windows Server 2003, Active Directory

Last Comment: 8/22/2022 - Mon