Hello group policy guys!
Domain Functioning as 2003 (but has some 2008 DCs on it)
We are having a weird issue where, when we change the max password age in Default Domain Policy, it doesn't change on the domain controllers. On the DCs, using "Group Policy Management Editor" for the domain, I can see it set as 60.
When I open local policy gpedit.msc (local group policy editor), I can see it set up as 30 days. As a matter of fact, all the password settings look almost identical to what's in the "Group Policy Management Editor" for the domain, which is weird. Aren't those two policies completely separate? Did someone go into all our Domain Controllers' Local Policy and change the password settings to match up? Are changes in Group Policy Management Editor for the domain copied into Local Group Policy Editor's settings? Or are they completely separate entities? How did that happen?
Anyway, I ran gpresult /h on the domain controller and found that:
Ah-ha! So then I checked "Security Filtering" under Default Domain Policy and found that the Default Domain Controller Group is not there!
I'm thinking if I add Domain Controllers to the security filtering, I can fix this issue. But I'm a bit nervous that there might be settings in Default Domain Policy that we don't want on domain controllers...