sc456a

Can't Update AD Group Policy Settings

When I view the GPO's settings in Group Policy Management I can see that the Maximum Password Age is set to 90 in the Default Domain Policy GPO. However, when I go to edit the GPO to change it in Computer Configuration>Policies>Windows Settings>Security Settings>Account Policies, Account Policies (and a number of other items) aren't there.

I've been doing some research and someone suggested that this setting may have to be changed on the server it was originally configured on. That server was a DC and has since been retired. The new server, Windows 2012, was just added to the domain as a DC before the old server was retired.

Another interesting wrinkle is that when I try to edit the local GP on the Windows 2012 server that Maximum Password Age setting is there, but it's set to 91 days and grayed out so I can't edit it. I assume that's because the Default Domain Policy is overriding it, but I can't edit that as mentioned above.

Any thoughts on how to resolve this? Thanks!
Antzs

You will need access to your Domain Controller to make changes to the GPO. After the old DC was retired, which other server was the replacement DC?
sc456a

ASKER

The 2012 box is the replacement server and the DC. The old server is still listed as a DC and both are also GC.

OK, if you want to change the password age globally, you need to open gpedit.msc on the domain controller.

Expand Group Policy Objects
Default Domain Policy

Navigate to Computer configuration
Computer Configuration
    Windows Settings
         Security settings
            Account Policy
               Password Policy


I would recommend running the Group Policy Results Wizard from within GPMC on your DC and running it against one of your workstations.
This will list all the GPOs that applied to the computer and you can see where the Password setting is set.

This link will illustrate and walk you through the steps.
https://www.petri.com/solving-group-policy-problems-with-the-group-policy-results-wizard
sc456a

ASKER

I already know which GPO has the settings - the Default Domain Policy. When I edit it, they aren't available. See screenshots below.

Looks like your GPO MMC can't connect to the PDC emulator, maybe a permission issue?

Determine which DC holds the PDC emulator operations master role via PowerShell: https://technet.microsoft.com/en-us/library/dd378928(v=ws.10).aspx

Also check if your domain has replication problems. Open a command prompt and run

    repadmin /showrepl>>logfile.txt

and

    dcdiag /v>>logfile.txt

Review logfile.txt.
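
The role-holder check suggested above, as an added example that is not part of the original post: it lists all five operations master role holders, not only the PDC emulator, and tests whether each one still answers on LDAP port 389. It assumes the ActiveDirectory PowerShell module is installed and the session is domain-joined; `Test-TcpPort` and `Get-FsmoHolderStatus` are hypothetical helper names.

```powershell
# Added example: list every FSMO role holder and test whether it still answers.
# Assumes the ActiveDirectory module (RSAT / AD DS tools) and PowerShell 3.0+.
Import-Module ActiveDirectory

# Hypothetical helper: TCP connect with a timeout, so a retired DC that no
# longer resolves or responds returns $false instead of hanging.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false   # name did not resolve, or the connection was refused
    } finally {
        $client.Close()
    }
}

# Hypothetical helper: one row per role with its current holder and status.
function Get-FsmoHolderStatus {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $roles = [ordered]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
    foreach ($role in $roles.Keys) {
        [pscustomobject]@{
            Role          = $role
            Holder        = $roles[$role]
            LdapReachable = Test-TcpPort -ComputerName $roles[$role] -Port 389
        }
    }
}

Get-FsmoHolderStatus | Format-Table -AutoSize
```

A role whose holder shows `LdapReachable` as False is still assigned to a DC that is no longer serving the directory, which matches the replication failures that repadmin reports against that server.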
sc456a

ASKER

@Michael - The old server is listed as SchemaMaster and DomainNamingMaster.

The repadmin file shows failures/errors trying to reach the older server.

Looks like I didn't retire the old server properly. What can I do to resolve this? Thanks!
ASKER CERTIFIED SOLUTION
Michael Pfister
sc456a

ASKER

That worked perfectly, Michael. Thanks!