sc456a
asked on
Can't Update AD Group Policy Settings
When I view the GPO's settings in Group Policy Management I can see that the Maximum Password Age is set to 90 in the Default Domain Policy GPO. However, when I go to edit the GPO to change it in Computer Configuration>Policies>Windows Settings>Security Settings>Account Policies, Account Policies (and a number of other items) aren't there.
I've been doing some research and someone suggested that this setting may have to be changed on the server it was originally configured on. That server was a DC and has since been retired. The new server, Windows 2012, was just added to the domain as a DC before the old server was retired.
Another interesting wrinkle is that when I try to edit the local GP on the Windows 2012 server that Maximum Password Age setting is there, but it's set to 91 days and grayed out so I can't edit it. I assume that's because the Default Domain Policy is overriding it, but I can't edit that as mentioned above.
Any thoughts on how to resolve this? Thanks!
You will need access to your Domain Controller to make changes to the GPO. After the old DC was retired, which other server was the replacement DC?
ASKER
The 2012 box is the replacement server and the DC. The old server is still listed as a DC and both are also GC.
I would recommend running the Group Policy Results Wizard from within GPMC on your DC and running it against one of your workstations.
This will list all the GPO's that applied to the computer and you can see where the Password setting is set.
This link will illustrate and walk you through the steps.
https://www.petri.com/solving-group-policy-problems-with-the-group-policy-results-wizard
ASKER
Looks like your GPO MMC can't connect to the PDC emulator, maybe a permission issue?
Determine which DC holds the PDC emulator operations masters role via PowerShell: https://technet.microsoft.com/en-us/library/dd378928(v=ws.10).aspx
Also check if your domain has replication problems: open a command prompt and run
repadmin /showrepl>>logfile.txt
and dcdiag /v>>logfile.txt
Review logfile.txt.
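The two checks suggested above (find the operations master role holders, then look for replication failures), as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module is installed and goes beyond the PDC emulator to list all five roles; the function name Get-FsmoHolderStatus and the 3-second LDAP probe are choices made for this example.

```powershell
# Added example. Requires the ActiveDirectory module; run on a DC or an admin workstation.
Import-Module ActiveDirectory

function Get-FsmoHolderStatus {   # hypothetical helper name, not a built-in cmdlet
    $domain = Get-ADDomain
    $forest = Get-ADForest

    # The five operations master roles and the DC that AD currently records as holder.
    $roles = [ordered]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }

    foreach ($role in $roles.GetEnumerator()) {
        # Probe LDAP (TCP 389) instead of ICMP, which is often filtered.
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $reachable = $client.ConnectAsync($role.Value, 389).Wait(3000) -and $client.Connected
        } catch {
            $reachable = $false   # name no longer resolves, or the connection was refused
        } finally {
            $client.Close()
        }
        [pscustomobject]@{
            Role          = $role.Key
            Holder        = $role.Value
            LdapReachable = $reachable
        }
    }
}

$status = Get-FsmoHolderStatus
$status | Format-Table -AutoSize

# A role recorded against a DC that no longer answers is the one to investigate.
$status | Where-Object { -not $_.LdapReachable } |
    ForEach-Object { Write-Warning "$($_.Role) is held by unreachable DC $($_.Holder)" }

# Per-partner replication failures for the domain, the same condition repadmin /showrepl surfaces.
Get-ADReplicationFailure -Target (Get-ADDomain).DNSRoot -Scope Domain |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError |
    Format-Table -AutoSize
```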
ASKER
@Michael - The old server is listed as SchemaMaster and DomainNamingMaster.
The repadmin file shows failures/errors trying to reach the older server.
Looks like I didn't retire the old server properly. What can I do to resolve this? Thanks!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
That worked perfectly, Michael. Thanks!