
Complex password in Domain GPO not applying anywhere.


  • Complex password in Domain GPO not applying anywhere.

    Best get a drink for this one! lol.

    We have just found out that the "Password must meet complexity requirements" setting isn't working on the domain policy. After a lot of investigation we confirmed that the SID is registered as the original domain policy (it's been renamed), that any changes in the USER section are being implemented and other changes in the COMPUTER section also work. Btw, the domain policy is being linked at the domain level.

    Any changes to Account Policies / Password Policy are not being implemented. Enforce password history, maximum password age, minimum password age, minimum password length and Password must meet complexity requirements can all be changed but it doesn't reflect on the user's machine. I receive old value requirements if I manually try and change the password to 2 characters (for example) on the machine, i.e. password must be 6 characters etc. instead of the 8 that I've changed it to.

    Running GPO RSOP indicates that in the COMPUTER section, under Components Status, there is a failure in security. Error states "Security has requested to process its policy settings again." Checked the Policy events and there is an error Event Id : 1202 "security policies were propagated with warning 0x5: Access is denied". I'm just wondering if this is actually more referring to the driver signature part and nothing to do with the password attribs.

    This is a single forest, single domain running in mixed mode 2000 with 3 Domain Controllers all running Windows 2003. We used to be 2 DCs running 2000 and 1 running 2003. All the roles etc. were running on the 2000 DCs and they were decommissioned (roles transferred) to the new 2003 DC servers. This happened a few months back and I'm not sure if this would have played a part.

    Gpresult on the machine (or machines) indicates it's being applied, although we know that because other settings are being changed and being reflected as tests. Double checked other things like dcdiag / replmon just to check all looks well there and it does. I'm really stuck and there could be something stupid I haven't considered. I would be grateful for any help. If you need any information then let me know. Here is the winlogon.log file in the next part of the message (because of length).

  • #2
    Re: Complex password in Domain GPO not applying anywhere.

    Winlogon.log

    Make a local copy of \\DOMAIN\sysvol\DOMAIN\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
    GPLinkDomain GPO_INFO_FLAG_BACKGROUND )

    Process GP template gpt00000.dom.
    -------------------------------------------
    05 November 2009 16:52:29
    Administrative privileged user logged on.
    Parsing template C:\WINDOWS\security\templates\policies\gpt00000.dom.
    Copy undo values to the merged policy.
    ----Configuration engine was initialized successfully.----

    ----Reading Configuration Template info...


    ----Configure Security Policy...
    Start processing undo values for 6 settings.
    There is already an undo value for group policy setting <MinimumPasswordLength>.
    There is already an undo value for group policy setting <PasswordHistorySize>.
    There is already an undo value for group policy setting <MaximumPasswordAge>.
    There is already an undo value for group policy setting <MinimumPasswordAge>.
    There is already an undo value for group policy setting <PasswordComplexity>.
    There is already an undo value for group policy setting <RequireLogonToChangePassword>.
    Configure password information.
    Start processing undo values for 3 settings.
    There is already an undo value for group policy setting <LockoutBadCount>.
    There is already an undo value for group policy setting <ResetLockoutCount>.
    There is already an undo value for group policy setting <LockoutDuration>.

    System Access configuration was completed successfully.
    There is already an undo value for group policy setting <MaximumLogSize>.
    There is already an undo value for group policy setting <AuditLogRetentionPeriod>.
    There is already an undo value for group policy setting <RestrictGuestAccess>.
    There is already an undo value for group policy setting <MaximumLogSize>.
    There is already an undo value for group policy setting <AuditLogRetentionPeriod>.
    There is already an undo value for group policy setting <RestrictGuestAccess>.
    There is already an undo value for group policy setting <MaximumLogSize>.
    There is already an undo value for group policy setting <AuditLogRetentionPeriod>.
    There is already an undo value for group policy setting <RestrictGuestAccess>.
    Configure log settings.
    Start processing undo values for 4 settings.
    There is already an undo value for group policy setting <AuditSystemEvents>.
    There is already an undo value for group policy setting <AuditLogonEvents>.
    There is already an undo value for group policy setting <AuditPolicyChange>.
    There is already an undo value for group policy setting <AuditAccountLogon>.

    Audit/Log configuration was completed successfully.
    Configure machine\software\microsoft\driver signing\policy.
    Warning 5: Access is denied.
    Error configuring machine\software\microsoft\driver signing.
    Configure machine\software\microsoft\non-driver signing\policy.
    There is already an undo value for group policy setting <machine\software\microsoft\non-driver signing\policy>.
    Configure machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning.
    There is already an undo value for group policy setting <machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning>.
    Configure machine\software\microsoft\windows\currentversion\policies\system\disablecad.
    There is already an undo value for group policy setting <machine\software\microsoft\windows\currentversion\policies\system\disablecad>.
    Configure machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername.
    There is already an undo value for group policy setting <machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername>.
    Configure machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon.
    There is already an undo value for group policy setting <machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon>.
    Configure machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers.
    There is already an undo value for group policy setting <machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers>.
    Configure machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown.
    There is already an undo value for group policy setting <machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown>.

    Configuration of Registry Values was completed with one or more errors.


    ----Configure available attachment engines...

    Configuration of attachment engines was completed successfully.


    ----Un-initialize configuration engine...

    this is the last GPO.

    Comment
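An added example, not part of the original posts: a small Python parser that attributes each warning in a winlogon.log like the one above to the `Configure ...` target that precedes it and records the per-area completion status. The sample text is an excerpt of the posted log lines; the function and variable names are assumptions made for this illustration.

```python
import re

# Excerpt of the winlogon.log lines posted above (stray spaces in paths removed).
SAMPLE_LOG = r"""
----Configure Security Policy...
Start processing undo values for 6 settings.
There is already an undo value for group policy setting <MinimumPasswordLength>.
There is already an undo value for group policy setting <PasswordComplexity>.
Configure password information.

System Access configuration was completed successfully.
Configure log settings.

Audit/Log configuration was completed successfully.
Configure machine\software\microsoft\driver signing\policy.
Warning 5: Access is denied.
Error configuring machine\software\microsoft\driver signing.
Configure machine\software\microsoft\non-driver signing\policy.

Configuration of Registry Values was completed with one or more errors.
"""

CONFIGURE = re.compile(r"^Configure (.+)\.$")
WARNING = re.compile(r"^(?:Warning|Error) (\d+): (.+)$")
AREA_OK = re.compile(r"^(.+?) configuration was completed successfully\.$")
AREA_OF = re.compile(
    r"^Configuration of (.+?) was completed (successfully|with one or more errors)\.$")

def analyze(log_text):
    """Return (areas, failures): status per area and (target, code, message) per warning."""
    areas, failures, target = {}, [], None
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := CONFIGURE.match(line):
            target = m.group(1)          # remember what was being configured
        elif m := WARNING.match(line):
            failures.append((target, int(m.group(1)), m.group(2)))
        elif m := AREA_OK.match(line):
            areas[m.group(1)] = "ok"
        elif m := AREA_OF.match(line):
            areas[m.group(1)] = "ok" if m.group(2) == "successfully" else "errors"
    return areas, failures

if __name__ == "__main__":
    areas, failures = analyze(SAMPLE_LOG)
    for name, status in areas.items():
        print(f"{name}: {status}")
    for target, code, message in failures:
        print(f"warning {code} on {target}: {message}")
```

Run over the posted log, the only warning is attached to the driver signing registry value, while the System Access area, under which the log lists the password and lockout settings, is reported as completed successfully.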