Announcement

Collapse
No announcement yet.

Default domain Policy not working ...

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Default domain Policy not working ...

    Hi..

    I am facing ome unknown Issue in Group Policy....

    I had created a test lab for some company testing ,actually i am having having Child Domain Controller in my company what i had done ,i had remove that CDC from my existing network & put that server in separte LAN with some existing users & now what problem i am facing recently that the default domain policy set for account lockout treshold is 3 attempt ,but when i am checking on XP machine than user lockout is happening in 5 attempt .

    I had check through RSOP it is showing me DDC policy ....but accout is lockout in 5 attempt.

    Also i had created new OU & move some users & computer to that OU with block inheritant poilcy & than define account lockout threshold to 3 but still the same user account is lockout in 5 attempt .Same is check with GPupdate /force ,gpupdate /result , on client worksation policy is reflecting but
    it is not implementing.........

    plzzzz..... suggest............!!!!!!!!!

    My server configuration : windows 2003 with SP2
    Worksation : windows XP SP3

  • #2
    Re: Default domain Policy not working ...

    Account policies (passwords and lockouts) will only apply if defined at the domain level, so your behaviour in the OU is as expected.

    Since the policies apply to computers, not users, a computer in the parent domain with users in the child domain will pick up the parent settings, even if currently disconnected from the parent domain itself.

    So as far as I can see, everything is working as it should
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    Comment


    • #3
      Re: Default domain Policy not working ...

      But My concern is this that i had no where define the 5 attempt than from where it is picking ....any tool or any work around to find this...........

      Comment


      • #4
        Re: Default domain Policy not working ...

        Put the computer in the child domain, then define password settings in a policy linked to the child domain (not a site or OU)
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **

        Comment


        • #5
          Re: Default domain Policy not working ...

          Same is applied already but result is the same..... actually i need some tool which find out from where worksation are getting account threshold attempt.

          Comment


          • #6
            Re: Default domain Policy not working ...

            Use RSoP / GP Result
            Tom Jones
            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
            PhD, MSc, FIAP, MIITT
            IT Trainer / Consultant
            Ossian Ltd
            Scotland

            ** Remember to give credit where credit is due and leave reputation points where appropriate **

            Comment


            • #7
              Re: Default domain Policy not working ...

              i had check through this also & result it is showing me of that policy which i had applied(3 attempt) but instead of that workstation is taking 5 attempt lockout....

              Comment


              • #8
                Re: Default domain Policy not working ...

                On the dc that is in the same domain as the Windows xp test computer, run this command:
                dsquery server -hasfsmo pdc

                Does the command return the name of a DC??
                If not the dc holding the PDC-emulator rol is missing in the domain. While it should be present to enforce user account policies for the domain users!


                \Rems

                This posting is provided "AS IS" with no warranties, and confers no rights.

                __________________

                ** Remember to give credit where credit's due **
                and leave Reputation Points for meaningful posts

                Comment

                Working...
                X