Complex password in Domain GPO not applying anywhere.

  #1  
Old 08-11-2009
Member
Complex password in Domain GPO not applying anywhere.

Best get a drink for this one! lol.

We have just found out that the "Password must meet complexity requirements" setting isn’t working on the domain policy. After a lot of investigation we confirmed that the SID is registered as the original domain policy (it’s been renamed), that any changes in the USER section are being implemented and that other changes in the COMPUTER section also work. BTW, the domain policy is linked at the domain level.

Any changes to Account Policies / Password Policy are not being implemented. Enforce password history, maximum password age, minimum password age, minimum password length and Password must meet complexity requirements can all be changed, but it doesn’t reflect on the users' machines. I receive the old value requirements if I manually try to change the password to 2 characters (for example) on the machine, i.e. password must be 6 characters etc., instead of the 8 I've changed it to.

Running GPO RSOP indicates that in the COMPUTER section, under Component Status, there is a failure in security. The error states “Security has requested to process its policy settings again.” I checked the Policy events and there is an error, Event ID 1202: “security policies were propagated with warning 0x5: Access is denied”. I’m just wondering if this is actually more referring to the driver signature part and nothing to do with the password attributes.

This is a single forest, single domain running in Windows 2000 mixed mode with 3 Domain Controllers all running Windows 2003. We used to have 2 DCs running 2000 and 1 running 2003. All the roles etc. were on the 2000 DCs and they were decommissioned (roles transferred) to the new 2003 DC servers. This happened a few months back and I’m not sure if this would have played a part.

Gpresult on the machine (or machines) indicates it’s being applied, although we know that anyway because other settings are being changed and reflected in tests. I double-checked other things like dcdiag / replmon just to check all looks well there, and it does. I’m really stuck and there could be something stupid I haven’t considered. Any help would be appreciated. If you need any information then let me know. Here is the winlogon.log:

Winlogon.log

Make a local copy of \\DOMAIN\sysvol\DOMAIN\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )

Process GP template gpt00000.dom.
-------------------------------------------
05 November 2009 16:52:29
Administrative privileged user logged on.
Parsing template C:\WINDOWS\security\templates\policies\gpt00000.dom.
Copy undo values to the merged policy.
----Configuration engine was initialized successfully.----

----Reading Configuration Template info...


----Configure Security Policy...
Start processing undo values for 6 settings.
There is already an undo value for group policy setting <MinimumPasswordLength>.
There is already an undo value for group policy setting <PasswordHistorySize>.
There is already an undo value for group policy setting <MaximumPasswordAge>.
There is already an undo value for group policy setting <MinimumPasswordAge>.
There is already an undo value for group policy setting <PasswordComplexity>.
There is already an undo value for group policy setting <RequireLogonToChangePassword>.
Configure password information.
Start processing undo values for 3 settings.
There is already an undo value for group policy setting <LockoutBadCount>.
There is already an undo value for group policy setting <ResetLockoutCount>.
There is already an undo value for group policy setting <LockoutDuration>.

System Access configuration was completed successfully.
There is already an undo value for group policy setting <MaximumLogSize>.
There is already an undo value for group policy setting <AuditLogRetentionPeriod>.
There is already an undo value for group policy setting <RestrictGuestAccess>.
There is already an undo value for group policy setting <MaximumLogSize>.
There is already an undo value for group policy setting <AuditLogRetentionPeriod>.
There is already an undo value for group policy setting <RestrictGuestAccess>.
There is already an undo value for group policy setting <MaximumLogSize>.
There is already an undo value for group policy setting <AuditLogRetentionPeriod>.
There is already an undo value for group policy setting <RestrictGuestAccess>.
Configure log settings.
Start processing undo values for 4 settings.
There is already an undo value for group policy setting <AuditSystemEvents>.
There is already an undo value for group policy setting <AuditLogonEvents>.
There is already an undo value for group policy setting <AuditPolicyChange>.
There is already an undo value for group policy setting <AuditAccountLogon>.

Audit/Log configuration was completed successfully.
Configure machine\software\microsoft\driver signing\policy.
Warning 5: Access is denied.
Error configuring machine\software\microsoft\driver signing.
Configure machine\software\microsoft\non-driver signing\policy.
There is already an undo value for group policy setting <machine\software\microsoft\non-driver signing\policy>.
Configure machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning.
There is already an undo value for group policy setting <machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning>.
Configure machine\software\microsoft\windows\currentversion\policies\system\disablecad.
There is already an undo value for group policy setting <machine\software\microsoft\windows\currentversion\policies\system\disablecad>.
Configure machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername.
There is already an undo value for group policy setting <machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername>.
Configure machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon.
There is already an undo value for group policy setting <machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon>.
Configure machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers.
There is already an undo value for group policy setting <machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers>.
Configure machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown.
There is already an undo value for group policy setting <machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown>.

Configuration of Registry Values was completed with one or more errors.


----Configure available attachment engines...

Configuration of attachment engines was completed successfully.


----Un-initialize configuration engine...

this is the last GPO.
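
As an added example (not part of the original post), this PowerShell script triages a SceCli winlogon.log like the one above: it attaches every Warning/Error line to the last "Configure ..." step that preceded it and lists the per-area completion lines, which makes it visible that the 0x5 belongs to the registry-values step (driver signing) while the System Access step that carries the password and lockout settings completed. The default log path is an assumption; the built-in sample is constructed from the lines quoted in the post.

```powershell
# Added example, not from the thread. Triage a SceCli winlogon.log:
# attach every Warning/Error line to the last "Configure ..." step and
# collect the per-area completion lines. Default log path is assumed.
param([string]$LogPath = "$env:SystemRoot\security\logs\winlogon.log")

# Constructed sample built from the lines quoted in the post; used when no log exists.
$sample = @'
----Configure Security Policy...
Configure password information.
System Access configuration was completed successfully.
Audit/Log configuration was completed successfully.
Configure machine\software\microsoft\driver signing\policy.
Warning 5: Access is denied.
Error configuring machine\software\microsoft\driver signing.
Configuration of Registry Values was completed with one or more errors.
----Configure available attachment engines...
Configuration of attachment engines was completed successfully.
'@

$lines = if (Test-Path -Path $LogPath) { Get-Content -Path $LogPath } else { $sample -split "`r?`n" }

$step     = '(start)'
$problems = @()
$areas    = @()
foreach ($line in $lines) {
    # "Configure X." lines mark the step that any following warning/error belongs to.
    if ($line -match '^Configure (.+)\.$') { $step = $Matches[1]; continue }
    if ($line -match '^(Warning|Error) \d+:|^Error configuring ') {
        $problems += '{0}  <-  {1}' -f $line, $step
        continue
    }
    if ($line -match 'was completed (successfully|with one or more errors)\.$') { $areas += $line }
}

'Area results:'
$areas | ForEach-Object { "  $_" }
'Problem lines (with the step they belong to):'
$problems | ForEach-Object { "  $_" }

# Password/lockout settings live in the System Access area. If it completed
# successfully, the 0x5 reported by event 1202 is not what blocked them.
$sysAccessOk = [bool]($lines -match '^System Access configuration was completed successfully')
"System Access (password/lockout) step completed: $sysAccessOk"
```

Run it on a DC with no argument to read the real log, or pass -LogPath to point it at a copy taken from a client.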
  #2  
Old 08-11-2009
Ace Fekay [MCT]
Re: Complex password in Domain GPO not applying anywhere.

Basically for a password policy to work, the domain needs to be in at least
Native mode. For more info, please read the following.

Event ID 1000 and event ID 1202 are logged to the event log every five
minutes in Windows 2000 Server
http://support.microsoft.com/kb/319352

If it still doesn't work after changing it to Native mode, then it appears
there may have been a security policy placed (either through Security and
Analysis, or a template was imported to the domain policy), or some other
method was used to alter or create policies. Read the following, if this is
the case.

Group Policy Is Not Applied and You Receive No Error Message
http://support.microsoft.com/kb/310741

Read the following for more possibilities if the above are not helpful.
http://eventid.net/display.asp?event...SceCli&phase=1

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
  #3  
Old 08-11-2009
Member
Re: Complex password in Domain GPO not applying anywhere.

Ace - I appreciate your time to answer my query. I just wanted to check with you on one thing though. We have just Server 2003 DCs now... there are no 2000 DCs anymore. Do you think the password part of the issue is related to the domain mode we are in? I don't recall reading any documentation or white papers to say that password policies won't work unless we are above mixed mode - is it online? Very annoying if that is the reason why it is not working.

I know I can write off this issue http://support.microsoft.com/kb/310741 as I had already opened up Gptxxxxx.inf and/or Gptxxxxx.dom on one machine to confirm the settings are being replicated there.

Again, thanks for your reply on this.

Last edited by Loopz : 08-11-2009 at 05:53 PM.
  #4  
Old 08-11-2009
Meinolf Weber [MVP-DS]
Re: Complex password in Domain GPO not applying anywhere.

Hello Loopz,

As you can see the issues described in the articles posted by Ace in
your domain, I would follow the steps as described to resolve them.

Also, if you don't have any earlier OS DCs, you should also raise, AFTER changing
to mixed mode and checking that all errors are gone, the next level to Windows
Server 2003 level.

Best regards
  #5  
Old 08-11-2009
Ace Fekay [MCT]
Re: Complex password in Domain GPO not applying anywhere.

Absolutely. Read Meinolf's response. If you no longer have any NT4 BDCs,
raise the levels.


The articles I posted are online and indicate this. It is indicated in one
of the AD design or migration cookbooks. I would have to dig it up, but the
tech article I posted should be taken as authentic from Microsoft indicating
this is the problem.
  #6  
Old 09-11-2009
Member
Re: Complex password in Domain GPO not applying anywhere.

Appreciate your responses. I'm always looking to swot up on white papers that are appropriate, and they always help me push downtime by using documentation of known problems. So thanks for responding to that question.

Bad news though. We are now in Native mode and we still can't apply password security settings. The GPTxxxxx.dom has the settings on one of the test machines I am using, so I know they are being copied to the machine... just not applied.

I could work to take the mode to W2K3 but I have doubts this will make a difference.

One of the links sounds very legit, but in order to find out what document M284461 says I will need to subscribe! Here is the explanation... anyone have any idea what M284461 states please?

Error code 0x5 (decimal 5) - Access is denied. This issue occurs because of the locked-down security that was originally set on the FRS through Group Policy. When you attempt to configure the FRS through Group Policy, the policy engine no longer has the permission to set security on the FRS and does not attempt to take ownership of the FRS. See M284461 for resolution.
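
The gap Loopz describes (the settings are present in the GPT on the client but nobody is held to them) is the gap between what SYSVOL says and what the domain object actually holds: the password and lockout policy users are really measured against is the one the PDC emulator wrote into the domain head, which is what Get-ADDefaultDomainPasswordPolicy reads back. As an added example, not from the thread, this PowerShell compares the [System Access] section of the Default Domain Policy's GptTmpl.inf (the SYSVOL path quoted in the first post, with the domain name substituted) with that effective policy. It assumes a domain-joined machine with the RSAT ActiveDirectory module.

```powershell
# Added example, not from the thread. Compare the password/lockout settings in
# the Default Domain Policy's GptTmpl.inf (SYSVOL) with the policy the domain
# actually enforces. Assumes the RSAT ActiveDirectory module is available.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
# Well-known GUID of the Default Domain Policy, as quoted in the winlogon.log above.
$gpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
$infPath = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\$gpoGuid" +
           '\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'

# Parse only the [System Access] section of the INF (key = value lines).
$sysAccess = @{}
$inSection = $false
foreach ($line in Get-Content -Path $infPath) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $sysAccess[$Matches[1]] = $Matches[2] }
}

# What the domain head object holds (minPwdLength, pwdProperties, lockoutThreshold, ...),
# i.e. what a user is really held to when changing a password. Only the PDC emulator
# writes these, so a mismatch here points at policy application on that DC, not SYSVOL.
$eff = Get-ADDefaultDomainPasswordPolicy

# INF ages are whole days (-1 = never); the cmdlet exposes TimeSpans.
$checks = @(
    @{ Inf = 'MinimumPasswordLength'; Eff = $eff.MinPasswordLength },
    @{ Inf = 'PasswordHistorySize';   Eff = $eff.PasswordHistoryCount },
    @{ Inf = 'MaximumPasswordAge';    Eff = [int]$eff.MaxPasswordAge.TotalDays },
    @{ Inf = 'MinimumPasswordAge';    Eff = [int]$eff.MinPasswordAge.TotalDays },
    @{ Inf = 'PasswordComplexity';    Eff = [int]$eff.ComplexityEnabled },
    @{ Inf = 'LockoutBadCount';       Eff = $eff.LockoutThreshold }
)

foreach ($c in $checks) {
    $infVal = if ($sysAccess.ContainsKey($c.Inf)) { $sysAccess[$c.Inf] } else { '(not set)' }
    $state  = if ("$infVal" -eq "$($c.Eff)") { 'OK' } else { 'MISMATCH' }
    '{0,-22} SYSVOL={1,-10} Effective={2,-6} {3}' -f $c.Inf, $infVal, $c.Eff, $state
}
```

A MISMATCH on every row while the INF reads back the intended values is exactly the symptom in this thread: replication delivered the template, but the account policy was never written to the domain.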
  #7  
Old 09-11-2009
Ace Fekay [MCT]
Re: Complex password in Domain GPO not applying anywhere.

Actually you don't have to subscribe. Just like Techarena, you don't have to
subscribe.

For the M numbers in eventid.net, they are simply pointers to Microsoft KB
articles. Remove the M, and place the number as such in the following link
to get the KB:

Event ID 1000 and Event ID 1202 Messages Are Reported When You Set Security
on the File Replication Service by Using Group Policy
http://support.microsoft.com/kb/284461

As for techarena, they pull and push posts from the free Microsoft public
newsgroups. This newsgroup is actually called
"microsoft.public.windows.server.active_directory." You can use Windows Mail
or Outlook Express, configure a News account, point it to
news.microsoft.com, go through the 2200 newsgroups and pick
microsoft.public.windows.server.active_directory (in alphabetical order),
and away you go! Lots more features than techarena, and you can remain
anonymous.

Ace
  #8  
Old 09-11-2009
Member
Alas, that link is geared towards 2000 and is not resolving my issues.
It's quite weird that I no longer have any access error messages on any new machines I test, but again no password policy is applying.

Should I recreate/restore the domain policy and start afresh?


Just to make sure DNS configuration and other factors are correct, please
post an ipconfig /all from one of the DCs and one of the client machines.
  #9  
Old 11-11-2009
Member
Re: Complex password in Domain GPO not applying anywhere.

Weird, I never wrote:

Just to make sure DNS configuration and other factors are correct, please
post an ipconfig /all from one of the DCs and one of the client machines


I'm guessing the forum messed up there and this is a reply from someone. So here is the information below:

Windows IP Configuration - Domain Controller

Host Name . . . . . . . . . . . . : SERVER
Primary Dns Suffix . . . . . . . : xxxx.xxxx.xxxx
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : xxxx.xxxx.xxxx
xxxx.xxxx

Ethernet adapter Redditch Static:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
Physical Address. . . . . . . . . : 00-22-19-92-82-E5
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.100.2.223
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.100.2.1
DNS Servers . . . . . . . . . . . : 10.100.2.223
10.100.2.247



Windows IP Configuration - Client

Host Name . . . . . . . . . . . . : Client
Primary Dns Suffix . . . . . . . : xxxx.xxxx.xxxx
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : xxxx.xxxx.xxxx
xxxx.xxxx.xxxx
xxxxx.xxxxx



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . : xxxx.xxxx.xxxx
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : 00-1C-23-4F-30-B1
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.100.4.234
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.100.4.1
DHCP Server . . . . . . . . . . . : 10.100.2.247
DNS Servers . . . . . . . . . . . : 10.100.2.223
10.100.2.247
Lease Obtained. . . . . . . . . . : 11 November 2009 08:27:04
Lease Expires . . . . . . . . . . : 12 November 2009 08:27:04



Ethernet adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Intel(R) PRO/Wireless 3945ABG Network Connection
Physical Address. . . . . . . . . : 00-1F-3C-59-74-B5

What do you think about recreating the domain policy from fresh?
  #10  
Old 11-11-2009
Ace Fekay [MCT]
Re: Complex password in Domain GPO not applying anywhere.

The ipconfigs look fine, as long as the Primary DNS Suffix matches the
domain name and the zone name in DNS. Thanks for posting them.

Yes, at this point, it may be prudent to do that. Make sure you have a
system state backup before proceeding. Do you have the links to show you how
to recreate the GPO?

Here are some links that may also be helpful to troubleshoot GPOs.

Fixing Group Policy problems by using log files
http://technet.microsoft.com/en-us/l.../cc775423.aspx

Enable Logging for Group Policy Object Editor Client Side Extensions
http://technet.microsoft.com/en-us/l.../cc759167.aspx

Troubleshooting Group Policy application problems
http://support.microsoft.com/kb/250842

Enable Verbose Global Policy Logging
http://www.windowsnetworking.com/kba...cyLogging.html

JSI Tip 3100. How do I enable Group Policy debug logging on a Windows 2000
Server?
http://windowsitpro.com/article/arti...00-server.html

Logging user logon events.
If you want to keep track of user logon and logoff events to the domain:
http://msmvps.com/blogs/richardwu/ar...gon-event.aspx