Re: Complex password in Domain GPO not applying anywhere.

 
 
Ace Fekay [MCT]
Guest
Posts: n/a

 
      11-08-2009

"Loopz" <> wrote in message
news:...
>
> Best get a drink for this one! lol.
>
> We have just found out that "Password must meet complexity
> requirements" isn’t working on the domain policy. After a lot of
> investigation we confirmed that the SID is registered as the original
> domain policy (it’s been renamed), that any changes in the USER section
> are being implemented and other changes in the COMPUTER section also
> work. BTW, the domain policy is being linked at the domain level.
>
> Any changes to Account Policies / Password Policy are not being
> implemented. Enforce password history, maximum password age, minimum
> password age, minimum password length and Password must meet complexity
> requirements can all be changed but it doesn’t reflect on the user's
> machine. I receive the old value requirements if I manually try to change
> the password to 2 characters (for example) on the machine, i.e. password
> must be 6 characters etc. instead of the 8 I’ve changed it to.
>
> Running GPO RSOP indicates that in the COMPUTER section, under
> Components Status, there is a failure in security. Error states
> “Security has requested to process its policy settings again.” Checked
> the Policy events and there is an error Event Id : 1202 “security
> policies were propagated with warning 0x5: Access is denied”. I’m just
> wondering if this is actually more referring to the driver signature
> part and nothing to do with the password attribs.
>
> This is a single forest, single domain running in mixed mode 2000 with
> 3 Domain Controllers all running windows 2003. We used to be 2 DC’s
> running 2000 and 1 running 2003. All the roles etc were running on the
> 2000 DC’s and they were decommissioned (roles transferred) to the new
> 2003 DC servers. This happened a few months back and I’m not sure if
> this would have played a part.
>
> Gpresult on the machine (or machines) indicates it’s being applied,
> although we know that because other settings are being changed and
> reflected as tests. Double checked other things like dcdiag / replmon
> just to check all looks well there and it does. I’m really stuck and
> there could be something stupid I haven’t considered. Any help would be
> greatly appreciated. If you need any information then let me know. Here is
> the winlogon.log
>
> Winlogon.log
><snipped>
>
> --
> Loopz
> ------------------------------------------------------------------------



Basically for a password policy to work, the domain needs to be in at least
Native mode. For more info, please read the following.

Event ID 1000 and event ID 1202 are logged to the event log every five
minutes in Windows 2000 Server
http://support.microsoft.com/kb/319352

If it still doesn't work after changing it to Native mode, then it appears
there may have been a security policy placed (either through Security and
Analysis, or a template was imported to the domain policy), or some other
method was used to alter or create policies. Read the following, if this is
the case.

Group Policy Is Not Applied and You Receive No Error Message
http://support.microsoft.com/kb/310741

Read the following for more possibilities if the above are not helpful.
http://eventid.net/display.asp?event...SceCli&phase=1

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
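The symptom in this thread is a password policy that reaches SYSVOL but is never enforced, with a SceCli 1202 / 0x5 warning alongside it. The following PowerShell is an added example (not code from the thread or from either poster) that puts those three checks side by side on a domain controller: the domain functional level Ace asks about, the password settings the domain-linked GPO configures versus the settings the domain actually enforces, and the most recent 1202 warnings. It assumes the ActiveDirectory and GroupPolicy modules (Server 2008 R2 / RSAT or later) and that the domain-level GPO is still called "Default Domain Policy" (the thread's was renamed, so `$GpoName` is an assumption to adjust); on the Server 2003 DCs in the thread the equivalents are `net accounts` and `gpresult /scope computer /v`.

```powershell
# Added example (not from the thread): compare what the domain-level GPO
# configures with what the domain enforces, and list SceCli 1202 warnings.
# Assumes the ActiveDirectory and GroupPolicy modules (2008 R2 / RSAT+).
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Assumption: display name of the GPO linked at the domain level.
$GpoName = 'Default Domain Policy'

$domain = Get-ADDomain
Write-Host "Domain functional level : $($domain.DomainMode)"

# What the domain actually enforces (read from the domain head object).
$enforced = Get-ADDefaultDomainPasswordPolicy
$enforcedMap = @{
    PasswordComplexity    = [int]$enforced.ComplexityEnabled
    MinimumPasswordLength = $enforced.MinPasswordLength
    PasswordHistorySize   = $enforced.PasswordHistoryCount
    MinimumPasswordAge    = $enforced.MinPasswordAge.Days
    MaximumPasswordAge    = $enforced.MaxPasswordAge.Days
}

# What the GPO says it should be: the Security CSE "Account" entries in the
# XML report (Name / SettingNumber or SettingBoolean / Type).
[xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
$configured = @{}
foreach ($ext in $report.GPO.Computer.ExtensionData.Extension) {
    foreach ($acct in $ext.Account) {
        if ($acct.Type -ne 'Password') { continue }
        if ($acct.SettingBoolean) {
            $configured[$acct.Name] = [int]($acct.SettingBoolean -eq 'true')
        } else {
            $configured[$acct.Name] = [int]$acct.SettingNumber
        }
    }
}

# A row where Configured and Enforced differ is this thread's symptom: the
# setting is in SYSVOL but the Security CSE never applied it.
$rows = foreach ($name in ($enforcedMap.Keys | Sort-Object)) {
    [pscustomobject]@{
        Setting    = $name
        Configured = $configured[$name]
        Enforced   = $enforcedMap[$name]
        Match      = ($configured[$name] -eq $enforcedMap[$name])
    }
}
$rows | Format-Table -AutoSize

# Security CSE warnings. 1202 with code 0x5 means SceCli was denied access
# to something it was told to set (KB 284461 covers the FRS case).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SceCli'; Id = 1202 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Code'; e = { if ($_.Message -match '0x[0-9a-fA-F]+') { $Matches[0] } } },
        Message |
    Format-List
```

Run it elevated on a DC. If every row shows `Match : True` the policy is being enforced and the problem is elsewhere (for example a fine-grained policy or a client that is not reading the domain head); if the rows differ while the GPO report shows the intended values, the settings are replicating but the Security CSE is failing, which is exactly what a 1202 / 0x5 warning in the last section indicates.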


 
Ace Fekay [MCT]
Guest
Posts: n/a

 
      11-08-2009

"Loopz" <> wrote in message
news:...
>
> Ace - I appreciate your time to answer my query. I just wanted to check
> with you one thing though. We have just Server 2003 DCs now...there are
> no 2000 DCs anymore. Do you think the password part of the issue is
> related to the domain mode we are in?


Absolutely. Read Meinolf's response. If you no longer have any NT4 BDCs,
raise the levels.

> I don't recall reading any
> documentation or white papers to say that password policies won't work
> unless we are above Mixed mode - is it online? Very annoying if that is
> the reason why it is not working.


The articles I posted are online and indicate this. It is indicated in one
of the AD design or migration cookbooks. I would have to dig it up, but the
tech article I posted should be taken as authentic from Microsoft indicating
this is the problem.

>
> I know I can write off this issue
> http://support.microsoft.com/kb/310741 as I had already opened up
> Gptxxxxx.inf and/or Gptxxxxx.dom on one machine to confirm the settings
> are being replicated there.
>
> Again, thanks for your reply on this.


You are welcome.

Ace




Ace Fekay [MCT]
Guest
Posts: n/a

 
      11-09-2009
"Loopz" <> wrote in message
news:...
>
> Appreciate your responses. I'm always looking to swot up on white papers
> that are appropriate and they always help me push downtime by using
> documentation of known problems. So thanks for responding to that
> question.
>
> Bad news though. We are now in Native mode and we still can't apply
> password security settings. The GPTxxxxx.dom has the settings on one of
> the test machines I am using so I know they are being copied to the
> machine...just not applied.
>
> I could work to take the mode to W2K3 but I have doubts this will make
> a difference.
>
> One of the links sounds very legit but in order to find out what
> document M284461 is I will need to subscribe! Here is the
> explanation...anyone have any idea what M284461 states please?
>
> Error code 0x5 (decimal 5) - Access is denied. This issue occurs
> because of the locked-down security that was originally set on the FRS
> through Group Policy. When you attempt to configure the FRS through
> Group Policy, the policy engine no longer has the permission to set
> security on the FRS and does not attempt to take ownership of the FRS.
> See M284461 for resolution.
>
>
> --
> Loopz
> ------------------------------------------------------------------------


Actually you don't have to subscribe. Just like Techarena, you don't have to
subscribe.

The M numbers on eventid.net are simply pointers to Microsoft KB
articles. Remove the M, and place the number as such in the following link
to get the KB:

Event ID1000 and Event ID 1202 Messages Are Reported When You Set Security
on the File Replication Service by Using Group Policy
http://support.microsoft.com/kb/284461

As for Techarena, they pull and push posts from the free Microsoft public
newsgroups. This newsgroup is actually called
"microsoft.public.windows.server.active_directory." You can use Windows Mail
or Outlook Express, configure a News account, point it to
news.microsoft.com, go through the 2200 newsgroups and pick
microsoft.public.windows.server.active_directory (in alphabetical order),
and away you go! Lots more features than Techarena, and you can remain
anonymous.

Ace



Ace Fekay [MCT]
Guest
Posts: n/a

 
      11-11-2009
"Loopz" <> wrote in message
news:...
>
> Thanks Ace. That's useful to know.
>
> Alas that link is geared towards 2000 and not resolving my issues.
> It's quite weird that I no longer have any access error messages on any
> new machines I test but again no password policy is applying.
>
> Should I recreate/restore the domain policy and start afresh?
>
>
> --
> Loopz
> ------------------------------------------------------------------------


Just to make sure DNS configuration and other factors are correct, please
post an ipconfig /all from one of the DCs and one of the client machines.

Ace


Ace Fekay [MCT]
Guest
Posts: n/a

 
      11-11-2009
"Loopz" <> wrote in message
news:...
>
> Weird, I never wrote
>
> JUST TO MAKE SURE DNS CONFIGURATION AND OTHER FACTORS ARE CORRECT,
> PLEASE
> POST AN IPCONFIG /ALL FROM ONE OF THE DCS AND ONE OF THE CLIENT
> MACHINES
>
> I'm guessing the forum messed up there and this is a reply from
> someone. So here is the information below:
>
> Windows IP Configuration - Domain Controller
>
> Host Name . . . . . . . . . . . . : SERVER
> Primary Dns Suffix . . . . . . . : xxxx.xxxx.xxxx
> Node Type . . . . . . . . . . . . : Unknown
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : xxxx.xxxx.xxxx
> xxxx.xxxx
>
> Ethernet adapter Redditch Static:
>
> Connection-specific DNS Suffix . :
>
> Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II
> GigE (NDIS VBD Client)
> Physical Address. . . . . . . . . : 00-22-19-92-82-E5
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 10.100.2.223
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 10.100.2.1
> DNS Servers . . . . . . . . . . . : 10.100.2.223
> 10.100.2.247
>
>
>
> Windows IP Configuration - Client
>
> Host Name . . . . . . . . . . . . : Client
> Primary Dns Suffix . . . . . . . : xxxx.xxxx.xxxx
> Node Type . . . . . . . . . . . . : Unknown
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : xxxx.xxxx.xxxx
> xxxx.xxxx.xxxx
> xxxxx.xxxxx
>
>
>
> Ethernet adapter Local Area Connection:
>
>
>
> Connection-specific DNS Suffix . : xxxx.xxxx.xxxx
> Description . . . . . . . . . . . : Broadcom NetXtreme 57xx
> Gigabit Controller
> Physical Address. . . . . . . . . : 00-1C-23-4F-30-B1
> Dhcp Enabled. . . . . . . . . . . : Yes
> Autoconfiguration Enabled . . . . : Yes
> IP Address. . . . . . . . . . . . : 10.100.4.234
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 10.100.4.1
> DHCP Server . . . . . . . . . . . : 10.100.2.247
> DNS Servers . . . . . . . . . . . : 10.100.2.223
> 10.100.2.247
> Lease Obtained. . . . . . . . . . : 11 November 2009 08:27:04
> Lease Expires . . . . . . . . . . : 12 November 2009 08:27:04
>
>
>
> Ethernet adapter Wireless Network Connection:
>
> Media State . . . . . . . . . . . : Media disconnected
> Description . . . . . . . . . . . : Intel(R) PRO/Wireless
> 3945ABG Network Connection
> Physical Address. . . . . . . . . : 00-1F-3C-59-74-B5
>
> What do you think about recreating the domain policy from fresh?
>
>
> --
> Loopz


The ipconfigs look fine, as long as the Primary DNS Suffix matches the
domain name and the zone name in DNS. Thanks for posting them.

Yes, at this point, it may be prudent to do that. Make sure you have a
system state backup before proceeding. Do you have the links to show you how
to recreate the GPO?

Here are some links that may also be helpful to troubleshoot GPOs.

Fixing Group Policy problems by using log files
http://technet.microsoft.com/en-us/l.../cc775423.aspx

Enable Logging for Group Policy Object Editor Client Side Extensions
http://technet.microsoft.com/en-us/l.../cc759167.aspx

Troubleshooting Group Policy application problems
http://support.microsoft.com/kb/250842

Enable Verbose Global Policy Logging
http://www.windowsnetworking.com/kba...cyLogging.html

JSI Tip 3100. How do I enable Group Policy debug logging on a Windows 2000
Server?
http://windowsitpro.com/article/arti...00-server.html

Logging User logon event.
If you want to keep track the user logon and logoff event to the domain,
http://msmvps.com/blogs/richardwu/ar...gon-event.aspx


Ace
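Ace's links above are about reading the Group Policy log files. As an added example that is not part of the thread, the following PowerShell turns on the two logs relevant to this problem on an XP / Server 2003-era client, forces a computer-policy refresh, and pulls the error lines out of winlogon.log (the file the original poster attached). The registry values are the documented ones for the Security client-side extension (`ExtensionDebugLevel` under its GPExtensions GUID key) and for Userenv (`UserEnvDebugLevel` = 0x30002); the log paths assume `%windir%` is the Windows directory of the machine under test. It uses `Get-EventLog` rather than `Get-WinEvent` because the latter is not available on 2003.

```powershell
# Added example (not from the thread): enable Security CSE and Userenv
# debug logging, refresh computer policy, and read the errors back.
# Assumes an XP / Server 2003-era client; run from an elevated prompt.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# {827D319E-...} is the Security client-side extension's GPExtensions key.
$sceKey   = Join-Path $winlogon 'GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'

# ExtensionDebugLevel 2: full Security CSE logging to
# %windir%\security\logs\winlogon.log
New-ItemProperty -Path $sceKey -Name ExtensionDebugLevel -PropertyType DWord -Value 2 -Force | Out-Null
# UserEnvDebugLevel 0x30002: verbose Userenv logging to
# %windir%\debug\usermode\userenv.log
New-ItemProperty -Path $winlogon -Name UserEnvDebugLevel -PropertyType DWord -Value 0x30002 -Force | Out-Null

# Re-apply computer policy so the Security CSE runs with logging on.
gpupdate /target:computer /force | Out-Null

# The interesting lines: what SceCli tried to configure and where it failed.
# An "Access is denied" (error 5) line here matches a 1202 / 0x5 event and
# names the object the CSE could not write.
$log = Join-Path $env:windir 'security\logs\winlogon.log'
if (Test-Path $log) {
    Select-String -Path $log -Pattern 'Error|Warning|Access is denied' |
        Select-Object -Last 20 |
        ForEach-Object { $_.Line }
} else {
    Write-Host "No winlogon.log at $log - the Security CSE did not run or logging is off."
}

# Cross-check against the latest Security CSE events (1202 = warning,
# 1704 = applied successfully).
Get-EventLog -LogName Application -Source SceCli -Newest 5 -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EventID, Message | Format-List

# Turn the debug logging off again; both files grow quickly.
Remove-ItemProperty -Path $sceKey   -Name ExtensionDebugLevel -ErrorAction SilentlyContinue
Remove-ItemProperty -Path $winlogon -Name UserEnvDebugLevel   -ErrorAction SilentlyContinue
```

Reading the output in the order the thread's symptoms appeared: `userenv.log` shows whether the GPO was found and the Security CSE was invoked at all, `winlogon.log` shows which individual setting SceCli stopped at, and the SceCli events summarise the result. If the policy refresh logs a 1704 and winlogon.log has no error lines while the password settings still differ from the GPO, the client side is clean and the comparison belongs on the domain controller, which is where the earlier example runs.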

