[gptalk] Re: Default Domain Policy _ Password Configuration Settings

  • From: jfvanmeter@xxxxxxxxxxx
  • To: gptalk@xxxxxxxxxxxxx, <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 30 Apr 2007 11:01:50 +0000

Thank You Everyone, here is a little more information.

The WIn2k3 sp1 is a standardized build, that has a local security policy 
applied to it via a script that runs at  the end of the server build. The 
script calls secedit and runs in several inf files, so that the server has some 
predefined security settings.

 I have two issues I would like help with.

1. When one of the above servers is dcpromo'ed it appears that the new DC 
stated to authinicate users, the new DC does not use the group policies from 
sysvol,  but applies the local security policy. I've since this in our lab, 
were a tech either forgets to make connectors or creates them wrong.

2. A workstation tries to authenicate, and getts the error that there are "no 
domain controllers available to valid your request"  a user can log into the 
domain fine from that workstation. If you check the winlogon file, you can 
watch group policy being removed and the only security policy left on the 
workstation is the local security policy which doesn't hold the correct user 
rights to allow some progrmas to run. 

Any thoughts on how to correct either of the above?

Thanks 

Take Care and Have Fun --John
\
 -------------- Original message ----------------------
From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
> What it is is a strange mechanism Windows employs to make sure that the DDP
> always reflects account policy that is held on the PDCe's domain NC head.
> So, for example, if you directly modified the Password Length attribute in
> AD on the PDC-there is a process that writes that change into the DDP. Its
> not very well documented but easily tested. 
> 
>  
> 
> So, in your example below, if you modified account policy outside of the
> DDP, it would get written back regardless of how restrictive it is.
> 
>  
> 
> Darren
> 
>  
> 
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
> Behalf Of Alan Johnston
> Sent: Saturday, April 28, 2007 12:11 PM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Default Domain Policy _ Password Configuration
> Settings
> 
>  
> 
> In this case, would it be true if the modified account policy was less
> restrictive than the DDP, nothing in the DDP will change?
> 
>  
> 
> Just curious.
> 
> Darren Mar-Elia <darren@xxxxxxxxxx> wrote:
> 
> It is possible John. There are certain scenarios where if you modify account
> policy out-of-band of he DDP (e.g. By modifying the local GPO on the PDCe)
> then those changes can be wriiten back to the DDP. Its a "feature". : :-)
> 
> -----Original Message-----
> From: jfvanmeter@xxxxxxxxxxx
> To: "gpotalk" 
> Sent: 4/27/2007 7:25 AM
> Subject: [gptalk] Default Domain Policy _ Password Configuration Settings
> 
> Hello every, I have a problem that I'm looking for some help with.
> 
> Has anyone saw a default domain policy - password settings change from not
> defined to some other settings...ie password length goes from not defined to
> 12?
> 
> The domain is running in 2000, most of the server are win2k3 sp1 or win2k
> sp4
> 
> thanks for any help
> 
> Take Care and Have Fun --john
> ***********************
> You can unsubscribe from gptalk by sending email to
> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
> logging into the freelists.org Web interface. Archives for the list are
> available at http://www.freelists.org/archives/gptalk/
> ************************
> 
> ***********************
> You can unsubscribe from gptalk by sending email to
> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
> logging into the freelists.org Web interface. Archives for the list are
> available at http://www.freelists.org/archives/gptalk/
> ************************
> 
>  
> 
>   
> 
>   _____  
> 
> Ahhh...imagining that irresistible "new car" smell?
> Check out new
> <http://us.rd.yahoo.com/evt=48245/*http:/autos.yahoo.com/new_cars.html;_ylc=
> X3oDMTE1YW1jcXJ2BF9TAzk3MTA3MDc2BHNlYwNtYWlsdGFncwRzbGsDbmV3LWNhcnM->  cars
> at Yahoo! Autos. 
> 


--- Begin Message ---
  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Sat, 28 Apr 2007 19:37:40 +0000

What it is is a strange mechanism Windows employs to make sure that the DDP always reflects account policy that is held on the PDCe’s domain NC head. So, for example, if you directly modified the Password Length attribute in AD on the PDC—there is a process that writes that change into the DDP. Its not very well documented but easily tested.

 

So, in your example below, if you modified account policy outside of the DDP, it would get written back regardless of how restrictive it is.

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Alan Johnston
Sent: Saturday, April 28, 2007 12:11 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Default Domain Policy _ Password Configuration Settings

 

In this case, would it be true if the modified account policy was less restrictive than the DDP, nothing in the DDP will change?

 

Just curious.

Darren Mar-Elia <darren@xxxxxxxxxx> wrote:

It is possible John. There are certain scenarios where if you modify account policy out-of-band of he DDP (e.g. By modifying the local GPO on the PDCe) then those changes can be wriiten back to the DDP. Its a "feature". : :-)

-----Original Message-----
From: jfvanmeter@xxxxxxxxxxx
To: "gpotalk"
Sent: 4/27/2007 7:25 AM
Subject: [gptalk] Default Domain Policy _ Password Configuration Settings

Hello every, I have a problem that I'm looking for some help with.

Has anyone saw a default domain policy - password settings change from not defined to some other settings...ie password length goes from not defined to 12?

The domain is running in 2000, most of the server are win2k3 sp1 or win2k sp4

thanks for any help

Take Care and Have Fun --john
***********************
You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at http://www.freelists.org/archives/gptalk/
************************

***********************
You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at http://www.freelists.org/archives/gptalk/
************************

 

 


Ahhh...imagining that irresistible "new car" smell?
Check out new cars at Yahoo! Autos.


--- End Message ---

Other related posts: