Account password policy not applied on all domain controllers

    Question

  • Hello,

    I have the following problem:

    * We have a default domain policy linked at domain level.

    * All domain controllers are in the same OU (Domain Controllers).

    * No block inheritance is enabled on the Domain Controllers OU.

    * The default domain policy is set to enforce, and we have no other password policies.

    * Domain functional level is 2003.

    DC1 is getting the default domain policy + pw policy.

    According to an rsop and result, DC2 and DC3 are getting the default domain policy but not the account policies (password policy).

    Any idea?

    Thanks,

    Arjan

    Wednesday, January 22, 2014 9:44 AM

Answers

  • Hi Arjan,

    Based on my research, in each domain, GPMC uses the same domain controller for all operations in that domain, PDC by default, in order to avoid synchronization issues.

    Would you please tell us whether DC1 is the PDC emulator?

    If yes, then this behavior is normal, you can refer to this KB article below:

    Some security policies are displayed as "Not Defined" in the RSoP snap-in on a Windows Server 2003, 2008 or 2008 R2 based domain controller

    http://support.microsoft.com/kb/927908/en-us

    You can verify whether the account policies have been replicated to DC2 and DC3 by running the net accounts /domain command on them.

    More information for you:

    Group Policy Replication and Domain Controller Selection (Group Policy Infrastructure)

    http://technet.microsoft.com/en-us/library/cc779403(v=WS.10).aspx

    I hope this helps.

    Best Regards,

    Amy Wang

    Tuesday, January 28, 2014 2:50 AM

All replies

  • So just to confirm, the password policy settings haven't been removed from the default domain policy?

    Are you seeing any errors on the domain controllers regarding processing any group policy objects?


    Regards,

    Denis Cooper

    MCITP EA - MCT

    Wednesday, January 22, 2014 10:03 AM
  • The password policy is set in the default domain policy.

    DC1 is receiving the password policy

    DC2 and 3 are not getting the password policy, but when I do an rsop I can see settings from the default domain policy are coming through, just not the account policies (password policy).

    Cannot find any error on applying policies... :(

    The effect is that users cannot change their password when they are logged on to DC2 or 3.

    They get the message that the password is not complex enough.

    • Edited by Arjandv Wednesday, January 22, 2014 10:25 AM
    Wednesday, January 22, 2014 10:19 AM
  • This is strange.

    Can you confirm you don't have any fine-grained password policies configured?

    Also, can you run a gpresult /scope:computer /r /v

    from an admin command prompt and post the results - both from dc1 and either dc2 or dc3.

    Thanks


    Regards,

    Denis Cooper

    MCITP EA - MCT

    Wednesday, January 22, 2014 10:33 AM
  • Thanks for your help.

    Yes, this is very strange indeed.

    There are no fine-grained pw policies configured (domain func level 2003, the servers are 2008 R2).

    Check the difference in the account policies.

    rsop DC01:

    =========================================================================
    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 22-1-2014 at 11:46:19

     

    RSOP data for DomainName\Admin on DC01 : Logging Mode
    -----------------------------------------------------------------

    OS Configuration:            Primary Domain Controller
    OS Version:                  6.1.7601
    Site Name:                   HIA
    Roaming Profile:             N/A
    Local Profile:               C:\Users\Admin
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
        CN=DC01,OU=Domain Controllers,DC=DomainName,DC=local
        Last time Group Policy was applied: 22-1-2014 at 11:41:59
        Group Policy was applied from:      DC01.DomainName.local
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        DomainName
        Domain Type:                        Windows 2000

        Applied Group Policy Objects
        -----------------------------
            Default Domain Policy
            Default Domain Controllers Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

        The computer is a part of the following security groups
        -------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            BUILTIN\Pre-Windows 2000 Compatible Access
            BUILTIN\Users
            Windows Authorization Access Group
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            This Organization
            DC01$
            Domain Controllers
            NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
            Denied RODC Password Replication Group
            System Mandatory Level
           
        Resultant Set Of Policies for Computer
        ---------------------------------------

            Software Installations
            ----------------------
                N/A

            Startup Scripts
            ---------------
                N/A

            Shutdown Scripts
            ----------------
                N/A

            Account Policies
            ----------------
                GPO: Default Domain Policy
                    Policy:            MaxRenewAge
                    Computer Setting:  7

                GPO: Default Domain Policy
                    Policy:            LockoutDuration
                    Computer Setting:  10

                GPO: Default Domain Policy
                    Policy:            MaximumPasswordAge
                    Computer Setting:  90

                GPO: Default Domain Policy
                    Policy:            MinimumPasswordAge
                    Computer Setting:  30

                GPO: Default Domain Policy
                    Policy:            ResetLockoutCount
                    Computer Setting:  10

                GPO: Default Domain Policy
                    Policy:            MaxServiceAge
                    Computer Setting:  600

                GPO: Default Domain Policy
                    Policy:            LockoutBadCount
                    Computer Setting:  5

                GPO: Default Domain Policy
                    Policy:            MaxClockSkew
                    Computer Setting:  5

                GPO: Default Domain Policy
                    Policy:            MaxTicketAge
                    Computer Setting:  10

                GPO: Default Domain Policy
                    Policy:            PasswordHistorySize
                    Computer Setting:  10

                GPO: Default Domain Policy
                    Policy:            MinimumPasswordLength
                    Computer Setting:  8

            Audit Policy
            ------------
                GPO: Default Domain Policy
                    Policy:            AuditPolicyChange
                    Computer Setting:  Success, Failure

                GPO: Default Domain Policy
                    Policy:            AuditAccountManage
                    Computer Setting:  Failure

                GPO: Default Domain Controllers Policy
                    Policy:            AuditObjectAccess
                    Computer Setting:  No Auditing

                GPO: Default Domain Policy
                    Policy:            AuditDSAccess
                    Computer Setting:  Failure

                GPO: Default Domain Policy
                    Policy:            AuditPrivilegeUse
                    Computer Setting:  Success, Failure

                GPO: Default Domain Policy
                    Policy:            AuditProcessTracking
                    Computer Setting:  Failure

                GPO: Default Domain Policy
                    Policy:            AuditAccountLogon
                    Computer Setting:  Failure

                GPO: Default Domain Policy
                    Policy:            AuditLogonEvents
                    Computer Setting:  Failure

                GPO: Default Domain Policy
                    Policy:            AuditSystemEvents
                    Computer Setting:  Failure

            User Rights
            -----------
                GPO: Default Domain Controllers Policy
                    Policy:            SyncAgentPrivilege
                    Computer Setting:  N/A

                GPO: Default Domain Controllers Policy
                    Policy:            MachineAccountPrivilege
                    Computer Setting:  Authenticated Users
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            ChangeNotifyPrivilege
                    Computer Setting:  DomainName\SQLServer2005MSSQLUser$DC01-HIA$MICROSOFT##SSEE
                                       Everyone
                                       Administrators
                                       Authenticated Users
                                       Pre-Windows 2000 Compatible Access
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            IncreaseBasePriorityPrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            CreateTokenPrivilege
                    Computer Setting:  N/A

                GPO: Default Domain Controllers Policy
                    Policy:            TakeOwnershipPrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            DenyInteractiveLogonRight
                    Computer Setting:  DomainName\SUPPORT_388945a0
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            RestorePrivilege
                    Computer Setting:  Administrators
                                       Backup Operators
                                       Server Operators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            DebugPrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            SystemTimePrivilege
                    Computer Setting:  LOCAL SERVICE
                                       Administrators
                                       Server Operators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            SecurityPrivilege
                    Computer Setting:  DomainName\Exchange Enterprise Servers
                                       Administrators
                                       DomainName\Exchange Servers
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            ShutdownPrivilege
                    Computer Setting:  Administrators
                                       Backup Operators
                                       Server Operators
                                       Print Operators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            AuditPrivilege
                    Computer Setting:  LOCAL SERVICE
                                       NETWORK SERVICE
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            InteractiveLogonRight
                    Computer Setting:  Administrators
                                       Backup Operators
                                       Account Operators
                                       Server Operators
                                       Print Operators
                                       DomainName\IUSR_DC01
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            CreatePagefilePrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            DenyNetworkLogonRight
                    Computer Setting:  DomainName\SUPPORT_388945a0
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            BatchLogonRight
                    Computer Setting:  DomainName\NL19686-a
                                       DomainName\svc-backup2
                                       DomainName\IIS_WPG
                                       DomainName\IWAM_DC01
                                       LOCAL SERVICE
                                       DomainName\SUPPORT_388945a0
                                       DomainName\Administrator
                                       DomainName\IUSR_DC01
                                       DomainName\admsrv
                                       DomainName\svc-backup
                                       DomainName\SQLServer2005MSSQLUser$DC01-HIA$MICROSOFT##SSEE
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            LockMemoryPrivilege
                    Computer Setting:  N/A

                GPO: Default Domain Policy
                    Policy:            NetworkLogonRight
                    Computer Setting:  Authenticated Users
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            CreatePermanentPrivilege
                    Computer Setting:  N/A

                GPO: Default Domain Controllers Policy
                    Policy:            SystemProfilePrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            TcbPrivilege
                    Computer Setting:  N/A

                GPO: Default Domain Controllers Policy
                    Policy:            DenyBatchLogonRight
                    Computer Setting:  N/A

                GPO: Default Domain Controllers Policy
                    Policy:            ServiceLogonRight
                    Computer Setting:  NETWORK SERVICE
                                       DomainName\admsrv
                                       DomainName\SQLServer2005MSSQLUser$DC01-HIA$MICROSOFT##SSEE
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            RemoteShutdownPrivilege
                    Computer Setting:  Administrators
                                       Server Operators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            BackupPrivilege
                    Computer Setting:  Administrators
                                       Backup Operators
                                       Server Operators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            EnableDelegationPrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            UndockPrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            SystemEnvironmentPrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            DenyServiceLogonRight
                    Computer Setting:  N/A

                GPO: Default Domain Controllers Policy
                    Policy:            LoadDriverPrivilege
                    Computer Setting:  Administrators
                                       Print Operators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            IncreaseQuotaPrivilege
                    Computer Setting:  DomainName\SQLServer2005MSSQLUser$DC01-HIA$MICROSOFT##SSEE
                                       LOCAL SERVICE
                                       NETWORK SERVICE
                                       Administrators
                                       DomainName\IWAM_DC01
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            ProfileSingleProcessPrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            AssignPrimaryTokenPrivilege
                    Computer Setting:  LOCAL SERVICE
                                       NETWORK SERVICE
                                       DomainName\IWAM_DC01
                                       DomainName\SQLServer2005MSSQLUser$DC01-HIA$MICROSOFT##SSEE
                                      
            Security Options
            ----------------
                GPO: Default Domain Policy
                    Policy:            PasswordComplexity
                    Computer Setting:  Enabled

                GPO: Default Domain Policy
                    Policy:            ClearTextPassword
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            ForceLogoffWhenHourExpire
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            RequireLogonToChangePassword
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            TicketValidateClient
                    Computer Setting:  Enabled

                GPO: Default Domain Controllers Policy
                    Policy:            @wsecedit.dll,-59059
                    ValueName:         MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
                    Computer Setting:  2

                GPO: Default Domain Controllers Policy
                    Policy:            @wsecedit.dll,-59013
                    ValueName:         MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity
                    Computer Setting:  1

                GPO: Default Domain Controllers Policy
                    Policy:            @wsecedit.dll,-59043
                    ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
                    Computer Setting:  1

                GPO: Default Domain Controllers Policy
                    Policy:            @wsecedit.dll,-59044
                    ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
                    Computer Setting:  1

                GPO: Default Domain Controllers Policy
                    Policy:            @wsecedit.dll,-59018
                    ValueName:         MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
                    Computer Setting:  1

                GPO: Default Domain Policy
                    Policy:            @wsecedit.dll,-59031
                    ValueName:         MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning
                    Computer Setting:  14

            Event Log Settings
            ------------------
                N/A

            Restricted Groups
            -----------------
                N/A

            System Services
            ---------------
                N/A

            Registry Settings
            -----------------
                N/A

            File System Settings
            --------------------
                N/A

            Public Key Policies
            -------------------
                N/A

            Administrative Templates
            ------------------------
                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Group Policy\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}\NoSlowLink
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Group Policy\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}\NoBackgroundPolicy
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Group Policy\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}\NoGPOListChanges
                    Value:       0, 0, 0, 0
                    State:       Enabled

    =========================================================================

    Wednesday, January 22, 2014 11:03 AM
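
An added example, not part of the thread and not Microsoft's code: a small Python parser for saved gpresult verbose output that lists the password-policy settings reported on one DC but missing or different on another, which is the comparison being made above. The DC01 sample is trimmed from the output posted here; the DC02 sample and all function names are constructed for illustration.

```python
import re

# Password and lockout settings as gpresult names them. Most sit under
# "Account Policies"; PasswordComplexity is listed under "Security Options".
PASSWORD_POLICIES = (
    "MinimumPasswordLength", "MinimumPasswordAge", "MaximumPasswordAge",
    "PasswordHistorySize", "PasswordComplexity", "ClearTextPassword",
    "LockoutBadCount", "LockoutDuration", "ResetLockoutCount",
)

_UNDERLINE = re.compile(r"^\s*-{3,}\s*$")
_FIELD = re.compile(r"^\s*(GPO|Policy|Computer Setting):\s*(.*?)\s*$")

# Trimmed from the DC01 output posted in the thread.
DC01_SAMPLE = r"""
OS Configuration:            Primary Domain Controller

        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            MaximumPasswordAge
                Computer Setting:  90

            GPO: Default Domain Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  8

        Security Options
        ----------------
            GPO: Default Domain Policy
                Policy:            PasswordComplexity
                Computer Setting:  Enabled
"""

# Constructed sample: what a DC that reports no account policies could look like.
DC02_SAMPLE = r"""
OS Configuration:            Additional/Backup Domain Controller

        Account Policies
        ----------------
            N/A

        Security Options
        ----------------
            GPO: Default Domain Controllers Policy
                Policy:            @wsecedit.dll,-59059
                ValueName:         MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
                Computer Setting:  2
"""


def os_configuration(text):
    """Return the 'OS Configuration' value (the DC role line), or None."""
    m = re.search(r"^\s*OS Configuration:\s*(.+?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None


def parse_rsop(text):
    """Return {policy: {"section", "gpo", "setting"}} from gpresult text.

    Only the first line of a multi-line 'Computer Setting' is kept, which
    is enough for the single-valued password settings compared here.
    """
    lines = text.splitlines()
    policies, section, gpo, name = {}, None, None, None
    for i, line in enumerate(lines):
        # A section title is a non-empty line followed by a dashed underline.
        if line.strip() and i + 1 < len(lines) and _UNDERLINE.match(lines[i + 1]):
            section, gpo, name = line.strip(), None, None
            continue
        m = _FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "GPO":
            gpo, name = value, None
        elif key == "Policy":
            name = value
        elif name:  # "Computer Setting" closing a GPO/Policy pair
            policies[name] = {"section": section, "gpo": gpo, "setting": value}
    return policies


def password_policy_gaps(reference, other):
    """List (policy, reference_setting, other_setting) where `other` differs.

    other_setting is None when the policy is absent from `other`.
    """
    gaps = []
    for name in PASSWORD_POLICIES:
        ref, oth = reference.get(name), other.get(name)
        if ref is None:
            continue
        other_setting = oth["setting"] if oth else None
        if other_setting != ref["setting"]:
            gaps.append((name, ref["setting"], other_setting))
    return gaps


if __name__ == "__main__":
    print("DC01 role:", os_configuration(DC01_SAMPLE))
    print("DC02 role:", os_configuration(DC02_SAMPLE))
    for name, want, got in password_policy_gaps(
        parse_rsop(DC01_SAMPLE), parse_rsop(DC02_SAMPLE)
    ):
        print(f"{name}: DC01={want} DC02={got or 'not reported'}")
```

A "not reported" result only says that RSoP did not list the setting on that DC. As the accepted answer notes, that can be normal on a DC other than the PDC emulator, so follow it up by checking what the DC actually enforces.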
  • Thanks for your help.

    Yes, this is very strange indeed.

    There are no fine-grained pw policies configured (domain func level 2003, the servers are 2008 R2).

    Check the difference in the account policies.

     

    rsop DC01:

    =========================================================================
    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 22-1-2014 at 11:46:19

     

    RSOP data for DomainName\Admin on DC01 : Logging Mode
    -----------------------------------------------------------------

    OS Configuration:            Primary Domain Controller
    OS Version:                  6.1.7601
    Site Name:                   HIA
    Roaming Profile:             N/A
    Local Profile:               C:\Users\Admin
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
        CN=DC01,OU=Domain Controllers,DC=DomainName,DC=local
        Last time Group Policy was applied: 22-1-2014 at 11:41:59
        Group Policy was applied from:      DC01.DomainName.local
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        DomainName
        Domain Type:                        Windows 2000

        Applied Group Policy Objects
        -----------------------------
            Default Domain Policy
            Default Domain Controllers Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

        The computer is a part of the following security groups
        -------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            BUILTIN\Pre-Windows 2000 Compatible Access
            BUILTIN\Users
            Windows Authorization Access Group
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            This Organization
            DC01$
            Domain Controllers
            NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
            Denied RODC Password Replication Group
            System Mandatory Level
           
        Resultant Set Of Policies for Computer
        ---------------------------------------

            Software Installations
            ----------------------
                N/A

            Startup Scripts
            ---------------
                N/A

            Shutdown Scripts
            ----------------
                N/A

            Account Policies
            ----------------
                GPO: Default Domain Policy
                    Policy:            MaxRenewAge
                    Computer Setting:  7

                GPO: Default Domain Policy
                    Policy:            LockoutDuration
                    Computer Setting:  10

                GPO: Default Domain Policy
                    Policy:            MaximumPasswordAge
                    Computer Setting:  90

                GPO: Default Domain Policy
                    Policy:            MinimumPasswordAge
                    Computer Setting:  30

                GPO: Default Domain Policy
                    Policy:            ResetLockoutCount
                    Computer Setting:  10

                GPO: Default Domain Policy
                    Policy:            MaxServiceAge
                    Computer Setting:  600

                GPO: Default Domain Policy
                    Policy:            LockoutBadCount
                    Computer Setting:  5

                GPO: Default Domain Policy
                    Policy:            MaxClockSkew
                    Computer Setting:  5

                GPO: Default Domain Policy
                    Policy:            MaxTicketAge
                    Computer Setting:  10

                GPO: Default Domain Policy
                    Policy:            PasswordHistorySize
                    Computer Setting:  10

                GPO: Default Domain Policy
                    Policy:            MinimumPasswordLength
                    Computer Setting:  8

            Audit Policy
            ------------
                GPO: Default Domain Policy
                    Policy:            AuditPolicyChange
                    Computer Setting:  Success, Failure

                GPO: Default Domain Policy
                    Policy:            AuditAccountManage
                    Computer Setting:  Failure

                GPO: Default Domain Controllers Policy
                    Policy:            AuditObjectAccess
                    Computer Setting:  No Auditing

                GPO: Default Domain Policy
                    Policy:            AuditDSAccess
                    Computer Setting:  Failure

                GPO: Default Domain Policy
                    Policy:            AuditPrivilegeUse
                    Computer Setting:  Success, Failure

                GPO: Default Domain Policy
                    Policy:            AuditProcessTracking
                    Computer Setting:  Failure

                GPO: Default Domain Policy
                    Policy:            AuditAccountLogon
                    Computer Setting:  Failure

                GPO: Default Domain Policy
                    Policy:            AuditLogonEvents
                    Computer Setting:  Failure

                GPO: Default Domain Policy
                    Policy:            AuditSystemEvents
                    Computer Setting:  Failure

            User Rights
            -----------
                GPO: Default Domain Controllers Policy
                    Policy:            SyncAgentPrivilege
                    Computer Setting:  N/A

                GPO: Default Domain Controllers Policy
                    Policy:            MachineAccountPrivilege
                    Computer Setting:  Authenticated Users
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            ChangeNotifyPrivilege
                    Computer Setting:  DomainName\SQLServer2005MSSQLUser$DC01-HIA$MICROSOFT##SSEE
                                       Everyone
                                       Administrators
                                       Authenticated Users
                                       Pre-Windows 2000 Compatible Access
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            IncreaseBasePriorityPrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            CreateTokenPrivilege
                    Computer Setting:  N/A

                GPO: Default Domain Controllers Policy
                    Policy:            TakeOwnershipPrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            DenyInteractiveLogonRight
                    Computer Setting:  DomainName\SUPPORT_388945a0
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            RestorePrivilege
                    Computer Setting:  Administrators
                                       Backup Operators
                                       Server Operators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            DebugPrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            SystemTimePrivilege
                    Computer Setting:  LOCAL SERVICE
                                       Administrators
                                       Server Operators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            SecurityPrivilege
                    Computer Setting:  DomainName\Exchange Enterprise Servers
                                       Administrators
                                       DomainName\Exchange Servers
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            ShutdownPrivilege
                    Computer Setting:  Administrators
                                       Backup Operators
                                       Server Operators
                                       Print Operators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            AuditPrivilege
                    Computer Setting:  LOCAL SERVICE
                                       NETWORK SERVICE
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            InteractiveLogonRight
                    Computer Setting:  Administrators
                                       Backup Operators
                                       Account Operators
                                       Server Operators
                                       Print Operators
                                       DomainName\IUSR_DC01
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            CreatePagefilePrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            DenyNetworkLogonRight
                    Computer Setting:  DomainName\SUPPORT_388945a0
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            BatchLogonRight
                    Computer Setting:  DomainName\NL19686-a
                                       DomainName\svc-backup2
                                       DomainName\IIS_WPG
                                       DomainName\IWAM_DC01
                                       LOCAL SERVICE
                                       DomainName\SUPPORT_388945a0
                                       DomainName\Administrator
                                       DomainName\IUSR_DC01
                                       DomainName\admsrv
                                       DomainName\svc-backup
                                       DomainName\SQLServer2005MSSQLUser$DC01-HIA$MICROSOFT##SSEE
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            LockMemoryPrivilege
                    Computer Setting:  N/A

                GPO: Default Domain Policy
                    Policy:            NetworkLogonRight
                    Computer Setting:  Authenticated Users
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            CreatePermanentPrivilege
                    Computer Setting:  N/A

                GPO: Default Domain Controllers Policy
                    Policy:            SystemProfilePrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            TcbPrivilege
                    Computer Setting:  N/A

                GPO: Default Domain Controllers Policy
                    Policy:            DenyBatchLogonRight
                    Computer Setting:  N/A

                GPO: Default Domain Controllers Policy
                    Policy:            ServiceLogonRight
                    Computer Setting:  NETWORK SERVICE
                                       DomainName\admsrv
                                       DomainName\SQLServer2005MSSQLUser$DC01-HIA$MICROSOFT##SSEE
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            RemoteShutdownPrivilege
                    Computer Setting:  Administrators
                                       Server Operators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            BackupPrivilege
                    Computer Setting:  Administrators
                                       Backup Operators
                                       Server Operators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            EnableDelegationPrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            UndockPrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            SystemEnvironmentPrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            DenyServiceLogonRight
                    Computer Setting:  N/A

                GPO: Default Domain Controllers Policy
                    Policy:            LoadDriverPrivilege
                    Computer Setting:  Administrators
                                       Print Operators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            IncreaseQuotaPrivilege
                    Computer Setting:  DomainName\SQLServer2005MSSQLUser$DC01-HIA$MICROSOFT##SSEE
                                       LOCAL SERVICE
                                       NETWORK SERVICE
                                       Administrators
                                       DomainName\IWAM_DC01
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            ProfileSingleProcessPrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            AssignPrimaryTokenPrivilege
                    Computer Setting:  LOCAL SERVICE
                                       NETWORK SERVICE
                                       DomainName\IWAM_DC01
                                       DomainName\SQLServer2005MSSQLUser$DC01-HIA$MICROSOFT##SSEE
                                      
            Security Options
            ----------------
                GPO: Default Domain Policy
                    Policy:            PasswordComplexity
                    Computer Setting:  Enabled

                GPO: Default Domain Policy
                    Policy:            ClearTextPassword
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            ForceLogoffWhenHourExpire
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            RequireLogonToChangePassword
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            TicketValidateClient
                    Computer Setting:  Enabled

                GPO: Default Domain Controllers Policy
                    Policy:            @wsecedit.dll,-59059
                    ValueName:         MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
                    Computer Setting:  2

                GPO: Default Domain Controllers Policy
                    Policy:            @wsecedit.dll,-59013
                    ValueName:         MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity
                    Computer Setting:  1

                GPO: Default Domain Controllers Policy
                    Policy:            @wsecedit.dll,-59043
                    ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
                    Computer Setting:  1

                GPO: Default Domain Controllers Policy
                    Policy:            @wsecedit.dll,-59044
                    ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
                    Computer Setting:  1

                GPO: Default Domain Controllers Policy
                    Policy:            @wsecedit.dll,-59018
                    ValueName:         MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
                    Computer Setting:  1

                GPO: Default Domain Policy
                    Policy:            @wsecedit.dll,-59031
                    ValueName:         MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning
                    Computer Setting:  14

            Event Log Settings
            ------------------
                N/A

            Restricted Groups
            -----------------
                N/A

            System Services
            ---------------
                N/A

            Registry Settings
            -----------------
                N/A

            File System Settings
            --------------------
                N/A

            Public Key Policies
            -------------------
                N/A

            Administrative Templates
            ------------------------
                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Group Policy\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}\NoSlowLink
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Group Policy\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}\NoBackgroundPolicy
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Group Policy\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}\NoGPOListChanges
                    Value:       0, 0, 0, 0
                    State:       Enabled

    =========================================================================

    Wednesday, January 22, 2014 11:07 AM
  • Can you post the same from dc02 or 03 please?

    Regards,

    Denis Cooper

    MCITP EA - MCT

    Help keep the forums tidy, if this has helped please mark it as an answer

    Wednesday, January 22, 2014 11:09 AM
  • RSOP DC02:

    =========================================================================
    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 22-1-2014 at 11:40:29

     

    RSOP data for DomainName\Admin on DC02 : Logging Mode
    -----------------------------------------------------------------

    OS Configuration:            Additional/Backup Domain Controller
    OS Version:                  6.1.7601
    Site Name:                   HIA
    Roaming Profile:             N/A
    Local Profile:               C:\Users\Admin
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
        CN=DC02,OU=Domain Controllers,DC=DomainName,DC=local
        Last time Group Policy was applied: 22-1-2014 at 11:38:13
        Group Policy was applied from:      DC02.DomainName.local
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        DomainName
        Domain Type:                        Windows 2000

        Applied Group Policy Objects
        -----------------------------
            Default Domain Policy
            Default Domain Controllers Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

        The computer is a part of the following security groups
        -------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            BUILTIN\Pre-Windows 2000 Compatible Access
            BUILTIN\Users
            Windows Authorization Access Group
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            This Organization
            DC02$
            Domain Controllers
            NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
            Denied RODC Password Replication Group
            System Mandatory Level
           
        Resultant Set Of Policies for Computer
        ---------------------------------------

            Software Installations
            ----------------------
                N/A

            Startup Scripts
            ---------------
                N/A

            Shutdown Scripts
            ----------------
                N/A

            Account Policies
            ----------------
                GPO: Default Domain Policy
                    Policy:            MaxRenewAge
                    Computer Setting:  7

                GPO: Default Domain Policy
                    Policy:            MaxServiceAge
                    Computer Setting:  600

                GPO: Default Domain Policy
                    Policy:            MaxClockSkew
                    Computer Setting:  5

                GPO: Default Domain Policy
                    Policy:            MaxTicketAge
                    Computer Setting:  10

            Audit Policy
            ------------
                GPO: Default Domain Policy
                    Policy:            AuditPolicyChange
                    Computer Setting:  Success, Failure

                GPO: Default Domain Policy
                    Policy:            AuditAccountManage
                    Computer Setting:  Failure

                GPO: Default Domain Controllers Policy
                    Policy:            AuditObjectAccess
                    Computer Setting:  No Auditing

                GPO: Default Domain Policy
                    Policy:            AuditDSAccess
                    Computer Setting:  Failure

                GPO: Default Domain Policy
                    Policy:            AuditPrivilegeUse
                    Computer Setting:  Success, Failure

                GPO: Default Domain Policy
                    Policy:            AuditProcessTracking
                    Computer Setting:  Failure

                GPO: Default Domain Policy
                    Policy:            AuditAccountLogon
                    Computer Setting:  Failure

                GPO: Default Domain Policy
                    Policy:            AuditLogonEvents
                    Computer Setting:  Failure

                GPO: Default Domain Policy
                    Policy:            AuditSystemEvents
                    Computer Setting:  Failure

            User Rights
            -----------
                GPO: Default Domain Controllers Policy
                    Policy:            SyncAgentPrivilege
                    Computer Setting:  N/A

                GPO: Default Domain Controllers Policy
                    Policy:            MachineAccountPrivilege
                    Computer Setting:  Authenticated Users
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            ChangeNotifyPrivilege
                    Computer Setting:  DomainName\SQLServer2005MSSQLUser$DC01-HIA$MICROSOFT##SSEE
                                       Everyone
                                       Administrators
                                       Authenticated Users
                                       Pre-Windows 2000 Compatible Access
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            IncreaseBasePriorityPrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            CreateTokenPrivilege
                    Computer Setting:  N/A

                GPO: Default Domain Controllers Policy
                    Policy:            TakeOwnershipPrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            DenyInteractiveLogonRight
                    Computer Setting:  DomainName\SUPPORT_388945a0
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            RestorePrivilege
                    Computer Setting:  Administrators
                                       Backup Operators
                                       Server Operators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            DebugPrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            SystemTimePrivilege
                    Computer Setting:  LOCAL SERVICE
                                       Administrators
                                       Server Operators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            SecurityPrivilege
                    Computer Setting:  DomainName\Exchange Enterprise Servers
                                       Administrators
                                       DomainName\Exchange Servers
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            ShutdownPrivilege
                    Computer Setting:  Administrators
                                       Backup Operators
                                       Server Operators
                                       Print Operators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            AuditPrivilege
                    Computer Setting:  LOCAL SERVICE
                                       NETWORK SERVICE
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            InteractiveLogonRight
                    Computer Setting:  Administrators
                                       Backup Operators
                                       Account Operators
                                       Server Operators
                                       Print Operators
                                       DomainName\IUSR_DC01
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            CreatePagefilePrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            DenyNetworkLogonRight
                    Computer Setting:  DomainName\SUPPORT_388945a0
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            BatchLogonRight
                    Computer Setting:  DomainName\NL19686-a
                                       DomainName\svc-backup2
                                       DomainName\IIS_WPG
                                       DomainName\IWAM_DC01
                                       LOCAL SERVICE
                                       DomainName\SUPPORT_388945a0
                                       DomainName\Administrator
                                       DomainName\IUSR_DC01
                                       DomainName\admsrv
                                       DomainName\svc-backup
                                       DomainName\SQLServer2005MSSQLUser$DC01-HIA$MICROSOFT##SSEE
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            LockMemoryPrivilege
                    Computer Setting:  N/A

                GPO: Default Domain Policy
                    Policy:            NetworkLogonRight
                    Computer Setting:  Authenticated Users
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            CreatePermanentPrivilege
                    Computer Setting:  N/A

                GPO: Default Domain Controllers Policy
                    Policy:            SystemProfilePrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            TcbPrivilege
                    Computer Setting:  N/A

                GPO: Default Domain Controllers Policy
                    Policy:            DenyBatchLogonRight
                    Computer Setting:  N/A

                GPO: Default Domain Controllers Policy
                    Policy:            ServiceLogonRight
                    Computer Setting:  NETWORK SERVICE
                                       DomainName\admsrv
                                       DomainName\SQLServer2005MSSQLUser$DC01-HIA$MICROSOFT##SSEE
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            RemoteShutdownPrivilege
                    Computer Setting:  Administrators
                                       Server Operators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            BackupPrivilege
                    Computer Setting:  Administrators
                                       Backup Operators
                                       Server Operators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            EnableDelegationPrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            UndockPrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            SystemEnvironmentPrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            DenyServiceLogonRight
                    Computer Setting:  N/A

                GPO: Default Domain Controllers Policy
                    Policy:            LoadDriverPrivilege
                    Computer Setting:  Administrators
                                       Print Operators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            IncreaseQuotaPrivilege
                    Computer Setting:  DomainName\SQLServer2005MSSQLUser$DC01-HIA$MICROSOFT##SSEE
                                       LOCAL SERVICE
                                       NETWORK SERVICE
                                       Administrators
                                       DomainName\IWAM_DC01
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            ProfileSingleProcessPrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            AssignPrimaryTokenPrivilege
                    Computer Setting:  LOCAL SERVICE
                                       NETWORK SERVICE
                                       DomainName\IWAM_DC01
                                       DomainName\SQLServer2005MSSQLUser$DC01-HIA$MICROSOFT##SSEE
                                      
            Security Options
            ----------------
                GPO: Default Domain Policy
                    Policy:            TicketValidateClient
                    Computer Setting:  Enabled

                GPO: Default Domain Controllers Policy
                    Policy:            @wsecedit.dll,-59059
                    ValueName:         MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
                    Computer Setting:  2

                GPO: Default Domain Controllers Policy
                    Policy:            @wsecedit.dll,-59013
                    ValueName:         MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity
                    Computer Setting:  1

                GPO: Default Domain Controllers Policy
                    Policy:            @wsecedit.dll,-59043
                    ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
                    Computer Setting:  1

                GPO: Default Domain Controllers Policy
                    Policy:            @wsecedit.dll,-59044
                    ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
                    Computer Setting:  1

                GPO: Default Domain Controllers Policy
                    Policy:            @wsecedit.dll,-59018
                    ValueName:         MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
                    Computer Setting:  1

                GPO: Default Domain Policy
                    Policy:            @wsecedit.dll,-59031
                    ValueName:         MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning
                    Computer Setting:  14

            Event Log Settings
            ------------------
                N/A

            Restricted Groups
            -----------------
                N/A

            System Services
            ---------------
                N/A

            Registry Settings
            -----------------
                N/A

            File System Settings
            --------------------
                N/A

            Public Key Policies
            -------------------
                N/A

            Administrative Templates
            ------------------------
                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Group Policy\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}\NoGPOListChanges
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Group Policy\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}\NoSlowLink
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Group Policy\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}\NoBackgroundPolicy
                    Value:       0, 0, 0, 0
                    State:       Enabled

    =========================================================================

    Wednesday, January 22, 2014 11:10 AM
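The DC01 and DC02 reports above differ in only a few entries, which is hard to spot by eye. As an added example (not part of the thread), the following Python parses saved text output of the Group Policy Result tool and lists settings present in one DC's resultant set but absent from another's. The function names and the trimmed sample excerpts are constructed for illustration.

```python
import re

# Field lines of one report entry; other lines are headings, continuations or noise.
FIELD = re.compile(
    r"^\s*(GPO|Policy|ValueName|KeyName|Computer Setting|Value|State):\s*(.*?)\s*$")

def parse_gpresult(text):
    """Map (section, setting name) -> (GPO name, sorted tuple of values)."""
    lines = text.splitlines()
    found, section, entry, multi = {}, "", None, False

    def flush():
        if entry:
            name = entry.get("ValueName") or entry.get("KeyName") or entry.get("Policy")
            if name:
                found[(section, name)] = (entry["GPO"], tuple(sorted(entry["values"])))

    for i, raw in enumerate(lines):
        line = raw.strip()
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        m = FIELD.match(raw)
        if not line:
            multi = False                  # blank line ends a multi-valued setting
        elif set(line) == {"-"}:
            pass                           # underline; its heading was handled already
        elif len(nxt) >= 3 and set(nxt) == {"-"}:
            flush()                        # heading: close the open entry first
            section, entry, multi = line, None, False
        elif m and m.group(1) == "GPO":
            flush()
            entry = {"GPO": m.group(2), "values": []}
        elif m and entry is not None:
            key, value = m.groups()
            if key in ("Computer Setting", "Value", "State"):
                entry["values"].append(value)
                multi = key == "Computer Setting"
            else:
                entry[key] = value         # Policy, ValueName or KeyName
        elif multi and entry is not None:
            entry["values"].append(line)   # further accounts holding a user right
    flush()
    return found

def compare(reference, other):
    """Settings missing from `other`, extra in it, or present with different values."""
    missing = sorted(k for k in reference if k not in other)
    extra = sorted(k for k in other if k not in reference)
    changed = sorted(k for k in reference
                     if k in other and reference[k][1] != other[k][1])
    return missing, extra, changed

# Constructed excerpts in the thread's report layout; DC02 lists accounts in another order.
DC01_SAMPLE = r"""
            User Rights
            -----------
                GPO: Default Domain Controllers Policy
                    Policy:            RemoteShutdownPrivilege
                    Computer Setting:  Administrators
                                       Server Operators

            Security Options
            ----------------
                GPO: Default Domain Policy
                    Policy:            PasswordComplexity
                    Computer Setting:  Enabled

                GPO: Default Domain Policy
                    Policy:            TicketValidateClient
                    Computer Setting:  Enabled

                GPO: Default Domain Controllers Policy
                    Policy:            @wsecedit.dll,-59059
                    ValueName:         MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
                    Computer Setting:  2"""

DC02_SAMPLE = r"""
            User Rights
            -----------
                GPO: Default Domain Controllers Policy
                    Policy:            RemoteShutdownPrivilege
                    Computer Setting:  Server Operators
                                       Administrators

            Security Options
            ----------------
                GPO: Default Domain Policy
                    Policy:            TicketValidateClient
                    Computer Setting:  Enabled

                GPO: Default Domain Controllers Policy
                    Policy:            @wsecedit.dll,-59059
                    ValueName:         MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
                    Computer Setting:  2"""

if __name__ == "__main__":
    dc01, dc02 = parse_gpresult(DC01_SAMPLE), parse_gpresult(DC02_SAMPLE)
    for key in compare(dc01, dc02)[0]:
        print(f"missing on DC02: [{key[0]}] {key[1]} (set by {dc01[key][0]})")
```

Entries defined by a registry value are keyed by their `ValueName` rather than the `@wsecedit.dll` resource id, and multi-account user rights are compared without regard to order.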
  • RSOP DC02:

    =========================================================================
    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 22-1-2014 at 11:40:29

     

    RSOP data for DomainName\Admin on DC02 : Logging Mode
    -----------------------------------------------------------------

    OS Configuration:            Additional/Backup Domain Controller
    OS Version:                  6.1.7601
    Site Name:                   HIA
    Roaming Profile:             N/A
    Local Profile:               C:\Users\Admin
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
        CN=DC02,OU=Domain Controllers,DC=DomainName,DC=local
        Last time Group Policy was applied: 22-1-2014 at 11:38:13
        Group Policy was applied from:      DC02.DomainName.local
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        DomainName
        Domain Type:                        Windows 2000

        Applied Group Policy Objects
        -----------------------------
            Default Domain Policy
            Default Domain Controllers Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

        The computer is a part of the following security groups
        -------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            BUILTIN\Pre-Windows 2000 Compatible Access
            BUILTIN\Users
            Windows Authorization Access Group
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            This Organization
            DC02$
            Domain Controllers
            NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
            Denied RODC Password Replication Group
            System Mandatory Level
           
        Resultant Set Of Policies for Computer
        ---------------------------------------

            Software Installations
            ----------------------
                N/A

            Startup Scripts
            ---------------
                N/A

            Shutdown Scripts
            ----------------
                N/A

            Account Policies
            ----------------
                GPO: Default Domain Policy
                    Policy:            MaxRenewAge
                    Computer Setting:  7

                GPO: Default Domain Policy
                    Policy:            MaxServiceAge
                    Computer Setting:  600

                GPO: Default Domain Policy
                    Policy:            MaxClockSkew
                    Computer Setting:  5

                GPO: Default Domain Policy
                    Policy:            MaxTicketAge
                    Computer Setting:  10

            Audit Policy
            ------------
                GPO: Default Domain Policy
                    Policy:            AuditPolicyChange
                    Computer Setting:  Success, Failure

                GPO: Default Domain Policy
                    Policy:            AuditAccountManage
                    Computer Setting:  Failure

                GPO: Default Domain Controllers Policy
                    Policy:            AuditObjectAccess
                    Computer Setting:  No Auditing

                GPO: Default Domain Policy
                    Policy:            AuditDSAccess
                    Computer Setting:  Failure

                GPO: Default Domain Policy
                    Policy:            AuditPrivilegeUse
                    Computer Setting:  Success, Failure

                GPO: Default Domain Policy
                    Policy:            AuditProcessTracking
                    Computer Setting:  Failure

                GPO: Default Domain Policy
                    Policy:            AuditAccountLogon
                    Computer Setting:  Failure

                GPO: Default Domain Policy
                    Policy:            AuditLogonEvents
                    Computer Setting:  Failure

                GPO: Default Domain Policy
                    Policy:            AuditSystemEvents
                    Computer Setting:  Failure

            User Rights
            -----------
                GPO: Default Domain Controllers Policy
                    Policy:            SyncAgentPrivilege
                    Computer Setting:  N/A

                GPO: Default Domain Controllers Policy
                    Policy:            MachineAccountPrivilege
                    Computer Setting:  Authenticated Users
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            ChangeNotifyPrivilege
                    Computer Setting:  DomainName\SQLServer2005MSSQLUser$DC01-HIA$MICROSOFT##SSEE
                                       Everyone
                                       Administrators
                                       Authenticated Users
                                       Pre-Windows 2000 Compatible Access
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            IncreaseBasePriorityPrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            CreateTokenPrivilege
                    Computer Setting:  N/A

                GPO: Default Domain Controllers Policy
                    Policy:            TakeOwnershipPrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            DenyInteractiveLogonRight
                    Computer Setting:  DomainName\SUPPORT_388945a0
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            RestorePrivilege
                    Computer Setting:  Administrators
                                       Backup Operators
                                       Server Operators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            DebugPrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            SystemTimePrivilege
                    Computer Setting:  LOCAL SERVICE
                                       Administrators
                                       Server Operators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            SecurityPrivilege
                    Computer Setting:  DomainName\Exchange Enterprise Servers
                                       Administrators
                                       DomainName\Exchange Servers
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            ShutdownPrivilege
                    Computer Setting:  Administrators
                                       Backup Operators
                                       Server Operators
                                       Print Operators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            AuditPrivilege
                    Computer Setting:  LOCAL SERVICE
                                       NETWORK SERVICE
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            InteractiveLogonRight
                    Computer Setting:  Administrators
                                       Backup Operators
                                       Account Operators
                                       Server Operators
                                       Print Operators
                                       DomainName\IUSR_DC01
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            CreatePagefilePrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            DenyNetworkLogonRight
                    Computer Setting:  DomainName\SUPPORT_388945a0
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            BatchLogonRight
                    Computer Setting:  DomainName\NL19686-a
                                       DomainName\svc-backup2
                                       DomainName\IIS_WPG
                                       DomainName\IWAM_DC01
                                       LOCAL SERVICE
                                       DomainName\SUPPORT_388945a0
                                       DomainName\Administrator
                                       DomainName\IUSR_DC01
                                       DomainName\admsrv
                                       DomainName\svc-backup
                                       DomainName\SQLServer2005MSSQLUser$DC01-HIA$MICROSOFT##SSEE
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            LockMemoryPrivilege
                    Computer Setting:  N/A

                GPO: Default Domain Policy
                    Policy:            NetworkLogonRight
                    Computer Setting:  Authenticated Users
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            CreatePermanentPrivilege
                    Computer Setting:  N/A

                GPO: Default Domain Controllers Policy
                    Policy:            SystemProfilePrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            TcbPrivilege
                    Computer Setting:  N/A

                GPO: Default Domain Controllers Policy
                    Policy:            DenyBatchLogonRight
                    Computer Setting:  N/A

                GPO: Default Domain Controllers Policy
                    Policy:            ServiceLogonRight
                    Computer Setting:  NETWORK SERVICE
                                       DomainName\admsrv
                                       DomainName\SQLServer2005MSSQLUser$DC01-HIA$MICROSOFT##SSEE
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            RemoteShutdownPrivilege
                    Computer Setting:  Administrators
                                       Server Operators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            BackupPrivilege
                    Computer Setting:  Administrators
                                       Backup Operators
                                       Server Operators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            EnableDelegationPrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            UndockPrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            SystemEnvironmentPrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            DenyServiceLogonRight
                    Computer Setting:  N/A

                GPO: Default Domain Controllers Policy
                    Policy:            LoadDriverPrivilege
                    Computer Setting:  Administrators
                                       Print Operators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            IncreaseQuotaPrivilege
                    Computer Setting:  DomainName\SQLServer2005MSSQLUser$DC01-HIA$MICROSOFT##SSEE
                                       LOCAL SERVICE
                                       NETWORK SERVICE
                                       Administrators
                                       DomainName\IWAM_DC01
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            ProfileSingleProcessPrivilege
                    Computer Setting:  Administrators
                                      
                GPO: Default Domain Controllers Policy
                    Policy:            AssignPrimaryTokenPrivilege
                    Computer Setting:  LOCAL SERVICE
                                       NETWORK SERVICE
                                       DomainName\IWAM_DC01
                                       DomainName\SQLServer2005MSSQLUser$DC01-HIA$MICROSOFT##SSEE
                                      
            Security Options
            ----------------
                GPO: Default Domain Policy
                    Policy:            TicketValidateClient
                    Computer Setting:  Enabled

                GPO: Default Domain Controllers Policy
                    Policy:            @wsecedit.dll,-59059
                    ValueName:         MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
                    Computer Setting:  2

                GPO: Default Domain Controllers Policy
                    Policy:            @wsecedit.dll,-59013
                    ValueName:         MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity
                    Computer Setting:  1

                GPO: Default Domain Controllers Policy
                    Policy:            @wsecedit.dll,-59043
                    ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
                    Computer Setting:  1

                GPO: Default Domain Controllers Policy
                    Policy:            @wsecedit.dll,-59044
                    ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
                    Computer Setting:  1

                GPO: Default Domain Controllers Policy
                    Policy:            @wsecedit.dll,-59018
                    ValueName:         MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
                    Computer Setting:  1

                GPO: Default Domain Policy
                    Policy:            @wsecedit.dll,-59031
                    ValueName:         MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning
                    Computer Setting:  14

            Event Log Settings
            ------------------
                N/A

            Restricted Groups
            -----------------
                N/A

            System Services
            ---------------
                N/A

            Registry Settings
            -----------------
                N/A

            File System Settings
            --------------------
                N/A

            Public Key Policies
            -------------------
                N/A

            Administrative Templates
            ------------------------
                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Group Policy\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}\NoGPOListChanges
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Group Policy\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}\NoSlowLink
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Group Policy\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}\NoBackgroundPolicy
                    Value:       0, 0, 0, 0
                    State:       Enabled

    =========================================================================

    Wednesday, January 22, 2014 11:13 AM
  • the password policies have applied on 02.

    Regards,

    Denis Cooper

    MCITP EA - MCT

    Help keep the forums tidy, if this has helped please mark it as an answer

    Wednesday, January 22, 2014 11:15 AM
  • Before, I checked it with rsop.msc. There it says not defined.

    But do you see the difference?:

    DC01:

     Account Policies
             ----------------
                 GPO: Default Domain Policy
                     Policy:            MaxRenewAge
                     Computer Setting:  7

                GPO: Default Domain Policy
                     Policy:            LockoutDuration
                     Computer Setting:  10

                GPO: Default Domain Policy
                     Policy:            MaximumPasswordAge
                     Computer Setting:  90

                GPO: Default Domain Policy
                     Policy:            MinimumPasswordAge
                     Computer Setting:  30

                GPO: Default Domain Policy
                     Policy:            ResetLockoutCount
                     Computer Setting:  10

                GPO: Default Domain Policy
                     Policy:            MaxServiceAge
                     Computer Setting:  600

                GPO: Default Domain Policy
                     Policy:            LockoutBadCount
                     Computer Setting:  5

                GPO: Default Domain Policy
                     Policy:            MaxClockSkew
                     Computer Setting:  5

                GPO: Default Domain Policy
                     Policy:            MaxTicketAge
                     Computer Setting:  10

                GPO: Default Domain Policy
                     Policy:            PasswordHistorySize
                     Computer Setting:  10

                GPO: Default Domain Policy
                     Policy:            MinimumPasswordLength
                     Computer Setting:  8


    DC02:

           Account Policies
             ----------------
                 GPO: Default Domain Policy
                     Policy:            MaxRenewAge
                     Computer Setting:  7

                GPO: Default Domain Policy
                     Policy:            MaxServiceAge
                     Computer Setting:  600

                GPO: Default Domain Policy
                     Policy:            MaxClockSkew
                     Computer Setting:  5

                GPO: Default Domain Policy
                     Policy:            MaxTicketAge
                     Computer Setting:  10

    Wednesday, January 22, 2014 11:20 AM
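The DC01/DC02 comparison from the post above, done mechanically. This is an added example, not part of the thread: it parses the GPO / Policy / Computer Setting blocks in the gpresult layout shown here and lists which settings one DC's report lacks. The function names and the trimmed sample text are constructed for illustration.

```python
import re
FIELD = re.compile(r"^\s*(GPO|Policy|ValueName|Computer Setting):\s*(.*)$")
RULE = re.compile(r"^\s*-{3,}\s*$")  # dashes underlining a section title

def parse_gpresult(text):
    """Return {section: {policy: (gpo, [values])}} from gpresult verbose text."""
    out, section, gpo, policy, prev = {}, None, None, None, ""
    for line in text.splitlines():
        m = FIELD.match(line)
        if not line.strip():
            policy = None                      # a blank line ends the current entry
        elif RULE.match(line):
            section, policy = prev.strip(), None   # title is the line above the rule
            out.setdefault(section, {})
        elif m and m.group(1) == "GPO":
            gpo, policy = m.group(2).strip(), None
        elif m and m.group(1) in ("Policy", "ValueName"):
            policy = m.group(2).strip()        # a ValueName path replaces the resource id
        elif m and section is not None and policy:
            out[section][policy] = (gpo, [m.group(2).strip()])
        elif section is not None and policy in out[section]:
            out[section][policy][1].append(line.strip())  # extra principal on its own line
        if line.strip():
            prev = line
    return out

def compare(reference, other, section):
    """Settings in `reference` that `other` lacks or reports with another value."""
    ref, oth = reference.get(section, {}), other.get(section, {})
    missing = sorted(set(ref) - set(oth))
    changed = sorted(p for p in set(ref) & set(oth) if ref[p][1] != oth[p][1])
    return missing, changed

# Constructed sample input: a subset of the DC01 / DC02 excerpts posted above.
DC01 = """
Account Policies
----------------
    GPO: Default Domain Policy
        Policy:            MaxRenewAge
        Computer Setting:  7

    GPO: Default Domain Policy
        Policy:            MinimumPasswordLength
        Computer Setting:  8
"""
DC02 = """
Account Policies
----------------
    GPO: Default Domain Policy
        Policy:            MaxRenewAge
        Computer Setting:  7
"""
if __name__ == "__main__":
    print(compare(parse_gpresult(DC01), parse_gpresult(DC02), "Account Policies"))
```

A setting listed as missing here is missing from that DC's report only; the thread goes on to discuss whether it is actually in effect.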
  • the gpresults show fine - did you re-run the rsop?

    Regards,

    Denis Cooper

    MCITP EA - MCT

    Help keep the forums tidy, if this has helped please mark it as an answer

    Wednesday, January 22, 2014 11:44 AM
  • Yes, and I just did another one:

    But how do you explain the difference in the rsop of DC01 and 02?

    Still says not defined..

    Cannot post images yet..

    Wednesday, January 22, 2014 12:05 PM
  • I'm not sure why you are seeing not defined in rsop, but the GPO is being applied, as we see through gpresult. GPresult is the tool of choice for troubleshooting GPOs.

    Are your event logs showing any errors on the DCs?

    Are you able to restart either dc02 or dc03?


    Regards,

    Denis Cooper

    MCITP EA - MCT

    Help keep the forums tidy, if this has helped please mark it as an answer

    Wednesday, January 22, 2014 12:12 PM
  • No errors in the event logs, just some warnings but nothing about GPOs.
    Wednesday, January 22, 2014 12:39 PM
  • Hi Arjan,

    Based on my research, in each domain, GPMC uses the same domain controller for all operations in that domain, PDC by default, in order to avoid synchronization issues.

    Would you please tell us whether DC1 is the PDC emulator?

    If yes, then this behavior is normal; you can refer to the KB article below:

    Some security policies are displayed as "Not Defined" in the RSoP snap-in on a Windows Server 2003, 2008 or 2008 R2 based domain controller

    http://support.microsoft.com/kb/927908/en-us

    You can verify whether the account policies have been replicated to DC2 and DC3 by running the net accounts /domain command on them.

    More information for you:

    Group Policy Replication and Domain Controller Selection (Group Policy Infrastructure)

    http://technet.microsoft.com/en-us/library/cc779403(v=WS.10).aspx

    I hope this helps.

    Best Regards,

    Amy Wang

    Tuesday, January 28, 2014 2:50 AM