Password Policy Not Working

    Question

  • Hello,

    I have the password policy shown below and it seems not to be working. It is Link Enabled but not Enforced, and it is the only password policy in the domain. One domain controller is 2012 R2 and the other one is 2008 R2, with the functional level set to 2008 R2.

    When I run Group Policy Modeling, I get an AD / SYSVOL Version Mismatch alert.

    Any suggestions will be very much appreciated.

    Thank You

    Thursday, November 17, 2016 3:56 PM

All replies

  • Hi,
    If you run the Group Policy Modeling Wizard from the Group Policy Management Console (GPMC) snap-in and the message "AD / SYSVOL version mismatch" is displayed unexpectedly, please check the following KB to see if it works:
    "AD / SYSVOL version mismatch" message is displayed unexpectedly in the Group Policy Results report in Windows
    https://support.microsoft.com/en-us/kb/2866345
    Regarding the password policy not working in the Default Domain Policy, please try disabling the Block Policy Inheritance option on the Domain Controllers organizational unit. Please check:
    Changes are not applied when you change the password policy
    https://support.microsoft.com/en-sg/kb/269236
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, November 18, 2016 5:30 AM
    Moderator
  • Thank you for your response. I had tried the hotfix and got the following error. The option to disable Block Policy Inheritance is not available in my Windows 2012 R2 Domain Controllers OU. In the Group Policy Management MMC, there are no blue icons. I think a blue icon means Block Inheritance is on.


    • Edited by perland Friday, November 18, 2016 3:34 PM typo
    Friday, November 18, 2016 3:33 PM
  • Hi,
    Please try this one:
    https://support.microsoft.com/en-us/kb/2919394
    Best regards,
    Wendy

    Monday, November 21, 2016 2:31 AM
    Moderator
  • Had also tried that and got the error below. Thank You.


    Tuesday, November 22, 2016 5:18 PM
  • It seems to be working now. I think what fixed it was running the dcgpofix tool that restores the Default Domain Policy and Default Domain Controller Policy to their "day one" condition.

    Note the warning below when running the said tool.

    WARNING: YOU WILL LOSE ANY CHANGES YOU HAVE MADE TO THESE GPOs. THIS UTILITY
    IS INTENDED ONLY FOR DISASTER RECOVERY PURPOSES.

    I still get AD / SYSVOL Version Mismatch, but all group policies work so I will leave it as is.

    • Marked as answer by perland Wednesday, November 23, 2016 6:44 PM
    Wednesday, November 23, 2016 6:44 PM
  • Hi,
    Great, and I appreciate your update and sharing.
    Best regards,
    Wendy

    Thursday, November 24, 2016 1:37 AM
    Moderator
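
The checks discussed in this thread (effective password policy, AD / SYSVOL version numbers, Block Inheritance on the Domain Controllers OU) can be gathered read-only before resorting to dcgpofix. This is an added example, not part of the original thread; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that the Default Domain Policy still uses its well-known GUID.

```powershell
# Added diagnostic example (not from the thread). Read-only: it changes nothing.
# Assumes RSAT ActiveDirectory and GroupPolicy modules on a domain-joined host.
Import-Module ActiveDirectory, GroupPolicy

# Well-known GUID of the Default Domain Policy GPO.
$ddpGuid = '31B2F340-016D-11D2-945F-00C04FB984F9'
$domain  = Get-ADDomain

# 1. Password policy values currently stored on the domain object.
#    If these differ from the GPO settings, the GPO is not being applied.
Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot |
    Select-Object MinPasswordLength, PasswordHistoryCount, ComplexityEnabled,
                  MinPasswordAge, MaxPasswordAge, LockoutThreshold |
    Format-List

# 2. AD (DSVersion) and SYSVOL (SysvolVersion) numbers for the Default Domain
#    Policy, as reported when each domain controller is queried in turn.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $gpo = Get-GPO -Guid $ddpGuid -Domain $domain.DNSRoot `
                       -Server $dc.HostName -ErrorAction Stop
        [pscustomobject]@{
            DC             = $dc.HostName
            ComputerAD     = $gpo.Computer.DSVersion
            ComputerSysvol = $gpo.Computer.SysvolVersion
            UserAD         = $gpo.User.DSVersion
            UserSysvol     = $gpo.User.SysvolVersion
            Mismatch       = ($gpo.Computer.DSVersion -ne $gpo.Computer.SysvolVersion) -or
                             ($gpo.User.DSVersion -ne $gpo.User.SysvolVersion)
            Error          = $null
        }
    } catch {
        # An unreachable DC is reported rather than silently skipped.
        [pscustomobject]@{
            DC = $dc.HostName; ComputerAD = $null; ComputerSysvol = $null
            UserAD = $null; UserSysvol = $null; Mismatch = $null
            Error = $_.Exception.Message
        }
    }
}
$report | Format-Table -AutoSize

# 3. Block Inheritance state on the Domain Controllers OU
#    (the setting shown as a blue icon in GPMC).
Get-GPInheritance -Target $domain.DomainControllersContainer |
    Select-Object Path, GpoInheritanceBlocked
```

Saving this output before and after running dcgpofix gives a record of what the reset actually changed.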