Default Domain Policy and Password Policy problem

    Question

  • Hi, I have inherited a Server 2003 R2 domain which has not been maintained very well. There are a lot of issues with passwords, authentication, etc.

    One problem I am having an issue with is that users are being asked to change passwords every 14 days despite the Default Domain Policy - Account Policies - Password Policy - Min and Max password age not being defined and password complexity being disabled.

    This is reflected in all policies linked to OUs as well.

    I can't seem to see why this is happening. We are also getting trust relationship issues where users cannot log on and the laptop needs to be taken off the domain and added again for the user to log on.

    Any help with this would be appreciated.

    One other thing..... 

    I also have a logon script running that maps a network drive via a .vbs script, a simple one. The XP machines get the mapped drive, but not one of the Vista machines has the drive mapped. Any ideas on this?

    cheers in advance

    Jason
    Sydney Australia
    Tuesday, August 11, 2009 7:13 AM

Answers

All replies

  • Hi Jason,


    1) Did you try running gpresult or RSOP on the clients to check which policies are applied? I am pretty much sure this setting is sitting somewhere but you cannot find it.

    2) With regards to the script, did you try running this script on Vista machines manually to make sure that the script can be executed on Vista? Maybe it is just incompatible with Vista, as XP and Vista have differences in the Registry. You can try adding a *.bat file with a "net use" command in it; it may help you to resolve the issue.

    strength is in justice
    Tuesday, August 11, 2009 3:48 PM
  • Hi Jason,

    Thank you for posting here. In order to keep track of troubleshooting and avoid confusion, I suggest we focus on one issue currently.

    In Microsoft Windows 2000 and Windows Server 2003 Active Directory domains, you could apply only one password and account lockout policy, which is specified in the domain's Default Domain Policy, to all users in the domain.

    As Kudrat suggested, please run "gpresult /v" or rsop.msc to find the GPO and change policy accordingly. If necessary, you can save the report by running "gpresult /v >>C:\gp.txt" and paste here for research.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Wednesday, August 12, 2009 2:59 AM
    Moderator
  • Hi and thanks for your reply.

    Yes, I should have mentioned this. I have run gpresult on the clients, and the policies that are being applied do not have any password change enforcement in them. This is what is confusing me. The only way at the moment I can stop the request to change passwords is to go into the properties of each user in the domain and check "Password never expires". Very tiresome!!

    Is there a security template that could have been applied that would enforce such actions on the domain? From what I can see, it is not a GP that is in place that is causing it.

    In relation to the script, yes, it does run locally if executed. It is just not applying over the network, either via an Ethernet connection or the wireless connection. All the XP machines work, but not one Vista machine works. The AD schema has been extended.

    Can I get some more info on the .bat file with a net use command?

    Please excuse my lack of experience.

    thanks in advance.
    Wednesday, August 12, 2009 3:04 AM
  • Mervyn,
    thanks for your reply.

    I have posted the contents of the gpresult.

    Thanks in advance


    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 8/12/2009 at 3:29:10 PM


    RSOP data for SSMS\liz.ghali on LIZLAPTOP : Logging Mode
    ---------------------------------------------------------

    OS Configuration:            Member Workstation
    OS Version:                  6.0.6002
    Site Name:                   Gymea-Campus
    Roaming Profile:             N/A
    Local Profile:               C:\Users\liz.ghali
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
        CN=LIZLAPTOP,CN=Computers,DC=___,DC=___,DC=___,DC=com
        Last time Group Policy was applied: 8/12/2009 at 2:31:27 PM
        Group Policy was applied from:      schoolDC2.__________
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        SSMS
        Domain Type:                        Windows 2000

        Applied Group Policy Objects
        -----------------------------
            Default Domain Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

        The computer is a part of the following security groups
        -------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            IIS_WPG
            BUILTIN\Users
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            This Organization
            LIZLAPTOP$
            Domain Computers
            System Mandatory Level
           
        Resultant Set Of Policies for Computer
        ---------------------------------------

            Software Installations
            ----------------------
                N/A

            Startup Scripts
            ---------------
                N/A

            Shutdown Scripts
            ----------------
                N/A

            Account Policies
            ----------------
                GPO: Default Domain Policy
                    Policy:            PasswordHistorySize
                    Computer Setting:  N/A

                GPO: Default Domain Policy
                    Policy:            MinimumPasswordLength
                    Computer Setting:  2

            Audit Policy
            ------------
                GPO: Default Domain Policy
                    Policy:            AuditPolicyChange
                    Computer Setting:  Success, Failure

                GPO: Default Domain Policy
                    Policy:            AuditAccountManage
                    Computer Setting:  Success

                GPO: Default Domain Policy
                    Policy:            AuditObjectAccess
                    Computer Setting:  Success, Failure

                GPO: Default Domain Policy
                    Policy:            AuditDSAccess
                    Computer Setting:  Success, Failure

                GPO: Default Domain Policy
                    Policy:            AuditPrivilegeUse
                    Computer Setting:  Success, Failure

                GPO: Default Domain Policy
                    Policy:            AuditProcessTracking
                    Computer Setting:  Success, Failure

                GPO: Default Domain Policy
                    Policy:            AuditAccountLogon
                    Computer Setting:  Success, Failure

                GPO: Default Domain Policy
                    Policy:            AuditLogonEvents
                    Computer Setting:  Success, Failure

                GPO: Default Domain Policy
                    Policy:            AuditSystemEvents
                    Computer Setting:  Success, Failure

            User Rights
            -----------
                GPO: Default Domain Policy
                    Policy:            MachineAccountPrivilege
                    Computer Setting:  SSMS\Administrator
                                       SSMS\hani
                                       SSMS\jason
                                       SSMS\Teachers
                                      
                GPO: Default Domain Policy
                    Policy:            TakeOwnershipPrivilege
                    Computer Setting:  SSMS\jason
                                       SSMS\Enterprise Admins
                                      
                GPO: Default Domain Policy
                    Policy:            ShutdownPrivilege
                    Computer Setting:  Everyone
                                      
                GPO: Default Domain Policy
                    Policy:            InteractiveLogonRight
                    Computer Setting:  Administrators
                                       Authenticated Users
                                       Everyone
                                       SSMS\Domain Users
                                       SSMS\HighSchool Students
                                       SSMS\Remote Access
                                       SSMS\Teachers
                                       Users
                                      
                GPO: Default Domain Policy
                    Policy:            NetworkLogonRight
                    Computer Setting:  SSMS\Teachers
                                       SSMS\HighSchool Students
                                       SSMS\Administrator
                                       Everyone
                                      
                GPO: Default Domain Policy
                    Policy:            TcbPrivilege
                    Computer Setting:  SSMS\Administrator
                                      
                GPO: Default Domain Policy
                    Policy:            RemoteShutdownPrivilege
                    Computer Setting:  SSMS\Domain Admins
                                      
                GPO: Default Domain Policy
                    Policy:            RemoteInteractiveLogonRight
                    Computer Setting:  SSMS\test.student
                                       SSMS\student
                                       SSMS\liz.ghali
                                       SSMS\jason
                                       SSMS\hani
                                       SSMS\Administrator
                                      
            Security Options
            ----------------
                GPO: Default Domain Policy
                    Policy:            PasswordComplexity
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            ClearTextPassword
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            ForceLogoffWhenHourExpire
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            RequireLogonToChangePassword
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            EnableAdminAccount
                    Computer Setting:  Enabled

                GPO: Default Domain Policy
                    Policy:            @wsecedit.dll,-59022
                    ValueName:         MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD
                    Computer Setting:  1

                GPO: Default Domain Policy
                    Policy:            @wsecedit.dll,-59043
                    ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
                    Computer Setting:  0

                GPO: Default Domain Policy
                    Policy:            @wsecedit.dll,-59044
                    ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
                    Computer Setting:  0

                GPO: Default Domain Policy
                    Policy:            @wsecedit.dll,-59055
                    ValueName:         MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest
                    Computer Setting:  0

                GPO: Default Domain Policy
                    Policy:            @wsecedit.dll,-59018
                    ValueName:         MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
                    Computer Setting:  0

            Event Log Settings
            ------------------
                GPO: Default Domain Policy
                    Policy:            MaximumLogSize
                    Computer Setting:  16384
                    Log Name:          Security

                GPO: Default Domain Policy
                    Policy:            RetentionDays
                    Computer Setting:  0
                    Log Name:          Application

                GPO: Default Domain Policy
                    Policy:            MaximumLogSize
                    Computer Setting:  16384
                    Log Name:          Application

                GPO: Default Domain Policy
                    Policy:            RetentionDays
                    Computer Setting:  0
                    Log Name:          Security

                GPO: Default Domain Policy
                    Policy:            MaximumLogSize
                    Computer Setting:  16384
                    Log Name:          System

                GPO: Default Domain Policy
                    Policy:            RetentionDays
                    Computer Setting:  0
                    Log Name:          System

            Restricted Groups
            -----------------
                N/A

            System Services
            ---------------
                GPO: Default Domain Policy
                    ServiceName: TermService
                    Startup:     Automatic

            Registry Settings
            -----------------
                N/A

            File System Settings
            --------------------
                N/A

            Public Key Policies
            -------------------
                N/A

            Administrative Templates
            ------------------------
                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows NT\DNSClient\RegisterReverseLookup
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows NT\Terminal Services\Shadow
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows NT\DNSClient\RegistrationEnabled
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowSP
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Network Connections\NC_ShowSharedAccessUI
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows NT\Reliability\ShutdownReasonUI
                    State:       disabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows NT\Reliability\ShutdownReasonOn
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows NT\Terminal Services\fWritableTSCCPermTab
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\System\GroupPolicyRefreshTime
                    Value:       160, 5, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Cryptography\AutoEnrollment\AEPolicy
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\System\GroupPolicyRefreshTimeOffset
                    Value:       224, 1, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows NT\Printers\ServerThread
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Network Connections\NC_PersonalFirewallConfig
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon\SyncForegroundPolicy
                    Value:       1, 0, 0, 0
                    State:       Enabled


    USER SETTINGS
    --------------
        CN=Liz Ghali,OU=Admins,DC=___,DC=___,DC=___,DC=com
        Last time Group Policy was applied: 8/12/2009 at 3:15:50 PM
        Group Policy was applied from:      schoolDC2.__________
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        SSMS
        Domain Type:                        Windows 2000
       
        Applied Group Policy Objects
        -----------------------------
            Proxy On
            Default Domain Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

        The user is a part of the following security groups
        ---------------------------------------------------
            Domain Users
            Everyone
            BUILTIN\Administrators
            BUILTIN\Users
            NT AUTHORITY\INTERACTIVE
            NT AUTHORITY\Authenticated Users
            This Organization
            LOCAL
            outlook backup users
            Office Administration
            Teachers
            Remote Access
            IM Allowed
            High Mandatory Level
           
        The user has the following security privileges
        ----------------------------------------------

            Bypass traverse checking
            Shut down the system
            Manage auditing and security log
            Back up files and directories
            Restore files and directories
            Change the system time
            Debug programs
            Modify firmware environment values
            Profile system performance
            Profile single process
            Increase scheduling priority
            Load and unload device drivers
            Create a pagefile
            Adjust memory quotas for a process
            Remove computer from docking station
            Perform volume maintenance tasks
            Impersonate a client after authentication
            Create global objects
            Change the time zone
            Create symbolic links
            Increase a process working set
            Add workstations to domain

        Resultant Set Of Policies for User
        -----------------------------------

            Software Installations
            ----------------------
                N/A

            Logon Scripts
            -------------
                GPO: Default Domain Policy
                    Name:         school_network_drive_1.vbs
                    Parameters:  
                    LastExecuted: This script has not yet been executed.

            Logoff Scripts
            --------------
            Public Key Policies
            -------------------
                N/A

            Administrative Templates
            ------------------------
                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows NT\SharedFolders\PublishSharedFolders
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAddPrinter
                    State:       disabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\ServerList
                    State:       disabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\TrustedServers
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\Restricted
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\InForest
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows NT\Printers\Wizard\Printers Page URL
                    Value:       104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 115, 0, 99, 0, 104, 0, 111, 0, 111, 0, 108, 0, 100, 0, 99, 0, 47, 0, 112, 0, 114, 0, 105, 0, 110, 0, 116, 0, 101, 0, 114, 0, 115, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows NT\Printers\Wizard\Downlevel Browse
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\DisableWindowsUpdateAccess
                    State:       disabled

            Folder Redirection
            ------------------
                N/A

            Internet Explorer Browser User Interface
            ----------------------------------------
                GPO: Proxy On
                    Large Animated Bitmap Name:      N/A
                    Large Custom Logo Bitmap Name:   N/A
                    Title BarText:                   N/A
                    UserAgent Text:                  N/A
                    Delete existing toolbar buttons: No

            Internet Explorer Connection
            ----------------------------
                HTTP Proxy Server:   10.0.0.254:8080
                Secure Proxy Server: 10.0.0.254:8080
                FTP Proxy Server:    10.0.0.254:8080
                Gopher Proxy Server: 10.0.0.254:8080
                Socks Proxy Server:  10.0.0.254:8080
                Auto Config Enable:  Yes
                Enable Proxy:        No
                Use same Proxy:      Yes

                HTTP Proxy Server:   10.0.0.254:8080
                Secure Proxy Server: 10.0.0.254:8080
                FTP Proxy Server:    10.0.0.254:8080
                Gopher Proxy Server: 10.0.0.254:8080
                Socks Proxy Server:  10.0.0.254:8080
                Auto Config Enable:  No
                Enable Proxy:        Yes
                Use same Proxy:      Yes

            Internet Explorer URLs
            ----------------------
                GPO: Proxy On
                    Home page URL:           N/A
                    Search page URL:         N/A
                    Online support page URL: N/A

                URL:                    http://www.google.com.au
                Make Available Offline: No

                URL:                    
                Make Available Offline: No

            Internet Explorer Security
            --------------------------
                Always Viewable Sites:     N/A
                Password Override Enabled: False

                Always Viewable Sites:     N/A
                Password Override Enabled: False

                GPO: Proxy On
                    Import the current Content Ratings Settings:      No
                    Import the current Security Zones Settings:       No
                    Import current Authenticode Security Information: No
                    Enable trusted publisher lockdown:                No

            Internet Explorer Programs
            --------------------------
                GPO: Proxy On
                    Import the current Program Settings: No

    Wednesday, August 12, 2009 5:45 AM


  • Can I get some more info on the .bat file with a net use command?

    You have to create a *.txt file and put the following information in it:

        net use k: \\server\share

    where:

    k:               is the letter you want to assign to your mapped drive
    \\server\share   is the UNC path to the shared folder which you want to connect as a mapped drive.

    Once you've done that, rename the file to *.bat.

    strength is in justice
    Wednesday, August 12, 2009 8:15 AM
  • Hi,

    The Vista mapped Drive issue may be caused by UAC, please refer to the following thread:

    Can't Map Drives via GPO Logon JScript
    http://social.technet.microsoft.com/forums/en-US/winserverGP/thread/c79bcdbb-c00c-4126-a441-293a5caf13fc

    As a workaround, you can use the following script to set the Password Never Expires attribute for users.

    How Can I Configure an Active Directory Account So the Password Never Expires?
    http://www.microsoft.com/technet/scriptcenter/resources/qanda/oct06/hey1031.mspx .

    However, it is not suggested to enable the Password Never Expires attribute for all users.

    Please help to collect the gpresult of the Domain Controller for research. Or open gpedit.msc to check the Local Policy on the DC. If the DC Local Policy was configured, please refer to the following article to set the maximum password age policy.

    How maximum password age is implemented
    http://support.microsoft.com/kb/236373

    Thanks.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Wednesday, August 12, 2009 11:07 AM
    Moderator
  • Hi,

    Do you need any other assistance? If there is anything we can do for you, please let us know.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, August 17, 2009 6:18 AM
    Moderator
  • I will post the gpresult from the DC as well as it is not the default GP on the domain that is causing the password changes.

    If the domain controller is set to have a password change policy, then why would that cause it to happen to users on the domain? Should that not be specific to users logging on to the domain controller?

    thanks
    Thursday, August 20, 2009 2:27 AM
  • Hi,

    All user password operations are performed on the DC even if the user is not logged on to the DC. This requires that the user password meet the Domain Controller Policy.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, August 24, 2009 7:19 AM
    Moderator
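As an added example (not from the thread or from Microsoft), a read-only PowerShell check that follows up on Mervyn's point: instead of hunting through GPOs, read the policy the domain itself is enforcing from the domain naming context, then work out the resulting expiry date for one account. It assumes a domain-joined machine, an ordinary domain user running it, and a sAMAccountName passed as the parameter (it defaults to the current user); the domain-wide numbers are the same ones "net accounts /domain" prints.

```powershell
# Added example: report the password policy the domain actually enforces and
# the expiry date it produces for one account. Read-only; no AD module needed
# (Windows PowerShell 1.0/2.0 era, System.DirectoryServices only).
param([string]$SamAccountName = $env:USERNAME)  # assumption: caller's own account by default

# Locate the domain head object (DC=...,DC=com). On Server 2003 this one object
# carries the only password policy the domain can have, whichever GPO wrote it.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = $rootDse.Properties["defaultNamingContext"][0]

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$domainDn"
$searcher.SearchScope = "Base"
$searcher.Filter      = "(objectClass=domainDNS)"
[void]$searcher.PropertiesToLoad.AddRange(
    @("maxPwdAge", "minPwdAge", "minPwdLength", "pwdHistoryLength", "pwdProperties", "lockoutThreshold"))
$dom = $searcher.FindOne()
if ($dom -eq $null) { throw "Could not read $domainDn" }

# maxPwdAge / minPwdAge are stored as NEGATIVE 100-nanosecond intervals.
# Int64.MinValue in maxPwdAge means "passwords never expire".
$maxPwdAge    = [long]$dom.Properties["maxpwdage"][0]
$minPwdAge    = [long]$dom.Properties["minpwdage"][0]
$neverExpires = ($maxPwdAge -eq [long]::MinValue)
if ($neverExpires) { $maxDays = "never" } else { $maxDays = [TimeSpan]::FromTicks(-$maxPwdAge).TotalDays }
$minDays = [TimeSpan]::FromTicks(-$minPwdAge).TotalDays
$complex = (([int]$dom.Properties["pwdproperties"][0]) -band 1) -ne 0   # DOMAIN_PASSWORD_COMPLEX bit

"Domain:                  $domainDn"
"Maximum password age:    $maxDays days"
"Minimum password age:    $minDays days"
"Minimum password length: $($dom.Properties['minpwdlength'][0])"
"Password history:        $($dom.Properties['pwdhistorylength'][0])"
"Complexity required:     $complex"
"Lockout threshold:       $($dom.Properties['lockoutthreshold'][0])"

# Now the account: when was its password last set, and is it exempt from expiry?
$searcher.SearchScope = "Subtree"
$searcher.Filter      = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
$searcher.PropertiesToLoad.Clear()
[void]$searcher.PropertiesToLoad.AddRange(@("pwdLastSet", "userAccountControl"))
$usr = $searcher.FindOne()
if ($usr -eq $null) { throw "User $SamAccountName not found in $domainDn" }

$pwdLastSet = [long]$usr.Properties["pwdlastset"][0]     # FILETIME; 0 = must change at next logon
$uac        = [int]$usr.Properties["useraccountcontrol"][0]
$dontExpire = ($uac -band 0x10000) -ne 0                   # ADS_UF_DONT_EXPIRE_PASSWD ("Password never expires")

""
"Account:                 $SamAccountName"
if ($pwdLastSet -eq 0) {
    "Password last set:       never (must change at next logon)"
} elseif ($dontExpire -or $neverExpires) {
    "Password last set:       $([DateTime]::FromFileTime($pwdLastSet))"
    "Password expires:        never (flag on account: $dontExpire, domain policy: $neverExpires)"
} else {
    # Expiry = pwdLastSet + maxPwdAge (maxPwdAge is negative, so subtract it).
    # If this comes out 14 days after the last change, the domain head is the source of the 14-day prompts.
    $expires = [DateTime]::FromFileTime($pwdLastSet - $maxPwdAge)
    "Password last set:       $([DateTime]::FromFileTime($pwdLastSet))"
    "Password expires:        $expires"
}
```

If the maximum age printed here does not match what any GPO in gpresult shows, whichever GPO last wrote the domain head (on a DC) is the one to find; on Server 2003 there are no per-user policy objects that could override it.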
  • Hi,

    Is there anything we can do for you? If so, please let us know, we will try our best to help.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, September 03, 2009 6:03 AM
    Moderator