NT AUTHORITY\SYSTEM Modified Default Domain Policy

Question
-
We changed our account lockout policy back in March and our password policy the first week of April. Today, we realized the changes weren't being enforced and when reviewing the settings in the default domain policy, we noticed the password and account lockout policy settings were reverted back to the original values we had set for years. After some research we found that the computer account (NT AUTHORITY\SYSTEM) on our PDC modified the settings one week to the day after we modified the password policy. No AD restore was done.
What would cause the computer account on the PDC to change the password policy and account lockout policy settings back to the original settings we've been using for years?
I've been combing through logs, forums, blogs, etc. for hours looking for an answer to this and no luck as yet, so I'm hoping someone on here may have some insight.
- Edited by MsBrowning Thursday, May 24, 2012 6:45 PM
All replies
-
Hi,
How many DC do you have in your Domain?
Modify the password Group Policy settings on one DC and check the GPO status on another DC to make sure the modifications replicate successfully.
> we noticed the password and account lockout policy settings were reverted back to the original values we
> had set for years.
Do you mean reverted to the system default values or to your own defined values?
Run the commands below and check the result:
At the command prompt, type the command below, and then press ENTER:
secedit /refreshpolicy user_policy /enforce
At the command prompt, type the command below, and then press ENTER:
secedit /refreshpolicy machine_policy /enforce
For more information please refer to following MS articles:
Using SECEDIT to Force a Group Policy Refresh Immediately
http://support.microsoft.com/kb/227302
Lawrence
TechNet Community Support
- Marked as answer by Lawrence,Moderator Monday, June 4, 2012 1:11 AM
- Unmarked as answer by MsBrowning Thursday, June 21, 2012 7:31 PM
-
Something similar has happened to me as well... The values also appear to have reverted.
Alan Burchill (MVP)
http://www.grouppolicy.biz
@alanburchill
-
Drum roll... The answer is: if someone changed the local security policy setting on a local DC (e.g. using the net command to change the password or account lockout settings), then this change will be pushed into the Default Domain GPO so that the password policy is consistent for the entire domain.
Moral of the story is, don't try to modify the local security policy on any domain controller, as this could trigger it to be pushed out to the entire domain.
Hope it helps.
Alan Burchill (MVP)
http://www.grouppolicy.biz
@alanburchill
- Proposed as answer by Alan Burchill Monday, May 30, 2016 11:25 PM
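To check for this kind of drift in your own domain, here is an added example in PowerShell; it is not code from the thread or from any of the posters. It reads the password and lockout values from the Default Domain Policy's GptTmpl.inf in SYSVOL, compares them with the policy the PDC emulator is actually enforcing, reports when the GPO was last written, and lists Security event 4739 ("Domain Policy was changed") from the PDC emulator so you can see which account wrote the domain policy directly. It assumes the RSAT ActiveDirectory and GroupPolicy modules, read access to SYSVOL and to the PDC emulator's Security log, and that the "Authentication Policy Change" audit subcategory is enabled (otherwise no 4739 events exist). The treatment of "never"/"until an administrator unlocks" values is an assumption noted in the code.

```powershell
# Added example (not from the thread): detect drift between the Default Domain Policy
# GPO template and the domain password/lockout policy AD is enforcing.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator
$gpo    = Get-GPO -Name 'Default Domain Policy' -Domain $domain.DNSRoot

# GptTmpl.inf lives in SYSVOL under the GPO's GUID; its [System Access] section holds
# the password and lockout values (ages in days, lockout windows in minutes).
$inf = Join-Path "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\{$($gpo.Id)}" `
                 'MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'

function Get-SystemAccessSection {
    param([string]$Path)
    $section = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $Path -Encoding Unicode) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') { $section[$Matches[1]] = [int]$Matches[2] }
    }
    return $section
}

# The template encodes "never" / "until an administrator unlocks" as -1; the cmdlet
# returns a very large TimeSpan for those. Assumption: anything over 100 years is -1.
function ConvertTo-TemplateUnits([timespan]$Span, [string]$Unit) {
    if ($Span.TotalDays -gt 36500) { return -1 }
    if ($Unit -eq 'Days') { [int]$Span.TotalDays } else { [int]$Span.TotalMinutes }
}

$tmpl = Get-SystemAccessSection -Path $inf
# Read the effective policy from the PDC emulator, where the Default Domain Policy is applied.
$live = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot -Server $pdc

# Map GptTmpl.inf keys to the cmdlet's properties, normalising units.
$rows = @(
    @{ Key='MinimumPasswordLength'; Gpo=$tmpl['MinimumPasswordLength']; Live=$live.MinPasswordLength }
    @{ Key='PasswordHistorySize';   Gpo=$tmpl['PasswordHistorySize'];   Live=$live.PasswordHistoryCount }
    @{ Key='PasswordComplexity';    Gpo=$tmpl['PasswordComplexity'];    Live=[int]$live.ComplexityEnabled }
    @{ Key='MaximumPasswordAge';    Gpo=$tmpl['MaximumPasswordAge'];    Live=(ConvertTo-TemplateUnits $live.MaxPasswordAge 'Days') }
    @{ Key='MinimumPasswordAge';    Gpo=$tmpl['MinimumPasswordAge'];    Live=(ConvertTo-TemplateUnits $live.MinPasswordAge 'Days') }
    @{ Key='LockoutBadCount';       Gpo=$tmpl['LockoutBadCount'];       Live=$live.LockoutThreshold }
    @{ Key='LockoutDuration';       Gpo=$tmpl['LockoutDuration'];       Live=(ConvertTo-TemplateUnits $live.LockoutDuration 'Minutes') }
    @{ Key='ResetLockoutCount';     Gpo=$tmpl['ResetLockoutCount'];     Live=(ConvertTo-TemplateUnits $live.LockoutObservationWindow 'Minutes') }
)
foreach ($r in $rows) {
    [pscustomobject]@{ Setting=$r.Key; InGpoTemplate=$r.Gpo; EnforcedInAD=$r.Live; Match=($r.Gpo -eq $r.Live) }
} | Format-Table -AutoSize

"Default Domain Policy: AD version $($gpo.Computer.DSVersion), SYSVOL version $($gpo.Computer.SysvolVersion), last modified $($gpo.ModificationTime)"

# Security event 4739 is written on the DC where the domain policy attributes changed;
# its Subject fields name the account that made the change, and only the attributes that
# changed carry values (unchanged ones are '-').
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName='Security'; Id=4739 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time              = $_.TimeCreated
            Subject           = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            MinPasswordLength = $d.MinPasswordLength
            LockoutThreshold  = $d.LockoutThreshold
            MaxPasswordAge    = $d.MaxPasswordAge
        }
    } | Format-Table -AutoSize
```

Run it from a management host as a domain admin. A row with Match = False means the GPO template and the enforced policy disagree; the 4739 list then tells you whose session wrote the domain policy attributes directly (a human using net accounts or secpol on a DC, as Alan describes) as opposed to the NT AUTHORITY\SYSTEM write to the GPO that the original poster found.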
-
So, I don't have anyone confessing to manually setting password policy via secpol or net on a DC. Cowards. How do I undo their damage? It feels like if I repeat their error to put my desired password policy in place, I'll cause a problem for the future admins.
-
Better Solution: Do not modify the Default Domain Policy but create your own and link it above the DDP :-))
Late entrant to the discussion, but I would actually argue against this point.
Use the Default Domain Policy for these settings:
- It is a kindness to any successor -- they don't have to do the math/logic to determine where it is in your environment anyway (though, admittedly, it should be really easy to find, as the true domain-wide password policy really can only be linked at the domain).
- The Native AD Cmdlet Set-ADDefaultDomainPasswordPolicy works with password settings in this GPO only.
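As an added example, not code from the thread or from the reply above, this PowerShell script answers the "how do I undo their damage?" question by putting the intended policy back through the supported Set-ADDefaultDomainPasswordPolicy cmdlet rather than by running secpol or net accounts on a DC, and then checks that every domain controller reports the same values, which also covers the replication concern raised earlier in the thread. It assumes the RSAT ActiveDirectory module and Domain Admins rights; the baseline values are illustrative placeholders, and the function name Set-DomainPasswordBaseline is mine.

```powershell
# Added example (not from the thread): restore the domain password and lockout baseline
# through the supported cmdlet, targeting the PDC emulator, then verify on every DC.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator

# Illustrative baseline; replace with the values your organisation actually requires.
$baseline = @{
    MinPasswordLength        = 14
    PasswordHistoryCount     = 24
    ComplexityEnabled        = $true
    MaxPasswordAge           = (New-TimeSpan -Days 90)
    MinPasswordAge           = (New-TimeSpan -Days 1)
    LockoutThreshold         = 10
    LockoutDuration          = (New-TimeSpan -Minutes 30)
    LockoutObservationWindow = (New-TimeSpan -Minutes 30)
}

function Set-DomainPasswordBaseline {
    param([hashtable]$Desired, [string]$Server, [string]$Domain)
    $current = Get-ADDefaultDomainPasswordPolicy -Identity $Domain -Server $Server
    # Apply only the properties that differ, so the change record stays minimal.
    $changes = @{}
    foreach ($name in $Desired.Keys) {
        if ($current.$name -ne $Desired[$name]) { $changes[$name] = $Desired[$name] }
    }
    if ($changes.Count -eq 0) { Write-Host 'Domain policy already matches the baseline.'; return }
    foreach ($c in $changes.GetEnumerator()) {
        Write-Host ("{0}: {1} -> {2}" -f $c.Key, $current.($c.Key), $c.Value)
    }
    Set-ADDefaultDomainPasswordPolicy -Identity $Domain -Server $Server @changes
}

Set-DomainPasswordBaseline -Desired $baseline -Server $pdc -Domain $domain.DNSRoot

# Verify from each DC. Until replication has completed, some DCs will still show the
# old values; re-run this part after the replication interval if any show False.
$props = [string[]]$baseline.Keys
Get-ADDomainController -Filter * -Server $pdc | ForEach-Object {
    $p  = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot -Server $_.HostName
    $ok = $true
    foreach ($name in $props) { if ($p.$name -ne $baseline[$name]) { $ok = $false } }
    [pscustomobject]@{
        DC                = $_.HostName
        MatchesBaseline   = $ok
        MinPasswordLength = $p.MinPasswordLength
        LockoutThreshold  = $p.LockoutThreshold
    }
} | Format-Table -AutoSize
```

After the DCs agree, open the Default Domain Policy in GPMC (or run Get-GPOReport -Name 'Default Domain Policy' -ReportType Html) and confirm the Account Policies there show the same values; if they do not, the GPO template is the one being applied and will win at the next refresh, which is the reversal the original poster saw.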