I think I have solved the issue.
As we know, Domain Controllers take the account policies from DDGPO only, and from no other GPO.

So the problem was, we had enabled Block Policy Inheritance on the Domain Controllers OU, and DDGPO was not enforced.

We had thought that since account policy values are a special case, a normal GPO processing feature like blocking policy inheritance should not create a problem; apparently it does create a problem.

So we have two options: either we remove the block policy inheritance from the DC OU, or enforce the DDGPO.

--
Kamlesh

On 10/7/05, Kamlesh Parmar <[EMAIL PROTECTED]> wrote:
Sorry if I was not clear.
 
The problem occurs on the same DC,
i.e., say I change the value of maxpwdage in DDGPO and go to adsiedit.msc and look for the value reflected on the Domain object, it doesn't!
Then if I change the value at attribute level using adsiedit, this value, once set using adsiedit, doesn't get reverted, so a replication-related issue is not there.
 
I have tried changing DDGPO on around 3 different DCs, to make sure it is not an issue with a single DC.
 
I also verified the metadata for the originating DC and stuff; it shows correct info about the DC where I used adsiedit.
 
 
 
On 10/7/05, joe <[EMAIL PROTECTED]> wrote:
1. Verify that the policy is actually replicated to all DCs properly.
2. Verify when the values were last set by looking at the metadata. Beware of a high version number and the value constantly incrementing; it means one or more DCs are fighting over the policy values.
 


From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Thursday, October 06, 2005 2:33 AM
To: [email protected]
Subject: [ActiveDir] Fwd: password policy not getting reflected on Domain object

 
Hey guys any pointers on this issue?


---------- Forwarded message ----------
From: Kamlesh Parmar < [EMAIL PROTECTED]>
Date: Oct 5, 2005 1:02 AM
Subject: password policy not getting reflected on Domain object
To: [email protected]

Hi All,

I tried to search the archives, but couldn't find anything relevant,

anyway,
In our domain, in the past, due to a replication issue, our password & account lockout policy was getting reverted back to defaults.
We cleared the replication issues, but now if we change the password or account lockout policy in DDGPO, it doesn't get applied to the domain object.

The values of maxpwdage, minpwdage etc. on the Domain object are not reflecting the values set in DDGPO.

For the time being, I had set the values directly on the domain object using adsiedit.msc.

Should I just take a backup and run DCGPOFIX? Or are there any other things I should look at?

--
Kamlesh
~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Fortune and Love befriend the bold"
~~~~~~~~~~~~~~~~~~~~~~~~~~~
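
The cause reported at the top of this thread (Block Policy Inheritance on the Domain Controllers OU with DDGPO not enforced) can be checked from PowerShell. This is an added example, not code from the thread; it assumes the RSAT GroupPolicy and ActiveDirectory modules and that "DDGPO" is the Default Domain Policy with its well-known GUID.

```powershell
# Added example, not from the thread. Assumes the RSAT GroupPolicy and
# ActiveDirectory modules, and that "DDGPO" is the Default Domain Policy.
Import-Module GroupPolicy, ActiveDirectory

$ddpGuid = [guid]'31B2F340-016D-11D2-945F-00C04FB984F9'  # well-known Default Domain Policy GUID
$domain  = Get-ADDomain

# Block Inheritance state of the Domain Controllers OU
$ouSom = Get-GPInheritance -Target $domain.DomainControllersContainer

# The Default Domain Policy link at the domain root (Enabled / Enforced flags)
$rootSom = Get-GPInheritance -Target $domain.DistinguishedName
$ddpLink = $rootSom.GpoLinks | Where-Object { $_.GpoId -eq $ddpGuid }

# Effective GPO list for the OU: with inheritance blocked, only enforced
# links from above still appear here
$reachesDcs = [bool]($ouSom.InheritedGpoLinks | Where-Object { $_.GpoId -eq $ddpGuid })

# Value configured in the GPO's security template in SYSVOL
$inf = '\\{0}\SYSVOL\{0}\Policies\{1}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf' -f
       $domain.DNSRoot, $ddpGuid.ToString('B')
$gpoMaxAge = $null
$m = Select-String -Path $inf -Pattern '^\s*MaximumPasswordAge\s*=\s*(-?\d+)' |
     Select-Object -First 1
if ($m) { $gpoMaxAge = [int]$m.Matches[0].Groups[1].Value }

# Value actually stamped on the domain object (what adsiedit shows as maxPwdAge)
$domMaxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days

$finding = if (-not $ddpLink) { 'Default Domain Policy is not linked at the domain root' }
    elseif (-not $ddpLink.Enabled) { 'Domain-root link is disabled' }
    elseif ($ouSom.GpoInheritanceBlocked -and -not $ddpLink.Enforced) {
        'Inheritance is blocked on the DC OU and the link is not enforced' }
    elseif ($null -ne $gpoMaxAge -and $gpoMaxAge -ne $domMaxAge) {
        'GPO reaches the DCs but the domain object holds a different value' }
    else { 'No mismatch found' }

[pscustomobject]@{
    DcOuInheritanceBlocked = $ouSom.GpoInheritanceBlocked
    DdpLinkEnforced        = [bool]$ddpLink.Enforced
    DdpReachesDcOu         = $reachesDcs
    GpoMaxPasswordAgeDays  = $gpoMaxAge
    DomainMaxPasswordAge   = $domMaxAge
    Finding                = $finding
}
```

The comparison uses plain day counts only; a template value that means "never expires" is not normalised before comparing.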