
Default domain controllers policy not applied to my server (2k3 sbs)

Posted by losvik on January 3, 2006, 8:32 am

But when I am trying to edit the gpo named "default domain controllers
policy" nothing is happening.

What I am trying to do is add power users to the "Allow logon
locally" and rename the administrator account.

I have tried both gpupdate /force and restarting the server. I have also
tried to set the policy to enforced.

But it seems that the policy isn't activated in a way.

Any suggestions?


Posted by Steven L Umbach on January 3, 2006, 1:01 pm
What exactly happens? You mean you cannot open Domain Controller Security
Policy or changes you make are not working? Are there any error/warning
messages in the application/system logs? --- Steve


>
> But when I am trying to edit the gpo named "default domain controllers
> policy" nothing is happening.
>
> What I am trying to do is add power users to the "Allow logon
> locally" and rename the administrator account.
>
> I have tried both gpupdate /force and restarting the server. I have also
> tried to set the policy to enforced.
>
> But it seems that the policy isn't activated in a way.
>
> Any suggestions?
>



Posted by Ole-Kristian Losvik on January 3, 2006, 1:38 pm
The changes I make are not warning.

Cannot find any errors in my application/system logs

But if I right click in my AD on my server, and choose a resultant set of
policy, I see red marks on every setting in the policy

The error message is "The policy engine did not attempt to configure
the setting. For more information, see
%windir%\security\logs\winlogon.log on the target machine."

Here are the screendumps
http://www.damp.no/web/dev/result.gif
http://www.damp.no/web/dev/result2.gif

And my winlogon log
http://www.damp.no/web/dev/winlogon.txt

The group policy modelling
http://www.damp.no/web/dev/gpm.htm

The group policy results
http://www.damp.no/web/dev/gpr.htm


Posted by Steven L Umbach on January 3, 2006, 2:20 pm
Hmm. Try adding a new Group Policy to the domain controller container and
put it at the top of the list above the default DC GPO. Configure just a few
non-disruptive settings in that new Group Policy [do not use logon locally
or deny logon locally at this time]. Run gpupdate and see if those settings
take effect. That will help determine if there is just a problem with the
default DC GPO or something more going on. If you have not done so lately
reboot the server if at all possible. I would also run the support tools
netdiag, dcdiag, and gpotool on the domain controller to see if the results
show any problems that may help find a solution.

If it appears that there is only a problem with the default DC GPO such as
corruption you could consider using dcgpofix as a last resort option after
reading about what it does in the KB article at the link below. If you try
dcgpofix I would be sure to print out/save your current security settings
for the default DC GPO if possible so that you could restore them
afterwards. If you have a recent backup of the System State for your DC you
could also consider doing an authoritative restore of AD if you think that
the backup of the System State does not have the problem. --- Steve

http://support.microsoft.com/?id=833783 --- info on dcgpofix.

> The changes I make are not warning.
>
> Cannot find any errors in my application/system logs
>
> But if I right click in my AD on my server, and choose a resultant set of
> policy, I see red marks on every setting in the policy
>
> The error message is "The policy engine did not attempt to configure
> the setting. For more information, see
> %windir%\security\logs\winlogon.log on the target machine."
>
> Here are the screendumps
> http://www.damp.no/web/dev/result.gif
> http://www.damp.no/web/dev/result2.gif
>
> And my winlogon log
> http://www.damp.no/web/dev/winlogon.txt
>
> The group policy modelling
> http://www.damp.no/web/dev/gpm.htm
>
> The group policy results
> http://www.damp.no/web/dev/gpr.htm
>



Posted by Ole-Kristian Losvik on January 3, 2006, 3:17 pm

I am very sorry about this, but the error was that the deny logon
locally was turned on with too many users.

Should have seen this, and not bothered you.

But thanks very much for your help!

Ole
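
Added example, not part of the original thread: a Deny log on locally entry takes precedence over Allow log on locally, so an overlap like the one found above can be checked for directly in the `[Privilege Rights]` section of a security template. The sample template, the `EXAMPLE\alice` account and the `members` map are constructed for illustration, and the function names are this example's own.

```python
import configparser

# Constructed sample in the [Privilege Rights] layout of a security template
# (GptTmpl.inf or a secedit export); not taken from the poster's server.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-547,EXAMPLE\\alice
SeDenyInteractiveLogonRight = *S-1-5-32-547,*S-1-5-32-545
"""

# Well-known SIDs used in the sample, for readable output.
WELL_KNOWN = {"S-1-5-32-544": "Administrators", "S-1-5-32-545": "Users",
              "S-1-5-32-547": "Power Users"}

def parse_rights(inf_text):
    """Return {right name: set of principals} from [Privilege Rights]."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   strict=False)
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(inf_text)
    rights = {}
    if cp.has_section("Privilege Rights"):
        for name, value in cp.items("Privilege Rights"):
            rights[name] = {p.strip().lstrip("*").upper()
                            for p in value.split(",") if p.strip()}
    return rights

def logon_conflicts(rights, members=None):
    """Map each allowed principal to the deny entries that override it."""
    # members: optional {denied group: member principals}, supplied by caller
    members = members or {}
    allow = rights.get("SeInteractiveLogonRight", set())
    deny = rights.get("SeDenyInteractiveLogonRight", set())
    blocked = {}
    for principal in sorted(allow):
        hits = [d for d in sorted(deny)
                if d == principal or principal in members.get(d, ())]
        if hits:
            blocked[principal] = hits
    return blocked

if __name__ == "__main__":
    users = {"S-1-5-32-545": {"EXAMPLE\\ALICE"}}  # constructed membership
    for who, by in logon_conflicts(parse_rights(SAMPLE_INF), users).items():
        print(WELL_KNOWN.get(who, who), "is denied via",
              [WELL_KNOWN.get(d, d) for d in by])
```

Without a `members` map only direct overlaps are reported; group membership has to be supplied by the caller because the script does not query the directory.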

