Password enforcement mess... Local Group Policy was set on DC

blargoe Member Posts: 4,174
OK, so I was asked to change the domain password policy a couple months ago to extend the maximum password age. For all of our domains, the password policy is linked at the domain level and is the only policy that has any settings for passwords configured; these policies were modified as requested.

60 days later, I'm getting calls about one of the domains - users are still required to change the password at 60 days rather than having the extended age of 120 days. The other domains are working as expected. All the reports and diagnostics that I had at my disposal indicated that the setting for this domain in question was in fact 120 days, but it wasn't actually being applied.

I logged into the domain root DC and looked at Local GP for the computer, and all of the same settings I had in the old Password GP for this domain were set in Local GP; and moreover there wasn't a way to "unapply" the settings, you could set them to a value but that's it. It was overriding my domain policies for this domain.

To work around it, I just changed that local GPO to the required 120 days... but how do I make it so that the policy at the domain level is always the one that gets applied to domain user accounts... or make it ignore the Local GP setting that is set on that domain controller? I get that domain accounts are "local" accounts as far as the domain controller is concerned, but even if setting a Local GP on a DC were valid, the domain policy should "just work"... right? Domain policy should win in GP precedence.

Blargoe
IT guy since 12/00

Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
Working on: RHCE/Ansible
Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...

Comments

  • vCole Member Posts: 1,573
    Reset the local GPO.
  • blargoe Member Posts: 4,174
    The local GP, local security on EVERY domain controller shows the settings that I configured on the Local GP that I mentioned above. Since this is security I guess I'd have to use secedit and try to repair/replace the security templates to default... to be honest I haven't had to mess with any of that in so long I'd have to test it in my lab. If it's going to affect all of my domain controllers, I probably won't even risk it. I would still think the domain settings should be taking precedence.
  • rwwest7 Member Posts: 300
    blargoe wrote:
    The local GP, local security on EVERY domain controller shows the settings that I configured on the Local GP that I mentioned above. Since this is security I guess I'd have to use secedit and try to repair/replace the security templates to default... to be honest I haven't had to mess with any of that in so long I'd have to test it in my lab. If it's going to affect all of my domain controllers, I probably won't even risk it. I would still think the domain settings should be taking precedence.
    This makes no sense. When you promote a server to a DC you lose your Local Security policy and all local accounts. How are you editing the local policy on a DC??? All domain password settings should be managed from the Default Domain Policy.
  • HeroPsycho Inactive Imported Users Posts: 1,940
    Also, remember that all password settings have to actually come from the original Default Domain policy. You can't make a copy and edit that GPO. It must be the original.
    Good luck to all!
  • blargoe Member Posts: 4,174
    Oh yeah, I agree that it doesn't make any sense. I've never set anything (other than making the change that I noted in my first post) using the Local Computer Policy mmc on the DC, but you can certainly access it through GPEdit. The only reason I thought to finally check there was that I ran "net accounts" while logged in to my domain controller, and it came back with all of my old account policy settings, so I thought I'd open it there. I would have thought that either it wouldn't let you open that MMC on a DC, or that it would open the Default Domain Policy. For me, it opened, and showed the wrong values for maximum age, the old ones. In this case, there weren't any policies anywhere in the domain that specified any account settings other than the Default Domain Policy. I wonder if that policy had just gotten hosed somehow and now isn't applying to the domain controllers correctly.
  • HeroPsycho Inactive Imported Users Posts: 1,940
    Yeah, you might want to get a report of the settings, and then run the command to rebuild the policy.
    Good luck to all!
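The checks this thread circles around, pulled together in one place: what the domain-linked GPO is configured to deliver, what the directory actually holds (the value every DC enforces for domain accounts, which only the PDC emulator writes, and writes from that GPO), what "net accounts" reports on the DC you are logged in to, and whether a fine-grained password policy is quietly winning for some users. This is an added PowerShell example, not code from any poster in the thread. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, that it runs on or against a DC of the affected domain, that the account settings live in the GPO named "Default Domain Policy", and that WinRM is open to the PDC emulator for the final gpresult call.

```powershell
# Added diagnostic (not from the thread). Compares the configured, stored and
# locally reported maximum password age so a mismatch points at the right layer.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$gpoName = 'Default Domain Policy'   # assumption: the domain-linked GPO carrying account policy
$domain  = Get-ADDomain

# (1) What the GPO is configured to deliver: parse the GPO's XML report.
[xml]$report = Get-GPOReport -Name $gpoName -Domain $domain.DNSRoot -ReportType Xml
$gpoSetting  = $report.GPO.Computer.ExtensionData.Extension.Account |
               Where-Object { $_.Name -eq 'MaximumPasswordAge' }
$gpoDays     = if ($gpoSetting) { [int]$gpoSetting.SettingNumber } else { $null }

# (2) What the directory stores (maxPwdAge on the domain naming context). Every
#     DC enforces this for domain accounts; the PDC emulator is the only DC that
#     writes it, and it writes it from the domain-linked GPO when that GPO applies.
$adDays = (Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot).MaxPasswordAge.Days

# (3) What this DC reports through 'net accounts', the command used in the thread.
#     The relevant output line ends in the day count, or "Unlimited".
$netLine = (net accounts) | Where-Object { $_ -match 'Maximum password age' }
$netDays = if ($netLine -match '(\d+)\s*$') { [int]$matches[1] } else { $null }

[pscustomobject]@{
    Domain            = $domain.DNSRoot
    PdcEmulator       = $domain.PDCEmulator
    GpoConfiguredDays = $gpoDays
    DirectoryDays     = $adDays
    NetAccountsDays   = $netDays
} | Format-List

if ($gpoDays -ne $adDays) {
    Write-Warning ("GPO is configured for {0} days but the directory holds {1}: the " +
        "domain-linked GPO is not being applied on the PDC emulator ({2})." -f
        $gpoDays, $adDays, $domain.PDCEmulator)
}
if ($adDays -ne $netDays) {
    Write-Warning ("This DC reports {0} days via 'net accounts' but the directory holds {1}: " +
        "check replication to this DC." -f $netDays, $adDays)
}

# (4) Fine-grained password policies override the domain policy for the users and
#     groups they apply to; rule them out before blaming Group Policy processing.
$psos = Get-ADFineGrainedPasswordPolicy -Filter *
if ($psos) {
    $psos | Select-Object Name, Precedence, MaxPasswordAge, AppliesTo | Format-Table -AutoSize
} else {
    'No fine-grained password policies defined.'
}

# (5) Confirm the GPO appears in the applied list on the PDC emulator itself.
Invoke-Command -ComputerName $domain.PDCEmulator -ScriptBlock { gpresult /scope:computer /r }
```

Reading the result: if GpoConfiguredDays and DirectoryDays disagree, the problem is Group Policy processing on the PDC emulator (run gpupdate /force there and look at the GroupPolicy operational log), not precedence; if DirectoryDays and NetAccountsDays disagree on a particular DC, that DC has not replicated the change. The "command to rebuild the policy" mentioned above is dcgpofix, which resets the Default Domain Policy to its out-of-box state and discards every custom setting in it, so export the current settings first, as suggested in the thread.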