Password enforcement mess... Local Group Policy was set on DC

OK, so I was asked to change the domain password policy a couple months ago to extend the maximum password age. For all of our domains, the password policy is linked at the domain level and is the only policy that has any settings for passwords configured; these policies were modified as requested.

60 days later, I'm getting calls about one of the domains - users are still required to change the password at 60 days rather than having the extended age of 120 days. The other domains are working as expected. All the reports and diagnostics that I had at my disposal indicated that the setting for this domain in question was in fact 120 days, but it wasn't actually being applied.

I logged into the domain root DC and looked at Local GP for the computer, and all of the same settings I had in the old Password GP for this domain were set in Local GP; and moreover there wasn't a way to "unapply" the settings, you could set them to a value but that's it. It was overriding my domain policies for this domain.

To workaround, I just changed that local GPO to the required 120 days... but how do I make it so that the policy at the domain level is always the one that gets applied to domain user accounts... or make it ignore the Local GP setting that is set on that domain controller? I get that domain accounts are "local" accounts as far as the domain controller is concerned, but even if setting a Local GP on a DC were valid, the domain policy should "just work"... right? Domain policy should win in GP Precedence.

Blargoe

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

vCole

Reset the local GPO.

blargoe

The local GP, local security on EVERY domain controller shows the settings that I configured on the Local GP that I mentioned above. Since this is security I guess I'd have to use secedit and try to repair/replace the security templates to default... to be honest I haven't had to mess with any of that in so long I'd have to test it in my lab. If it's going to affect all of my domain controllers, I probably won't even risk it. I would still think the domain settings should be taking precedence.

rwwest7

blargoe wrote: »

The local GP, local security on EVERY domain controller shows the settings that I configured on the Local GP that I mentioned above. Since this is security I guess I'd have to use secedit and try to repair/replace the security templates to default... to be honest I haven't had to mess with any of that in so long I'd have to test it in my lab. If it's going to affect all of my domain controllers, I probably won't even risk it. I would still think the domain settings should be taking precedence.

This makes no sense. When you promote a server to a DC you lose your Local Security policy and all local accounts. How are you editing the local policy on a DC??? All domain password settings should be managed from the Default Domain Policy.

HeroPsycho

Also, remember that all password settings have to actually come from the original Default Domain policy. You can't make a copy and edit that GPO. It must be the original.

blargoe

Oh yeah, I agree that it doesn't make any sense. I've never set anything (other than making the change that I noted in my first post) using the Local Computer Policy mmc on the DC, but you can certainly access it through GPEdit. The only reason why I thought to finally check there, I ran "net accounts" when logged in to my domain controller, and it came back with all of my old account policy settings, so I thought I'd open it there. I would have thought that either it wouldn't let you open that MMC on a DC, or that it would open the Default Domain Policy. For me, it opened, and showed the wrong values for maximum age, the old ones. In this case, there weren't any policies anywhere in the domain that specified any account settings other than the Default Domain Policy. I wonder if that policy had just gotten hosed somehow and now isn't applying to the domain controllers correctly.

HeroPsycho

Yeah, you might want to get a report of the settings, and then run the command to rebuild the policy.