
Problems applying settings in GPO to DC

rwmidl Member Posts: 807
I'm doing some testing on some GPO's and I'm seeing a repeatable issue, and I'm curious if anyone has seen this/has any ideas on how to resolve.

I'm trying to assign the following settings via GPO to a 2003 DC:

Local Computer Config\Computer Config\Security Settings\Account Policies\Kerberos Policies (Enforce user logon restrictions, Maximum Lifetime for service ticket, Maximum Lifetime for user ticket, Maximum Lifetime for user ticket renewal, Maximum tolerance for computer clock sync)

I've defined these settings in a GPO, and assigned that GPO to the "Domain Controllers" OU. When I do a gpupdate /force and reboot, and then go to gpedit.msc and check, the settings are not applied. In fact, they say "not applicable".

The only way I have found to have the settings applied is to open the MMC, add the Security Configuration and Analysis snapin, and then when I analyze the computer against the DC Security.inf file, the settings I mentioned above come back as Database Setting = Not Defined Computer Setting = Error Analyzing. Now I can open the settings, select "Define this policy in the database" then once I'm done "configure computer now" and it will apply the settings.

What I'm baffled on is shouldn't I be able to apply these settings via GPO vs manually "massaging" them? Am I completely missing something here?

-Richard
CISSP | CISM | ACSS | ACIS | MCSA:2008 | MCITP:SA | MCSE:Security | MCSA:Security | Security + | MCTS

Comments

  • unnamedplayer Member Posts: 74
    rwmidl wrote: »
    I've defined these settings in a GPO, and assigned that GPO to the "Domain Controllers" OU.

    I believe this is your problem. Kerberos policies, like password policies, are domain-wide and must be configured at the domain level.

    Also something to look out for, the "Maximum tolerance for computer clock sync" setting is not persistent and will default back to 5 minutes after the computer is restarted.
  • rwmidl Member Posts: 807
    unnamedplayer wrote: »
    I believe this is your problem. Kerberos policies, like password policies, are domain-wide and must be configured at the domain level.

    Also something to look out for, the "Maximum tolerance for computer clock sync" setting is not persistent and will default back to 5 minutes after the computer is restarted.

    Hmm...I just tried linking at the domain level (along with the time server settings) and after restart it still says "not applicable".
  • rsutton Member Posts: 1,029
    Have you checked that there are not conflicting policies in the local domain security policy?
  • rwmidl Member Posts: 807
    rsutton wrote: »
    Have you checked that there are not conflicting policies in the local domain security policy?

    I ended up getting it to work (wasn't patient enough I guess)!
  • rsutton Member Posts: 1,029
    Glad you got it working!
  • higherho Member Posts: 882
    rwmidl wrote: »
    I ended up getting it to work (wasn't patient enough I guess)!

    Can you explain how you fixed it? I'm curious.
  • rwmidl Member Posts: 807
    higherho wrote: »
    Can you explain how you fixed it? I'm curious.

    Basically what I did was apply the GPO at the domain level instead of the OU (previously I had applied the settings to the DC OU, and when I'd pipe out the results using gpresult it wouldn't show). Once I applied the GPO to the domain, linked but not enforced (I didn't want the GPO to apply to some OUs, so I'd block inheritance on those OUs), did a gpupdate /force and gave it a bit, then piped out the results again on the target DC, I'd see the policy applied.
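A check for this, added here as an example and not part of any post in the thread: a PowerShell script that lists which GPOs are linked at the domain root versus the Domain Controllers OU (the distinction unnamedplayer's reply and rwmidl's final post both land on), then exports the effective security policy with secedit and reads back the five Kerberos settings from the [Kerberos Policy] section, so you confirm what is actually in force on the KDC rather than trusting the "not applicable" display in gpedit.msc. It assumes it is run in an elevated session on the DC with the GroupPolicy and ActiveDirectory PowerShell modules available (RSAT/GPMC on a current OS; on the thread's 2003 DC only the secedit part applies); the table of display names and default values is mine, and the temporary file path is an arbitrary choice.

```powershell
# Added example, not from the original thread. Run elevated on a domain controller.
# Assumes the GroupPolicy and ActiveDirectory modules (RSAT) are installed;
# secedit.exe ships with every supported Windows version.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# 1. Where is the policy linked? Kerberos policy is an Account Policy: like
#    password and lockout policy it only governs domain accounts when it comes
#    from a GPO linked at the domain root, which is why a link on the Domain
#    Controllers OU alone never showed up for rwmidl.
$domainDn = (Get-ADDomain).DistinguishedName
$dcOuDn   = "OU=Domain Controllers,$domainDn"

foreach ($target in @($domainDn, $dcOuDn)) {
    "GPOs linked at $target"
    (Get-GPInheritance -Target $target).GpoLinks |
        Select-Object DisplayName, Enabled, Enforced, Order |
        Format-Table -AutoSize | Out-String
}

# 2. What Kerberos policy is actually in effect on this DC? secedit exports the
#    effective security database to an INF; the [Kerberos Policy] section holds
#    the five settings discussed in the thread.
$inf = Join-Path $env:TEMP 'effective-secpol.inf'   # arbitrary temp path
secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null

$kerb = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') {
        $inSection = ($Matches[1] -eq 'Kerberos Policy')
        continue
    }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(\d+)') {
        $kerb[$Matches[1]] = [int]$Matches[2]
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# INF key -> GPO display name and the built-in default for that key.
$expected = [ordered]@{
    TicketValidateClient = @{ Name = 'Enforce user logon restrictions';                  Default = 1   }
    MaxServiceAge        = @{ Name = 'Maximum lifetime for service ticket (minutes)';    Default = 600 }
    MaxTicketAge         = @{ Name = 'Maximum lifetime for user ticket (hours)';         Default = 10  }
    MaxRenewAge          = @{ Name = 'Maximum lifetime for user ticket renewal (days)';  Default = 7   }
    MaxClockSkew         = @{ Name = 'Maximum tolerance for computer clock sync (minutes)'; Default = 5 }
}

"Effective Kerberos policy on $env:COMPUTERNAME"
foreach ($key in $expected.Keys) {
    $have = if ($kerb.ContainsKey($key)) { $kerb[$key] } else { '(not defined)' }
    $flag = if ($have -eq $expected[$key].Default) { 'default' } else { 'CHANGED' }
    '{0,-58} {1,-14} {2}' -f $expected[$key].Name, $have, $flag
}
```

Run it before and after the gpupdate /force: if the GPO is only linked at the Domain Controllers OU the second table keeps showing the built-in defaults, and after the domain-root link plus a replication interval it shows the values you defined. Keys absent from the export print "(not defined)", which matches the "Not Defined" state rwmidl saw in the Security Configuration and Analysis snap-in.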