Problems applying settings in GPO to DC

I'm doing some testing on some GPO's and I'm seeing a repeatable issue, and I'm curious if anyone has seen this/has any ideas on how to resolve.

I'm trying to assign the following settings via GPO to a 2003 DC:

Local Computer Config\Computer Config\Security Settings\Account Policies\Kerberos Policies (Enforce user logon restrictions, Maximum Lifetime for service ticket, Maximum Lifetime for user ticket, Maximum Lifetime for user ticket renewal, Maximum tolerance for computer clock sync)

I've defined these settings in a GPO, and assigned that GPO to the "Domain Controllers" OU. When I do a gpupdate/force and reboot, and then go to gpedit.msc and check, the settings are not applied. In fact, they say not applicable.

The only way I have found to have the settings applied is to open the MMC, add the Security Configuration and Analysis snapin, and then when I analyze the computer against the DC Security.inf file, the settings I mentioned above come back as Database Setting = Not Defined Computer Setting = Error Analyzing. Now I can open the settings, select "Define this policy in the database" then once I'm done "configure computer now" and it will apply the settings.

What I'm baffled on is shouldn't I be able to apply these settings via GPO vs manually "massaging" them? Am I completely missing something here?

-Richard

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

unnamedplayer

rwmidl wrote: »

I've defined these settings in a GPO, and assigned that GPO to the "Domain Controllers" OU.

I believe this is your problem. Kerberos policies, like password policies, are domain wide and must configured at the domain level.

Also something to look out for, the "Maximum tolerance for computer clock sync" setting is not persistent and will default back to 5 minutes after the computer is restarted.

rwmidl

unnamedplayer wrote: »

I believe this is your problem. Kerberos policies, like password policies, are domain wide and must configured at the domain level.

Also something to look out for, the "Maximum tolerance for computer clock sync" setting is not persistent and will default back to 5 minutes after the computer is restarted.

Hmm...I just tried linking at the domain level (along with the time server settings) and after restart it still says "not applicable".

rsutton

Have you checked that there are not conflicting policies in the local domain security policy?

rwmidl

rsutton wrote: »

Have you checked that there are not conflicting policies in the local domain security policy?

I ended up getting it to work (wasn't patient enough I guess)!

rsutton

Glad you got it working!

higherho

rwmidl wrote: »

I ended up getting it to work (wasn't patient enough I guess)!

Can you explain how you fixed it? I'm curious.

rwmidl

higherho wrote: »

Can you explain how you fixed it? I'm curious.

Basically what I did was apply the GPO to the domain level instead of the OU (previously I had applied the settings to the DC ou and when I'd pipe out the results using gpresult it wouldn't show). Once I applied the GPO to the domain, linked but did not enforce (I didn't want the GPO to apply to some OU's so I'd block inheritance on those OU's), did a gpupdate /force and give it a bit, then on the target DC pipe out the results again I'd see the policy applied.