--BF--
Copper Contributor
Aug 30, 2024

Frequent Event Log errors related to GPO

We currently have 3 different versions of Server in our environment.

2016

2019

2022

 

All the 2016's and 2019's have multiple Application event log errors with the following:

"Security policies were propagated with warning. 0x57 : The parameter is incorrect."

 

When I launch RSOP.MSC on the system with the error, I can see that there is a warning under “Computer Configuration”. Going into the properties, it tells me that the warning is within the Security Settings. Drilling down into Security Settings, I can see that the Password Policy has some issues. The 2022's don't have this issue. All systems use the same "Default Domain Policy".

 

When I enable winlogon.log via the registry settings, I can see it's logging an error but it's not really giving me a clear indication what the actual problem is.

 

Any advice how to proceed next would be greatly appreciated.

Thanks!

1 Reply

  1. Investigate the Password Policy Issue in GPO

    Since you’ve identified that the problem is related to the Password Policy in the Security Settings of the Default Domain Policy, we’ll need to investigate the specific settings causing the issue.

    • Open Group Policy Management Console (GPMC) on a domain controller.
    • Navigate to the Default Domain Policy GPO (or any other relevant GPO applied to the systems).
    • Right-click the GPO and click Edit.
    • Go to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.

    Look for any unusual or inconsistent configurations (for example, password length, complexity, or history settings) that may be different from the defaults or causing issues.

    Things to check:

    • Ensure Password Complexity and Minimum Password Length settings are correct.
    • Make sure Enforce password history and Maximum password age are within supported ranges.
    • Check if there's any conflict or conflicting policy set by another GPO.

    2. Check for GPO Corruption

    If there's a configuration mismatch or corruption within the GPO, it could be causing the 0x57 error. Try the following:

    • Force a Group Policy Update on the affected servers:
      • gpupdate /force
    • Check the Resultant Set of Policy (RSOP) for any conflicting settings:
      • Open RSOP.msc on the server that is generating the warning.
      • Drill down to Computer Configuration > Security Settings > Account Policies > Password Policy.
      • Look for any discrepancies or warnings that are being propagated from multiple GPOs.
    • If any issues appear here, you might want to consider resetting the GPO (or portions of it) and reapplying it to ensure it's not corrupted. You can try backing up and recreating the problematic GPO or repairing it with a Group Policy Restore.
    3. Check for Conflicting Group Policy Objects

      Conflicting GPOs could lead to unexpected behavior in how settings are applied. Verify that no other GPOs are overwriting or conflicting with the Default Domain Policy.

      • In Group Policy Management, check for Overlapping GPOs applied at the domain or organizational unit (OU) level that could be affecting the servers in question.
      • Review Group Policy inheritance to ensure the settings you expect are being correctly applied.

      4. Review Local Security Policy

      In some cases, local security policies can override domain-level settings, potentially leading to mismatches.

      • On the affected servers, run secpol.msc and navigate to Account Policies > Password Policy.
      • Compare these settings with those in the Group Policy to see if they match.

      If there are local overrides, ensure that they align with the domain policy.

      5. Check for Permissions or Replication Issues

      • Sometimes GPO errors can be caused by replication issues between domain controllers.
        • Check the event logs for any replication-related issues (for example, Event ID 135 or Event ID 129 in the Directory Service log).
        • Run repadmin /syncall to force a replication check between all domain controllers.
      • Permissions on the GPO might be incorrect, preventing proper application of policies. Ensure that the Default Domain Policy has the proper permissions set for the required users and groups to apply the policy.

      6. Review the Winlogon Log for More Details

      You mentioned enabling winlogon.log via the registry, but it isn't providing clear information. You might want to enable additional logging to gain more insight into the issue. You can enable verbose logging for Group Policy and Security Settings by editing the Group Policy Event Logging settings.

      • Enable detailed logging for Group Policy via the registry:
        • Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
        • Key: GroupPolicyLogging
        • Value: 1
        • This will log more verbose details about Group Policy processing.
      • Event IDs to Look For:
        • Event ID 1091: This indicates Group Policy has successfully applied.
        • Event ID 1006: Indicates problems processing the security policies.
      7. Testing with a New GPO

        If the above steps don’t resolve the issue, try the following:

        • Create a new GPO specifically for the Password Policy and apply it only to one of the affected servers. This will help isolate whether the issue is related to the Default Domain Policy.
        • Monitor if the error persists after applying the new GPO.

        8. Compare Versions of Group Policy in Windows Server 2022

        Since the 2022 servers don’t exhibit this issue, check the Group Policy Settings in 2022 and compare them with the settings in the older servers. There could be compatibility or feature differences that are impacting how the policies are processed.

        Conclusion:

        • The error seems to be related to an issue with the Password Policy in the Security Settings of your Default Domain Policy.
        • Follow the steps outlined above to check for misconfigurations or conflicts in your GPOs, and clear up any discrepancies between domain-level and local security settings.
        • Ensure the GPO isn't corrupted, and test with a new GPO to see if the issue persists.
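
The reply's "things to check" list asks whether the Password Policy values are within supported ranges. As an added example (not code from the thread), this PowerShell function range-checks the `[System Access]` section of a security template such as a GPO's `GptTmpl.inf`; the function name, the range table and the sample template are assumptions made for illustration.

```powershell
# Added example. Ranges are assumed classic limits for [System Access] keys;
# adjust them to what each server version in your environment documents.
$Ranges = @{
    MinimumPasswordAge    = 0, 998
    MaximumPasswordAge    = -1, 999   # -1 means passwords never expire
    MinimumPasswordLength = 0, 14
    PasswordHistorySize   = 0, 24
    PasswordComplexity    = 0, 1
}

function Test-PasswordPolicyInf {
    param([string[]]$Lines)
    $section = ''
    foreach ($line in $Lines) {
        $t = $line.Trim()
        # Track which INF section we are in; only [System Access] is checked.
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -ne 'System Access') { continue }
        if ($t -match '^(\w+)\s*=\s*(.*)$' -and $Ranges.ContainsKey($Matches[1])) {
            $name  = $Matches[1]
            $raw   = $Matches[2].Trim()
            $low, $high = $Ranges[$name]
            $value = 0
            $problem = $null
            if (-not [int]::TryParse($raw, [ref]$value)) {
                $problem = 'not an integer'
            } elseif ($value -lt $low -or $value -gt $high) {
                $problem = "outside $low..$high"
            }
            if ($problem) {
                [pscustomobject]@{ Setting = $name; Value = $raw; Problem = $problem }
            }
        }
    }
}

# Constructed sample template, not taken from the thread's environment.
$sample = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 20
PasswordComplexity = 1
PasswordHistorySize = 30
[Version]
signature="$CHICAGO$"
'@ -split "`r?`n"

Test-PasswordPolicyInf -Lines $sample | Format-Table -AutoSize
```

To check a real template, pass the output of `Get-Content` on the GPO's `GptTmpl.inf` as `-Lines`; an empty result means every checked key is inside the assumed ranges.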
