Microsoft Tech Community

Windows Server 2012 R2 GPM>windows setting> security setting >Account Policy missing

Hello,

I've been trying to figure out this issue with my GPOs.

What I initially wanted to do was create a simple password policy. I go to the GPMC and edit the Default Domain Policy and open Computer configurations > windows setting > security setting, and Account Policy is missing.

However, I can see the Default Domain Policy settings specifications with everything I'm looking to change under Settings. I don't know what can be the issue if it's appearing under the settings.

34 Replies

Your templates are out-of-date. If you have the PolicyDefinitions store (see https://learn.microsoft.com/en-us/troubleshoot/windows-client/group-policy/create-and-manage-central...), you should copy the latest admx/adml files there. Then you should see the Account Policies folder.

@Harm_Veenstra 

Thank you, Harm, for your response. I did download the latest policy definitions and placed them in the "policies" folder, but it doesn't create the central store. I'm not sure what the case is for that.

I have the paths

Windows > Sysvol > sysvol > domainname > policies

Windows > Sysvol > Domain > Policies

and serverhostname > Sysvol > twang > policies

@KrisC5 You should create the PolicyDefinitions folder inside the Policies folder, which would be c:\windows\sysvol\domainname\policies\policydefinitions. (The other paths should be the same content-wise.) Inside the policydefinitions folder, you copy all the admx files and the en-us folders (and other languages if needed) containing the adml files. This should look something like this (both from domain and local path, same folder):

Harm_Veenstra_0-1673374462780.png

If you reopen the Group Policy editor and edit the policy, you should see the Account Policies folder inside the GPO.

@Harm_Veenstra 

Yes, that's the path I mentioned. They are in the policies folder, but still it is not creating a central store. I have the downloaded policy definitions with all the language and ADML/ADMX files still in that folder.

Windows 2012 R2 server? Could you try using the Group Policy editor from a workstation? Did you log off and log in again? The central store is the PolicyDefinitions folder. You don't have to do anything else.

I am on a workstation, and logging off and in again didn't do anything. I've been dealing with this since the middle of December, and heard the same thing you mentioned.
I questioned if it was because ours uses the path \\serverhostname\sysvol\domain instead of \\Domainname\sysvol\domain, which is how I've seen it. But the \\serverhostname shouldn't be the issue from what I learned.
I'm not sure why it has all the settings and recognizes the variables like attempts, age, complexity, but Account Policies is still missing.

I'm sorry, I didn't read it correctly. Although it's a good idea to have the central store in your Policies folder... You can only set the Password Policy setting at the Domain Level :) --> https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/accoun...

Each domain can have only one account policy. The account policy must be defined in the default domain policy or in a new policy that is linked to the root of the domain and given precedence over the default domain policy, which is enforced by the domain controllers in the domain


And you are editing that one... This is strange?! Is the GptTmp.inf missing? Do you see the file in this location?

Harm_Veenstra_0-1673384253404.png

Should contain something like this:

[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
[Version]
signature="$CHICAGO$"
Revision=1

@Harm_Veenstra 

OK, so does the domain need to point to the server that is the DC? Because we currently don't.
I ask because this article states that serverhostname alone can be used to house the sysvol folder. Whether that is the same case in regard to creating a central store, I don't know, but I'd assume so.
https://www.minitool.com/lib/sysvol.html


And yes, I can find that file, with all those fields. Also, on a separate note, when on a local workstation and going to the device's "local Security setting", I can see Account Policy there, but can't edit.

All Domain Controllers have a locally replicated copy of the sysvol, which is reachable to clients using \\domain.name\sysvol\domain.name\. The files in c:\windows\sysvol\... should match that location. It should be in sync.

OK yes, that is my case, just with \\serverhostname rather than \\domainname. Is that the issue? They are replicating.

No, it doesn't matter where you place files because it will sync to other domain controllers to their local c:\windows\sysvol and will be accessible for clients using \\domainname.

You could try to reset the Default Domain Policy using Dcgpofix /target:domain (More information about that here https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dcgpofix)

Before running the command, please create a report from the current settings and back up the GPO using the Group Policy Management Console. You will have to reconfigure certain settings again!

@Harm_Veenstra 

No dice, it gave me an error: parameter is incorrect. But distinguished what I wanted to do.

There should be a space between Dcgpofix and /target:domain

Haha, I saw that immediately after sending. It ran the command. The Default Domain Policy is still the same: missing Account Policies and still retrieving from local computers.

Ok... And what do you mean when you mention "still retrieving from local computers"?

And how many Domain Controllers do you have? Does it show if you connect your Group Policy management console to another DC?

Could you try running regsvr32.exe c:\windows\system32\wsecedit.dll (https://learn.microsoft.com/en-US/troubleshoot/windows-server/group-policy/group-policy-areas-missin...)? Perhaps a reboot afterward is required.

I was informed that once those policy definitions are placed in the "policies" folder, it will create a central store, in which it will change to retrieving from the central store. And we have just one "DC".

@Harm_Veenstra 

If you edit GPOs and the folder PolicyDefinitions is there, it will use the admx templates from there. If the folder is not there, it will use your local admx files on the system you are running Group Policy Management Console on.
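
A read-only check of the two things this thread keeps returning to, as an added example that is not from any poster: whether the PolicyDefinitions folder (the central store) exists under the SYSVOL Policies path, and whether the Default Domain Policy's security template defines the password and lockout keys. The function names are hypothetical; the live part assumes a domain-joined session, the well-known Default Domain Policy GUID, and the template's on-disk name GptTmpl.inf.

```powershell
# Added example; function names are hypothetical. Read-only: nothing here edits a GPO.
function Test-CentralStore {
    param([string]$PoliciesPath)
    $store = Join-Path $PoliciesPath 'PolicyDefinitions'
    [pscustomobject]@{
        Path      = $store
        Exists    = Test-Path -LiteralPath $store -PathType Container
        AdmxCount = @(Get-ChildItem -LiteralPath $store -Filter *.admx -File -ErrorAction SilentlyContinue).Count
        AdmlCount = @(Get-ChildItem -LiteralPath (Join-Path $store 'en-US') -Filter *.adml -File -ErrorAction SilentlyContinue).Count
    }
}

function ConvertFrom-SecurityTemplate {
    # Parses INF lines into an ordered table: section name -> (key -> value).
    param([string[]]$Line)
    $sections = [ordered]@{}; $current = $null
    foreach ($raw in $Line) {
        $text = $raw.Trim()
        if ($text -eq '' -or $text.StartsWith(';')) { continue }
        if ($text -match '^\[(.+)\]$') {
            $current = $Matches[1]
            $sections[$current] = [ordered]@{}
        } elseif ($current -and $text -match '^([^=]+?)\s*=\s*(.*)$') {
            $sections[$current][$Matches[1].Trim()] = $Matches[2]
        }
    }
    $sections
}

function Get-AccountPolicyGap {
    # Returns the password/lockout keys that [System Access] does not define.
    param($Template)
    $expected = 'MinimumPasswordAge', 'MaximumPasswordAge', 'MinimumPasswordLength',
                'PasswordComplexity', 'PasswordHistorySize', 'LockoutBadCount'
    $section = $Template['System Access']
    $expected | Where-Object { $null -eq $section -or -not $section.Contains($_) }
}
# Constructed sample: the first [System Access] lines of the template quoted in the thread.
$sample = '[System Access]', 'MinimumPasswordAge = 1', 'MaximumPasswordAge = 42', 'MinimumPasswordLength = 7'
Get-AccountPolicyGap -Template (ConvertFrom-SecurityTemplate -Line $sample)
# Live check. Assumes a domain-joined session with read access to SYSVOL.
if ($env:USERDNSDOMAIN) {
    $policies = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
    Test-CentralStore -PoliciesPath $policies
    $inf = "$policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    if (Test-Path -LiteralPath $inf) {
        Get-AccountPolicyGap -Template (ConvertFrom-SecurityTemplate -Line (Get-Content -LiteralPath $inf))
    }
}
```

If Get-AccountPolicyGap returns nothing for the live template, the account policy values are present in the GPO on disk, so a node missing from the editor is a display problem on the editing machine rather than missing data.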