Forum Discussion

KrisC5's avatar
KrisC5
Copper Contributor
Jan 09, 2023

Windows Server 2012 R2 GPM>windows setting> security setting >Account Policy missing

Hello, Ive been trying to figure out this issue with my GPO's, What I initially wanted to do was create a simple password policy. I go to the GPMC and edit the Default domain policy and open Comput...
security
Windows Server
KrisC5's avatar
KrisC5
Copper Contributor

Harm_Veenstra 

Yes thats the path i mentioned, they are in the policies folder, but still it is not creating a central store. i have the downloaded Policy definitions with all the language and ADMl/ADMX files still in that folder 

Harm_Veenstra's avatar
Harm_Veenstra
MVP
Jan 10, 2023

Windows 2012 R2 server? Could you try using the Group Policy editor from a workstation? Did you log off and log in again? The central store is the PolicyDefinitions folder. You don't have to do anything else.

  • KrisC5's avatar
    KrisC5
    Copper Contributor
    Jan 10, 2023
    i am on a workstation and loging off and in again didnt do anything. Ive been dealing with this since the middle of december, and heard the same thing you mentioned.
    I questioned if it was cause ours uses the path\\serverhostname\sysvol\domain instead of, \\Domainname\sysvol\domain which is how ive seen it. But the \\serverhostname shouldnt be the issue from what i learned.
    Im not sure why it has all the setting and recognizes the variable like attempts, age, complexity, but account policies is still missing
    • Harm_Veenstra's avatar
      Harm_Veenstra
      MVP
      Jan 10, 2023

      I'm sorry, I didn't read it correctly. Although it's a good idea to have the central store in your Policies folder... You can only set the Password Policy setting at the Domain Level 🙂 --> https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-policies

       

      Each domain can have only one account policy. The account policy must be defined in the default domain policy or in a new policy that is linked to the root of the domain and given precedence over the default domain policy, which is enforced by the domain controllers in the domain


      And you are editing that one... This is strange?! Is the GptTmp.inf missing? Do you see the file in this location?

       

       Should contain something like this:

      [Unicode]
      Unicode=yes
      [System Access]
      MinimumPasswordAge = 1
      MaximumPasswordAge = 42
      MinimumPasswordLength = 7
      PasswordComplexity = 1
      PasswordHistorySize = 24
      LockoutBadCount = 0
      RequireLogonToChangePassword = 0
      ForceLogoffWhenHourExpire = 0
      ClearTextPassword = 0
      LSAAnonymousNameLookup = 0
      [Kerberos Policy]
      MaxTicketAge = 10
      MaxRenewAge = 7
      MaxServiceAge = 600
      MaxClockSkew = 5
      TicketValidateClient = 1
      [Registry Values]
      MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
      [Version]
      signature="$CHICAGO$"
      Revision=1

      • KrisC5's avatar
        KrisC5
        Copper Contributor
        Jan 10, 2023

        Harm_Veenstra 

        ok, so does the domain need to point to the server that is DC, because we currently dont.
        I ask be cause this article states that serverhostname alone can be used to house the sysvol folder, wheather that be same case, in regards to creating a central store, i dont know. but id assume so.
        https://www.minitool.com/lib/sysvol.html


        An yes I can find that file, with all those fields .Also on a separate note, when on a local workstation, and going to the device "local Security setting" i can see Account policy there, but cant edit. 

Resources