Forum Discussion
Windows Server 2012 R2 GPM>windows setting> security setting >Account Policy missing
I questioned if it was cause ours uses the path\\serverhostname\sysvol\domain instead of, \\Domainname\sysvol\domain which is how ive seen it. But the \\serverhostname shouldnt be the issue from what i learned.
Im not sure why it has all the setting and recognizes the variable like attempts, age, complexity, but account policies is still missing
I'm sorry, I didn't read it correctly. Although it's a good idea to have the central store in your Policies folder... You can only set the Password Policy setting at the Domain Level 🙂 --> https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-policies
Each domain can have only one account policy. The account policy must be defined in the default domain policy or in a new policy that is linked to the root of the domain and given precedence over the default domain policy, which is enforced by the domain controllers in the domain
And you are editing that one... This is strange?! Is the GptTmp.inf missing? Do you see the file in this location?
Should contain something like this:
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
[Version]
signature="$CHICAGO$"
Revision=1
- Still an issue,
I have since put it to the back of my plans. But still something i need to get figured out Any update for us?
- I'm from a Dutch company, but you can also report a ticket at a Microsoft partner if you have one nearby?
- Not a problem, would you happen to have a local support agent. Or someone affiliated that we can have come in office an take a look in person.
- I'm out of ideas here myself too at the moment...
- negative, didnt work
- Creating a new GPO at Domain root level, does that give you the password policies folder in that?
- ok yea we have,that service disabled. What would you suggest regarding something like this. I was hoping it would be something fairly simple, like an oversight that I wasnt aware of, but it seems we've tried most most solution.
- It depends... On older versions of Windows Server, it's File Replication Service as default (Switch to DFS how-to here https://www.mcs.support/guide-to-migrate-frs-to-dfsr-using-dfsrmig/ ) WINS is not needed anymore unless you have a very specific reason 🙂
- Ah, ok i see.
I dont understand how policy is being read.
But as far as making changes to the policy; and for it to retain those changes for user, is not.
aswell as the Account policy tab is missing from the security settings .
hmm what do you think about DFS and WINS services stopped, I just came across that. Id assume distributed file system would have a hand in dealing with the sysvol folder? im not sure about WINS service.
