Jan 09 2023 02:19 PM
Hello,
I've been trying to figure out this issue with my GPOs.
What I initially wanted to do was create a simple password policy. I go to the GPMC, edit the Default Domain Policy and open Computer Configurations > Windows Setting > Security Setting, and Account Policy is missing.
However, I can see the Default Domain Policy settings specifications with everything I'm looking to change under Settings. I don't know what the issue can be if it's appearing under the settings.
Jan 10 2023 07:49 AM - edited Jan 10 2023 07:49 AM
Your templates are out-of-date. If you have the PolicyDefinitions store (see https://learn.microsoft.com/en-us/troubleshoot/windows-client/group-policy/create-and-manage-central...), you should copy the latest admx/adml files there. Then you should see the Account Policies folder.
Jan 10 2023 09:54 AM - edited Jan 10 2023 09:55 AM
Thank you Harm for your response. I did download the latest policy definitions and placed them in the "policies" folder, but it doesn't create the central store. I'm not sure what the case is for that.
I have the paths
Windows > Sysvol > sysvol > domainname > policies
Windows > Sysvol > Domain > Policies
and serverhostname > Sysvol > twang > policies
Jan 10 2023 10:14 AM
@KrisC5 You should create the PolicyDefinitions folder inside the Policies folder, which would be c:\windows\sysvol\domainname\policies\policydefinitions. (The other paths should be the same content-wise.) Inside the policydefinitions folder, you copy all the admx files and the en-us folders (and other languages if needed) containing the adml files. This should look something like this: (Both from domain and local path, same folder)
If you reopen the Group Policy editor and edit the policy, you should see the Account Policies folder inside the GPO.
Jan 10 2023 10:49 AM
Yes, that's the path I mentioned. They are in the policies folder, but still it is not creating a central store. I have the downloaded policy definitions with all the language and ADML/ADMX files still in that folder.
Jan 10 2023 11:15 AM - edited Jan 10 2023 11:23 AM
Windows 2012 R2 server? Could you try using the Group Policy editor from a workstation? Did you log off and log in again? The central store is the PolicyDefinitions folder. You don't have to do anything else.
Jan 10 2023 12:26 PM
Jan 10 2023 12:39 PM - edited Jan 10 2023 12:58 PM
I'm sorry, I didn't read it correctly. Although it's a good idea to have the central store in your Policies folder... You can only set the Password Policy setting at the Domain Level 🙂 --> https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/accoun...
Each domain can have only one account policy. The account policy must be defined in the default domain policy or in a new policy that is linked to the root of the domain and given precedence over the default domain policy, which is enforced by the domain controllers in the domain.
And you are editing that one... This is strange?! Is the GptTmp.inf missing? Do you see the file in this location?
Should contain something like this:
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
[Version]
signature="$CHICAGO$"
Revision=1
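The account-policy values in a template like the one quoted above can be checked against a password baseline. This is an added example, not part of the thread: the baseline thresholds and the function names `ConvertFrom-SecurityTemplate` and `Test-AccountPolicy` are assumptions, and the here-string is a constructed sample using the values from the post.

```powershell
# Constructed sample: a subset of the template values quoted in the post above.
$template = @'
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ClearTextPassword = 0
[Kerberos Policy]
MaxClockSkew = 5
'@

# Parse INF-style text into a hashtable of sections, each a hashtable of key/value pairs.
function ConvertFrom-SecurityTemplate {
    param([string]$Text)
    $sections = @{}
    $current = $null
    foreach ($line in $Text -split "`r?`n") {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            $sections[$current] = @{}
        } elseif ($current -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $sections[$current][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    $sections
}

# Hypothetical baseline (an assumption, not from the thread): adjust to your own standard.
$baseline = @(
    @{ Name = 'MinimumPasswordLength'; Test = { param($v) [int]$v -ge 14 }; Want = '>= 14' }
    @{ Name = 'PasswordComplexity';    Test = { param($v) [int]$v -eq 1 };  Want = '1 (enabled)' }
    @{ Name = 'PasswordHistorySize';   Test = { param($v) [int]$v -ge 24 }; Want = '>= 24' }
    @{ Name = 'LockoutBadCount';       Test = { param($v) [int]$v -ge 1 -and [int]$v -le 10 }; Want = '1-10' }
    @{ Name = 'ClearTextPassword';     Test = { param($v) [int]$v -eq 0 };  Want = '0 (disabled)' }
)

# Report each baseline setting; a setting missing from [System Access] counts as a failure.
function Test-AccountPolicy {
    param([string]$Text)
    $access = (ConvertFrom-SecurityTemplate $Text)['System Access']
    foreach ($rule in $baseline) {
        $value = if ($access) { $access[$rule.Name] } else { $null }
        $ok = ($null -ne $value) -and (& $rule.Test $value)
        [pscustomobject]@{ Setting = $rule.Name; Value = $value; Expected = $rule.Want; Pass = [bool]$ok }
    }
}

Test-AccountPolicy $template | Format-Table -AutoSize
```

To check a real template, pass the file's text with `Get-Content -Raw` instead of the here-string.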
Jan 10 2023 01:29 PM - edited Jan 10 2023 01:35 PM
OK, so does the domain need to point to the server that is the DC? Because we currently don't.
I ask because this article states that serverhostname alone can be used to house the sysvol folder. Whether that is the same case in regards to creating a central store, I don't know, but I'd assume so.
https://www.minitool.com/lib/sysvol.html
And yes, I can find that file, with all those fields. Also, on a separate note, when on a local workstation and going to the device "Local Security Setting", I can see Account Policy there, but can't edit.
Jan 10 2023 01:36 PM
Jan 10 2023 01:39 PM
Jan 10 2023 01:43 PM
Jan 10 2023 02:03 PM
No dice, it gave me an error, "parameter is incorrect", but distinguished what I wanted to do.
Jan 10 2023 02:09 PM
Jan 10 2023 02:16 PM
Jan 10 2023 02:20 PM
Jan 10 2023 02:29 PM - edited Jan 10 2023 02:35 PM
And how many Domain Controllers do you have? Does it show if you connect your Group Policy Management Console to another DC?
Could you try running regsvr32.exe c:\windows\system32\wsecedit.dll (https://learn.microsoft.com/en-US/troubleshoot/windows-server/group-policy/group-policy-areas-missin...)? Perhaps a reboot afterward is required.
Jan 10 2023 02:33 PM
I was informed that once those policy definitions are placed in the "policies" folder, it will create a central store, in which it will change to retrieving from the central store. And we have just one "DC".
Jan 10 2023 02:38 PM
Jan 11 2023 06:15 AM
Ran the Regsvr and got this error @Harm_Veenstra