Account Policy templates are applied incorrectly

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

An administrator applies a security template that sets the account policies to something the administrator does not want to use, such as settings that cause users to change their password when the administrators do not want them to. Setting the Account Policies to Not Defined does not resolve the problem.

Cause

Incorrectly applied Account Policy settings. In this case, the administrator applied a security template that had unintended effects.

Solution

To resolve misapplied template issues, do the following:

  1. Re-apply the default settings for Account Policies. The default settings in the Default Domain Policy GPO for a clean installation of Windows Server 2003 are located in %windir%\inf\dcfirst.inf. The Dcfirst.inf security template is the template that is used to populate the security settings in the Default Domain Policy GPO when the first domain controller is installed in the domain. Importing this template into the Default Domain Policy (and checking the Clear this database before importing option) restores the security settings back to a clean install state.

    The same information applies to the Defdcgpo.inf security template which contains the default security settings in the Default Domain Controller Policy GPO (for a clean installation of Windows Server 2003). Defdcgpo.inf is located in %windir%\inf\.

    Note

    For domain accounts, the account policy must be defined in the Default Domain Policy or in a new policy that is linked to the root of the domain and given precedence over the Default Domain Policy, which is enforced by the domain controllers that make up the domain. If more than one GPO containing account policy settings is linked at the domain level, the domain's account policy consists of the cumulative policy settings from all the domain-linked GPOs. A domain controller always obtains the account policy from a GPO linked to the domain, which by default is the Default Domain Policy GPO. This behavior occurs even if a different account policy is applied to the OU that contains the domain controller. By default, workstations and servers joined to a domain (member computers) also receive the same account policy for their local accounts. However, local account policies for member computers can be differentiated from the domain account policy by defining an account policy for the OU that contains the member computers. Modifying the Default Domain Policy is not recommended. If you need an account policy that differs from the one in the Default Domain Policy GPO, create a new GPO, link it to the root of the domain, set the policy you want to use, and assign it higher precedence than the Default Domain Policy GPO.

  2. Wait for replication changes to propagate to the domain controller.

  3. Verify that the policy applied to the clients.

To reapply default security settings using the Windows interface

  1. Click Start, click Run, type mmc, and then click OK.

  2. Do one of the following:

    • To create a new console, on the File menu, click New.

    • To open an existing console, on the File menu, click Open, click the console that you want to open, and then click Open.

  3. On the File menu, click Add/Remove Snap-in, and then, in Add/Remove Snap-in, click Add.

  4. Click Security Configuration and Analysis, click Add, click Close, and then click OK.

  5. In the console tree, right-click Security Configuration and Analysis, and then click Open Database.

  6. In File name, type the file name, and then click Open.

  7. Do one of the following:

    • For a domain controller, in the console tree, right-click Security Configuration and Analysis, click Import Template, click Look in in the Import Template dialog box, and then select dcfirst.inf in the %windir%\inf folder.

    • For other computers, in the console tree, right-click Security Configuration and Analysis, click Import Template, and then click Setup security.

  8. Select the Clear this database before importing check box, and then click Open.

  9. In the console tree, right-click Security Configuration and Analysis, and then click Configure Computer Now.

  10. Do one of the following:

    • To use the default log specified in Error log file path, click OK.

    • To specify a different log, in Error log file path, type a valid path and file name, and then click OK.

  11. When the configuration is done, right-click Security Configuration and Analysis, and then click View Log File.

Important

Applying the entire setup security template is a drastic measure that should be avoided; it is best to limit the settings being reset to the smallest possible number. Instead, use the secedit command-line tool with the /areas switch to apply default settings for specific areas.

Note

Different permissions are required to perform this procedure, depending on the environment in which you reapply default security settings.

If you reapply default security settings to your local computer: To perform this procedure, you must be an Administrator or a member of the Administrators group on the local computer. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

If you reapply default security settings to a computer that is joined to a domain: To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have a local Administrator account or an account in the local Administrators group.

To open Security Configuration and Analysis

  1. Click Start, click Run, type mmc, and then click OK.

  2. Do one of the following:

    • To create a new console, on the File menu, click New.

    • To open an existing console, on the File menu, click Open, click the console that you want to open, and then click Open.

  3. On the File menu, click Add/Remove Snap-in, and then, in Add/Remove Snap-in, click Add.

  4. Click Security Configuration and Analysis, click Add, click Close, and then click OK.

The default path for the log file is: systemroot\Documents and Settings\UserAccount\My Documents\Security\Logs\.

When you reapply default security settings, all settings that are defined in Setup security.inf are set as the template specifies, but other settings that are not defined in the template may persist.

To reapply default security settings using a command line

  1. Click Start, point to All Programs, point to Accessories, and then click Command Prompt.

  2. For a server or workstation, type:

    secedit /configure /DB FileName /CFG "%windir%\Security\Templates\Setup security.inf" [/overwrite] [/areas Area1 Area2 ...] [/log LogPath] [/quiet]

  3. For a domain controller, type:

    secedit /configure /DB FileName /CFG "%windir%\inf\dcfirst.inf" [/overwrite] [/areas Area1 Area2 ...] [/log LogPath] [/quiet]

The following table describes the Secedit arguments used in the procedure.

Argument Description

/DB FileName

Required. Provides the path to a database that contains the security template that should be applied. To create a new database, type the database file name and path.

/CFG "%windir%\Security\Templates\Setup security.inf"

Specifies the Setup Security.inf template that contains the default security settings.

/overwrite

Specifies that the database should be emptied prior to importing the security template. If this parameter is not specified, the settings in the security template are accumulated into the database. If this parameter is not specified and there are conflicting settings in the database and the template being imported, the template settings win.

/areas Area1 Area2 ...

Specifies the security areas to be applied to the system. If this parameter is not specified, all security settings defined in the database are applied to the system. To configure multiple areas, separate each area by a space. The following security areas are supported:

  • SECURITYPOLICY   Includes account policies, audit policies, event log settings, and security options.

  • GROUP_MGMT   Includes Restricted Group settings.

  • USER_RIGHTS   Includes user rights assignment.

  • REGKEYS   Includes registry permissions.

  • FILESTORE   Includes file system permissions.

  • SERVICES   Includes System Service settings.

/log LogPath

Specifies a file in which to log the status of the configuration process. If not specified, configuration data is logged in the Scesrv.log file, which is located in the %windir%\Security\Logs folder.

/quiet

Specifies that the configuration process should take place without prompting the user.
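The following batch script is an added example and is not part of the original page; it shows the narrow, /areas-limited use of secedit that the Important note above recommends for a domain controller, together with the verification step (step 3 of the solution). The working folder C:\SecReset and the database and log file names are constructed for this example; dcfirst.inf, secedit, findstr and net accounts are the Windows Server 2003 tools the page already refers to.

```batch
@echo off
REM Added example (not from the original page): reset only the SECURITYPOLICY area
REM (account policies, audit policies, event log settings, security options) of a
REM domain controller from dcfirst.inf, then check the outcome.
REM Assumed/constructed values: the C:\SecReset folder and the .sdb/.log file names.

setlocal
set WORKDIR=C:\SecReset
set TEMPLATE=%windir%\inf\dcfirst.inf
set DB=%WORKDIR%\dcreset.sdb
set LOG=%WORKDIR%\dcreset.log

if not exist "%WORKDIR%" mkdir "%WORKDIR%"

REM 1. Record how the live system differs from the template before changing anything.
REM    /analyze only compares and writes a report; it does not modify the computer.
secedit /analyze /db "%WORKDIR%\before.sdb" /cfg "%TEMPLATE%" /log "%WORKDIR%\before.log" /quiet

REM 2. Apply the single area. /overwrite empties the new database first so nothing
REM    from an earlier import accumulates; /areas SECURITYPOLICY leaves file system,
REM    registry, service, restricted-group and user-rights settings untouched.
secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /overwrite /areas SECURITYPOLICY /log "%LOG%" /quiet
if errorlevel 1 (
    echo secedit reported a failure; review "%LOG%"
    goto :end
)

REM 3. Quick scan of the log for the word "error" (findstr sets errorlevel 1 when
REM    nothing matches). Review the whole log regardless; this is only a first pass.
findstr /i "error" "%LOG%"
if errorlevel 1 echo No lines containing "error" in "%LOG%"

REM 4. Show the account policy the computer is now enforcing (password age, length,
REM    history and lockout values) so it can be compared with what dcfirst.inf defines.
net accounts

:end
endlocal
```

To verify step 3 of the solution on a member computer after replication, run gpupdate /force and then net accounts there; the values shown are the effective account policy that the domain-linked GPOs deliver to that computer.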

To view the complete syntax for the secedit command

  • At a command prompt, type: secedit /?