Microsoft KB Archive/927908

= Some security policies are displayed as "Not Defined" in the RSoP snap-in on a Windows Server 2003-based domain controller =

Article ID: 927908

Article Last Modified on 11/14/2006


APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)




SYMPTOMS
On a Microsoft Windows Server 2003-based domain controller, you use the Resultant Set of Policy (RSoP) Microsoft Management Console (MMC) snap-in. However, in the RSoP data that is returned, some security policies are reported as Not Defined. This behavior occurs even though these security policies are already defined.

The following policies are reported as Not Defined in the RSoP snap-in:
 * Policies in the Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy directory:
 ** Enforce password history
 ** Maximum password age
 ** Minimum password age
 ** Minimum password length
 ** Password must meet complexity requirements
 ** Store password using reversible encryption for all users in the domain
 * Policies in the Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy directory:
 ** Account lockout duration
 ** Account lockout threshold
 ** Reset account lockout counter after
 * Policy in the Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options directory:
 ** Network Security: Force logoff when logon hours expire



CAUSE
This behavior occurs if the following conditions are true:
 * The domain controller in question is not the primary domain controller (PDC) emulator.
 * You use either the RSoP snap-in or the Group Policy Management Console (Gpmc.msc) on this domain controller.



WORKAROUND
To verify that the security policies are propagated to the remaining domain controllers, run the following command at a command prompt on any of the domain controllers that are not the PDC emulator:

net accounts /domain
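
The check above can be scripted so that the output is compared against the values you expect, using the policy names that the RSoP snap-in reports as Not Defined. The following PowerShell is an added example, not part of the original article. It assumes Windows PowerShell 2.0 or later is installed on the domain controller, and both the sample output and the baseline values are constructed for illustration.

```powershell
# Constructed sample of "net accounts /domain" output (not from a real domain).
# On a live domain controller use instead:  $lines = net accounts /domain
$lines = @'
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
The command completed successfully.
'@ -split "`r?`n"

# Hypothetical baseline: net accounts label, RSoP policy name, expected value.
# Minimum password length is set to 8 here so the sample shows one mismatch.
$baseline = @(
    @{ Label = 'Length of password history maintained'; Policy = 'Enforce password history'; Expected = '24' }
    @{ Label = 'Maximum password age (days)'; Policy = 'Maximum password age'; Expected = '42' }
    @{ Label = 'Minimum password age (days)'; Policy = 'Minimum password age'; Expected = '1' }
    @{ Label = 'Minimum password length'; Policy = 'Minimum password length'; Expected = '8' }
    @{ Label = 'Lockout duration (minutes)'; Policy = 'Account lockout duration'; Expected = '30' }
    @{ Label = 'Lockout threshold'; Policy = 'Account lockout threshold'; Expected = '5' }
    @{ Label = 'Lockout observation window (minutes)'; Policy = 'Reset account lockout counter after'; Expected = '30' }
    @{ Label = 'Force user logoff how long after time expires?'; Policy = 'Network Security: Force logoff when logon hours expire'; Expected = 'Never' }
)

# Parse "label:   value" lines; the trailing status line has no colon and is skipped.
$actual = @{}
foreach ($line in $lines) {
    if ($line -match '^(?<label>[^:]+):\s+(?<value>\S.*)$') {
        $actual[$Matches['label'].Trim()] = $Matches['value'].Trim()
    }
}

# One row per policy; a label missing from the output yields Match = False.
$report = foreach ($row in $baseline) {
    New-Object PSObject -Property @{
        Policy   = $row.Policy
        Expected = $row.Expected
        Actual   = $actual[$row.Label]
        Match    = ($actual[$row.Label] -eq $row.Expected)
    }
}
$report | Select-Object Policy, Expected, Actual, Match | Format-Table -AutoSize
```

The output of net accounts has no line for "Password must meet complexity requirements" or "Store password using reversible encryption for all users in the domain", so those two policies are not covered by this comparison.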



MORE INFORMATION
To determine the PDC emulator of the domain, run the following command at the command prompt on any computer in the domain:

netdom query fsmo



STATUS
This behavior is by design.

Keywords: kbexpertiseinter kbtshoot kbprb KB927908


© Microsoft Corporation. All rights reserved.