I can definitely confirm the behavior Joe describes.  I posted a tale of
woe about this a couple months back.  In our case, AD was replicating
between all sites quickly (due to site link notification being enabled
on all site links), but FRS was replicating based on the default site
link interval of 180 minutes.  We never noticed an issue with this until
we made a change to the account policy that affected a couple of the
attributes listed by Joe.  When we did, we saw the values 'ping-ponging'
between old and new values on DCs all over the world til FRS caught up
everywhere and all DCs settled on the new value.  

Having these values replicate via both mechanisms seems to be a
genuinely Bad Idea, but you typically don't see any issues of this sort
as long as FRS is working perfectly and both AD and FRS replication are
happening on roughly the same schedule.  

Dave
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, November 18, 2004 8:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How to Enable a Warning Message During Windows
Logon Welcome


Info like number of bad passwords before lockout are maintained in the
directory. In replicated attributes... 

Look at the following attribs on the Domain NC head and their matching
systemFlags values... 

lockoutDuration
lockoutObservationWindow
lockoutThreshold
maxPwdAge
minPwdAge
minPwdLength
pwdHistoryLength
pwdProperties


I have seen the case MULTIPLE times where policies were not in sync
across all DCs of a domain due to my favorite service - FRS - dorking up
and the policy seesawing back and forth because DC 1 sets the policy to
one value, that replicates to DC 2 which has the old policy and sees it
and changes it back, that replicates back to DC 1 and it says that
doesn't match its GPO so it changes it back. Back and forth back and
forth. 

I have seen that both with domain security policies and I have seen it
with restricted groups. I once had an issue where one DC was screwed for
FRS and I was trying to back out a restricted policy for admins/domain
admins. I had to keep watching a DC to see who the admins were to know
when I could connect to it since in one policy I was the admin, in the
other I wasn't and the AD replication was flip flopping the membership
back and forth. 

I have discovered by accident sites that have had this problem when
looking at replication metadata and seeing say the lockoutThreshold
attribute having a version number in the tens of thousands. 


  joe
 
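A defender's check for the policy seesaw joe describes, added here as an example and not taken from the thread: it reads the eight attributes on the Domain NC head from every DC, flags any attribute whose value differs between DCs, and flags any attribute whose replication version counter has climbed far beyond what a rarely-changed policy setting should reach. It assumes the ActiveDirectory PowerShell module (RSAT, much newer than the 2004 environment discussed) and rights to read replication metadata; `$suspiciousVersion` is an assumed cut-off, not a documented figure.

```powershell
# Added check (not from the thread): compare the domain NC head's
# password/lockout attributes across every DC and inspect their
# replication metadata. Assumes the ActiveDirectory module (RSAT) and
# read access to the domain head; the version cut-off is assumed.
Import-Module ActiveDirectory

$attrs = 'lockoutDuration','lockoutObservationWindow','lockoutThreshold',
         'maxPwdAge','minPwdAge','minPwdLength','pwdHistoryLength','pwdProperties'
$domainDN = (Get-ADDomain).DistinguishedName
$dcs = (Get-ADDomainController -Filter *).HostName
$suspiciousVersion = 1000   # assumed cut-off; a healthy domain head stays far below this

$rows = foreach ($dc in $dcs) {
    # Per-attribute replication metadata as this DC holds it: current value,
    # version counter and the DC that originated the last write.
    $meta = Get-ADReplicationAttributeMetadata -Object $domainDN -Server $dc -Properties $attrs
    foreach ($m in $meta) {
        [pscustomobject]@{
            DC         = $dc
            Attribute  = $m.AttributeName
            Value      = $m.AttributeValue
            Version    = $m.Version
            LastOrigin = $m.LastOriginatingChangeDirectoryServerIdentity
            LastChange = $m.LastOriginatingChangeTime
        }
    }
}

# 1) Do the DCs disagree? More than one distinct value for an attribute means
#    the domain is mid-seesaw (or replication is simply behind).
$rows | Group-Object Attribute | ForEach-Object {
    $distinct = ($_.Group.Value | Sort-Object -Unique).Count
    if ($distinct -gt 1) {
        Write-Warning "$($_.Name) differs across DCs ($distinct distinct values)"
        $_.Group | Format-Table DC, Value, Version, LastOrigin -AutoSize
    }
}

# 2) Has an attribute been rewritten thousands of times? A version counter
#    that high on a policy attribute that should change a handful of times a
#    year is the tell joe mentions seeing in the replication metadata.
$rows | Where-Object { $_.Version -ge $suspiciousVersion } |
    Sort-Object Version -Descending |
    Format-Table DC, Attribute, Version, LastOrigin, LastChange -AutoSize
```

Run it from a DC or a management host in the domain; an empty result from both sections is the healthy outcome.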

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Wednesday, November 17, 2004 4:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How to Enable a Warning Message During Windows
Logon Welcome

Darren - if I understand Joe correctly, he doesn't mean that the policy
values are replicated. It's the fact that DCs may have different
thresholds for acct. lockout (due to the described setup) that the bad
logon count which is passed on from one DC to another would trigger a
lockout at a different threshold on the different DCs and you'd never be
sure which would apply. 
However, I doubt we'd have replication back and forth: if a DC with a
threshold of 10 passes on the bad logon attempt to the PDCE with a
threshold of 5, the PDCE would potentially set the user-account to
locked while the other DC would still be fine with 5 more logon
attempts. But if this change of the user-account is then replicated out
to the other DC, I'm pretty sure that the DC set to 10 attempts doesn't
then unlock the account (and causes further replication).  

So Joe, you may want to elaborate on that.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, November 17, 2004 6:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How to Enable a Warning Message During Windows
Logon Welcome

Joe-
Are you sure data like that is stored in AD? I thought, actually, that
security policy like this was still stored in the security hive of the
registry (i.e. the SAM) for each machine and thus not replicated.  

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, November 16, 2004 10:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How to Enable a Warning Message During Windows
Logon Welcome

This would be extremely unstable. 

Not only is the policy being changed by the GPO replicated through FRS,
it is also being changed by the values replicating around for the Domain
NC head through AD replication. I.E. The machine that got say a value of
10 for bad hits for lockout would replicate to the machine that had a
value of say 5. Then the second would be changed back by policy and try
to replicate to the first and back and forth. 

What I am trying to say is instead of having one policy on one machine
and another on another machine, you would have no idea at any given
point what the policy was because it would be constantly changing on all
DCs as they duked it out.

  joe
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, November 16, 2004 3:01 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] How to Enable a Warning Message During Windows
Logon Welcome

Rick,

That's correct. In fact we once tried having two policies at the domain
level with different values for the password length. We then changed
filtering so that one Domain controller got one policy and another
Domain controller got a different policy.

We then tested how each behaved when processing password changes and
each was using the different values.

A cute setup, but of no practical use that I can think of.

Alan Cuthbertson

----- Original Message -----
From: "Kingslan, Rick T." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 17, 2004 3:17 AM
Subject: RE: [ActiveDir] How to Enable a Warning Message During Windows
Logon Welcome


> Only Password Policies created at the domain level are effective for
> domain users, but they don't have to be in the default domain policy 
> object.

Can you elaborate on this?  I've only had one coffee this morning, and I
don't think I follow what you're saying....

Are you saying that a GPO identified by a GUID other than the Default
Domain Policy can apply Password, Kerb, Lockout, etc?

Rick

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of ASB
> Sent: Tuesday, November 16, 2004 7:44 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] How to Enable a Warning Message During Windows
> Logon Welcome
>
> > The Default Domain Policy is the *only* effective policy for those
> settings.
>
> That's not an accurate statement...
>
> Only Password Policies created at the domain level are effective for
> domain users, but they don't have to be in the default domain policy 
> object.
>
> -ASB
>
>
> On Sun, 7 Nov 2004 12:58:57 -0600, Brian Desmond
> <[EMAIL PROTECTED]> wrote:
> > The Default Domain Policy is the *only* effective policy for those
> settings.
> >
> >
> >
> > Thanks.
> >
> > --Brian Desmond
> > [EMAIL PROTECTED]
> > Payton on the web! www.wpcp.org
> >
> > v - 773.534.0034 x135
> > f - 773.534.8101
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:ActiveDir-
> > > [EMAIL PROTECTED] On Behalf Of ASB
> > > Sent: Sunday, November 07, 2004 11:32 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [ActiveDir] How to Enable a Warning Message During Windows
> > > Logon Welcome
> > >
> > > You would seem to be suggesting that multiple policies cannot be
> > > applied...
> > >
> > > -ASB
> > >
> > > On Fri, 5 Nov 2004 21:19:38 -0600, Brian Desmond
> > > <[EMAIL PROTECTED]> wrote:
> > > > Oh? How do you go about setting password policies, lockout policies,
> > > > kerb policies, etc with this practice?
> > > >
> > > > Thanks.
> > > >
> > > > --Brian Desmond
> > > > [EMAIL PROTECTED]
> > > > Payton on the web! www.wpcp.org
> > > >
> > > > v - 773.534.0034 x135
> > > > f - 773.534.8101
> > > >
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED] [mailto:ActiveDir-
> > > > > [EMAIL PROTECTED] On Behalf Of Jared Manhat
> > > > > Sent: Friday, November 05, 2004 3:07 PM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: RE: [ActiveDir] How to Enable a Warning Message During Windows
> > > > > Logon Welcome
> > > > >
> > > > > You should never modify the Default Domain Policy, instead create a new
> > > > > one.
> > > > >
> > > > > Jared Manhat
> > > > > Systems Administrator
> > > > > Accutest Laboratories
> > > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED]
> > > > > [mailto:[EMAIL PROTECTED] On Behalf Of Lou Vega
> > > > > Sent: Friday, November 05, 2004 11:01 AM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: RE: [ActiveDir] How to Enable a Warning Message During Windows
> > > > > Logon Welcome
> > > > >
> > > > > Try under:
> > > > > Default Domain Policy -> Computer Configuration -> Windows Settings
> > > > > -> Security Settings -> Local Policies -> Security Options
> > > > > -> Message Title for users attempting to logon
> > > > > r/
> > > > > Lou
> > > > >
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED]
> > > > > [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
> > > > > Sent: Friday, November 05, 2004 10:52 AM
> > > > > To: '[EMAIL PROTECTED]'
> > > > > Subject: [ActiveDir] How to Enable a Warning Message During Windows
> > > > > Logon Welcome
> > > > >
> > > > > Hello,
> > > > >
> > > > > Running Windows 2k AD and I was wondering if there is a way via group
> > > > > policy to Enable a Warning Message During Windows Logon Welcome.  I know
> > > > > there is a reg hack for it, but I won't want to touch 300 desktops.
> > > > > Thanks.
> > > > >
> > > > > Christine
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/