Some security policies are displayed as "Not Defined" in the RSoP snap-in on a Windows Server 2003, 2008 or 2008 R2 based domain controller

View products that this article applies to.

Symptoms

On a Microsoft Windows Server 2003, 2008 or 2008R2 based domain controller, you use the Resultant Set of Policy (RSoP) Microsoft Management Console (MMC) snap-in. However, in the RSoP data that is returned, some security policies are reported as Not Defined. This behavior occurs even though these security policies are already defined.

The following policies are reported as Not Defined in the RSoP snap-in:

Policies in the Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy directory:
- Enforce password history
- Maximum password age
- Minimum password age
- Minimum password length
- Password must meet complexity requirements
- Store password using reversible encryption for all users in the domain
Policies in the Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy directory:
- Account lockout duration
- Account lockout threshold
- Reset account lockout counter after
Policy in the Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options directory:
- Network Security: Force logoff when logon hours expire

↑ Back to the top

Cause

This behavior occurs if the following conditions are true:

The domain controller in question is not the primary domain controller (PDC) emulator.
You use either the RSoP snap-in or the Group Policy Management Console (Gpmc.msc) on this domain controller.

↑ Back to the top

Workaround

To verify that the security policies are propagated to the remaining domain controllers, run the following command at a command prompt on any of the domain controllers that are not the PDC emulator:

net accounts /domain

↑ Back to the top