Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Some security policies are displayed as "Not Defined" in the RSoP snap-in on a Windows Server 2003, 2008 or 2008 R2 based domain controller

View products that this article applies to.


On a Microsoft Windows Server 2003, 2008 or 2008R2 based domain controller, you use the Resultant Set of Policy (RSoP) Microsoft Management Console (MMC) snap-in. However, in the RSoP data that is returned, some security policies are reported as Not Defined. This behavior occurs even though these security policies are already defined.

The following policies are reported as Not Defined in the RSoP snap-in:
  • Policies in the Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy directory:
    • Enforce password history
    • Maximum password age
    • Minimum password age
    • Minimum password length
    • Password must meet complexity requirements
    • Store password using reversible encryption for all users in the domain
  • Policies in the Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy directory:
    • Account lockout duration
    • Account lockout threshold
    • Reset account lockout counter after
  • Policy in the Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options directory:
    • Network Security: Force logoff when logon hours expire

↑ Back to the top


This behavior occurs if the following conditions are true:
  • The domain controller in question is not the primary domain controller (PDC) emulator.
  • You use either the RSoP snap-in or the Group Policy Management Console (Gpmc.msc) on this domain controller.

↑ Back to the top


To verify that the security policies are propagated to the remaining domain controllers, run the following command at a command prompt on any of the domain controllers that are not the PDC emulator:
net accounts /domain

↑ Back to the top

More Information

To determine the PDC emulator of the domain, run the following command at the command prompt on any computer in the domain:
netdom query fsmo

↑ Back to the top


This behavior is by design.

↑ Back to the top

Keywords: kb, kbexpertiseinter, kbtshoot, kbprb

↑ Back to the top

Article Info
Article ID : 927908
Revision : 1
Created on : 1/7/2017
Published on : 9/12/2013
Exists online : False
Views : 549