Some security policies are displayed as "Not Defined" in the RSoP snap-in on a Windows Server 2003-based domain controller

On a Microsoft Windows Server 2003-based domain controller, you use the Resultant Set of Policy (RSoP) Microsoft Management Console (MMC) snap-in. However, in the RSoP data that is returned, some security policies are reported as Not Defined. This behavior occurs even though these security policies are already defined.

The following policies are reported as Not Defined in the RSoP snap-in:

• Policies in the Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy directory:
  • Enforce password history
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Password must meet complexity requirements
  • Store password using reversible encryption for all users in the domain
• Policies in the Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy directory:
  • Account lockout duration
  • Account lockout threshold
  • Reset account lockout counter after
• Policy in the Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options directory:
  • Network Security: Force logoff when logon hours expire

This behavior occurs if the following conditions are true:

• The domain controller in question is not the primary domain controller (PDC) emulator.
• You use either the RSoP snap-in or the Group Policy Management Console (Gpmc.msc) on this domain controller.

To verify that the security policies are propagated to the remaining domain controllers, run the following command at a command prompt on any of the domain controllers that are not the PDC emulator:

To determine the PDC emulator of the domain, run the following command at the command prompt on any computer in the domain:

This behavior is by design.