Some security policies are displayed as "Not Defined" in the RSoP snap-in on a Windows Server 2003, 2008 or 2008 R2 based domain controller

Applies to: Microsoft Windows Server 2003 Standard Edition (32-bit x86); Microsoft Windows Server 2003 Enterprise Edition (32-bit x86); Microsoft Windows Server 2003 Web Edition

Symptoms


On a Microsoft Windows Server 2003, 2008 or 2008 R2 based domain controller, you use the Resultant Set of Policy (RSoP) Microsoft Management Console (MMC) snap-in. However, in the RSoP data that is returned, some security policies are reported as Not Defined. This behavior occurs even though these security policies are already defined.


The following policies are reported as Not Defined in the RSoP snap-in:
  • Policies in the Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy directory:
    • Enforce password history
    • Maximum password age
    • Minimum password age
    • Minimum password length
    • Password must meet complexity requirements
    • Store password using reversible encryption for all users in the domain
  • Policies in the Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy directory:
    • Account lockout duration
    • Account lockout threshold
    • Reset account lockout counter after
  • Policy in the Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options directory:
    • Network Security: Force logoff when logon hours expire

Cause


This behavior occurs if the following conditions are true:
  • The domain controller in question is not the primary domain controller (PDC) emulator.
  • You use either the RSoP snap-in or the Group Policy Management Console (Gpmc.msc) on this domain controller.

Workaround


To verify that the security policies have propagated to the remaining domain controllers, run the following command at a command prompt on any of the domain controllers that are not the PDC emulator. The output lists the effective domain account policy values (password age, length and history, and the lockout settings) that this domain controller holds, regardless of what the RSoP snap-in reports:
net accounts /domain

More Information


To determine the PDC emulator of the domain, run the following command at the command prompt on any computer in the domain:
netdom query fsmo
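The following PowerShell script is an added example, not part of this article, that combines the Workaround and More Information steps: it determines the PDC emulator (the same answer as "netdom query fsmo"), reads the domain's default password and lockout policy, and then runs "net accounts /domain" on every other domain controller to confirm the same values have propagated there. It assumes the ActiveDirectory PowerShell module (RSAT) is installed on the computer where it runs and that WinRM remoting to each domain controller is allowed; neither assumption comes from the article.

```powershell
# Added example (not from the KB article): confirm that the domain account
# policies are identical on every domain controller that is not the PDC emulator.
# Assumptions: ActiveDirectory module available, WinRM access to each DC.
Import-Module ActiveDirectory

function ConvertTo-PolicyNumber {
    param([string]$Text)
    # "net accounts" prints "Never" or "Unlimited" where AD stores 0 (disabled).
    if ($Text -match '^(Never|Unlimited)$') { return 0 }
    return [int]$Text
}

function Get-NetAccountsPolicy {
    param([string]$ComputerName)
    # Run "net accounts /domain" on the target DC and parse rows such as
    # "Minimum password length:        7" into a name -> value table.
    $lines = Invoke-Command -ComputerName $ComputerName -ScriptBlock { net accounts /domain }
    $result = @{}
    foreach ($line in $lines) {
        # Split at the first colon that is followed by two or more spaces, so the
        # "?" in "Force user logoff how long after time expires?:" is kept in the name.
        if ($line -match '^(?<name>.+?):\s{2,}(?<value>\S.*)$') {
            $result[$Matches.name.Trim()] = $Matches.value.Trim()
        }
    }
    return $result
}

# Step 1: find the PDC emulator (equivalent to "netdom query fsmo").
$pdc = (Get-ADDomain).PDCEmulator
Write-Host "PDC emulator: $pdc"

# Step 2: reference values from the domain's default password/lockout policy,
# keyed by the exact row labels that "net accounts /domain" prints.
$reference = Get-ADDefaultDomainPasswordPolicy
$expected = @{
    'Maximum password age (days)'           = [int]$reference.MaxPasswordAge.TotalDays
    'Minimum password age (days)'           = [int]$reference.MinPasswordAge.TotalDays
    'Minimum password length'               = $reference.MinPasswordLength
    'Length of password history maintained' = $reference.PasswordHistoryCount
    'Lockout threshold'                     = $reference.LockoutThreshold
    'Lockout duration (minutes)'            = [int]$reference.LockoutDuration.TotalMinutes
    'Lockout observation window (minutes)'  = [int]$reference.LockoutObservationWindow.TotalMinutes
}

# Step 3: compare what each non-PDC-emulator DC reports against the reference.
$nonPdcDcs = Get-ADDomainController -Filter * | Where-Object { $_.HostName -ne $pdc }
foreach ($dc in $nonPdcDcs) {
    $observed = Get-NetAccountsPolicy -ComputerName $dc.HostName
    foreach ($name in $expected.Keys) {
        $seen = if ($observed.ContainsKey($name)) { ConvertTo-PolicyNumber $observed[$name] } else { $null }
        $status = if ($seen -eq $expected[$name]) { 'OK' } else { 'MISMATCH' }
        Write-Host ("{0,-30} {1,-40} expected={2,-4} observed={3,-4} {4}" -f `
            $dc.HostName, $name, $expected[$name], $seen, $status)
    }
}
```

A MISMATCH row means the value held by that domain controller differs from the domain's default policy, which points to a replication or policy-application problem rather than the display behavior this article describes; rows that all read OK confirm the policies have propagated even though RSoP on that DC shows them as Not Defined.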

Status


This behavior is by design.