Frequent Event Log errors related to GPO

Anonymous
2024-09-06T18:34:12+00:00

We currently have 3 different versions of Server in our environment.

2016

2019

2022

All the 2016's and 2019's have multiple Application event log errors with the following:

"Security policies were propagated with warning. 0x57 : The parameter is incorrect."

When I launch RSOP.MSC on the system with the error, I can see that there is a warning under “Computer Configuration”.  Going into the properties it tells me that the Warning is within the Security Settings.  Drilling down into Security Settings, I can see that the Password Policy has some issues.  The 2022's don't have this issue.  All systems use the same "Default Domain Policy"

![](https://filestore.community.support.microsoft.com/api/images/f241086f-3d44-41cf-8d73-a81d8c9110e9?upload=true&fud_access=hC1SxZhn7m%2FZQJkOIiOVstu10yTQgXS4A%2FDBzZTg8nbaCgIogkrcDydMeI5Y4za2dOqDdWtsG2JNS3E35V60i9TiGHR7STMpJHheeXuDvO8nwjUlqCBHhJ0NDvuYN7OScQz85chXofwD%2FeLE%2B%2F0toVTYodJJFx3CitqFQYF7%2Fm50oJFjE%2FUBhPbc3ca2UrPIDhW2%2FL35%2FoIbSwrytQLWBSmvU8oiKQwYunLf%2FjPYwxydW0PKTOV%2Fztfn%2F6Vsagp7cAve44cO4tz7GSGIelBLC13kGsrWEXUq8Rue1lhnXLaxGm1eBdVOpALW4kLwxGAV6fJPzh7FPsmli64j6REoLOrUMee9VMPP6ZVGb4hUciCJz2YYghGromwqBJMTmcP8Nf8kE3sZW1hZVrMmQhTv9oJv7xHyIdoGHsIWWyNpyTY%3D)

When I enable winlogon.log via the registry settings, I can see it's logging an error but it's not really giving me a clear indication what the actual problem is.

Any advice how to proceed next would be greatly appreciated.

Thanks!

Windows Server Identity and access Active Directory

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.


2 answers

  1. Anonymous
    2024-09-09T06:24:11+00:00

    Hi Brendan_007,

    Thank you for posting in the Microsoft Community Forums.

    1. Verify Group Policy settings

    First, make sure that Default Domain Policy is correctly applied to all servers. You can use the following command to view the Group Policy Result Set (RSOP):

    ```
    gpresult /h C:\gpresult.html
    ```

    This will generate an HTML file under the specified path, which you can open in your browser to view the detailed Group Policy settings and applications.

    2. Check the specific settings of the password policy

    Since the problem points to the password policy, you should check the following points:

    Ensure that the password policy settings are consistent across all servers and meet your security requirements.

    Check if any other Group Policy Objects (GPOs) override the default password policy settings.

    Check to see if any custom GPOs have been incorrectly linked to OUs (organizational units) or sites, which could lead to policy conflicts.

    3. Check Group Policy Inheritance and Linking

    Use the Group Policy Management Tool (GPMC) to check the linking and inheritance settings for group policies.

    Ensure that no unnecessary GPOs are linked to OUs that contain these servers, especially those that may contain conflicting settings.

    4. Review event logs

    Carefully review the system logs and security logs for any other errors or warnings related to password policies or group policies.

    Pay particular attention to any errors related to LDAP (Lightweight Directory Access Protocol), as password policies are often stored in Active Directory.

    5. Registry and Winlogon Logs

    If winlogon.log does not provide enough information, you may consider increasing the level of detail in the log or looking at other relevant registry entries. Note, however, that direct modification of the registry can be risky, so make sure you know what you're doing or back up the registry before making changes.

    Another possible tool is Process Monitor (from the Sysinternals suite), which captures all registry accesses and system calls related to winlogon.

    6. Upgrading or patching the server

    If possible, consider updating Windows Server 2016 and 2019 systems to the latest patch level. This can address known security and compatibility issues.

    Best regards

    Neuvi
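
A triage script for the event-log and winlogon.log steps in the answer above, as an added example that is not part of the original thread. It assumes the warning is logged by the `SceCli` source as event ID 1202, that the security client-side extension uses the GUID shown, and that the log sits at the default `%windir%\security\logs\winlogon.log` path; none of these values appear in the thread.

```powershell
# Added example: read-only triage for
# "Security policies were propagated with warning. 0x57 : The parameter is incorrect."
# Assumptions (not from the thread): source SceCli / event ID 1202, the CSE GUID below,
# and the default winlogon.log location. Run from an elevated PowerShell prompt.
$cseKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
$logPath = Join-Path $env:windir 'security\logs\winlogon.log'
$infPath = Join-Path $env:TEMP 'effective-secpol.inf'

# 1. Propagation warnings carrying 0x57 in the Application log (last 7 days).
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'SceCli'
    Id           = 1202
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match '0x57' }
'{0} SceCli 1202 event(s) with 0x57 on {1}' -f @($events).Count, $env:COMPUTERNAME
$events | Select-Object -First 3 TimeCreated, Id, ProviderName | Format-Table -AutoSize

# 2. Is verbose logging for the security extension switched on? (2 = verbose)
$debug = (Get-ItemProperty -Path $cseKey -Name ExtensionDebugLevel `
          -ErrorAction SilentlyContinue).ExtensionDebugLevel
"ExtensionDebugLevel = '$debug'"

# 3. Error lines in winlogon.log with surrounding context; the lines just before
#    an "Error 87" (0x57 in decimal) entry name the setting being applied.
if (Test-Path $logPath) {
    Select-String -Path $logPath -Pattern 'Error \d+|0x57|parameter is incorrect' -Context 3,1 |
        Select-Object -Last 10
} else {
    "No log at $logPath; run 'gpupdate /force' after enabling verbose logging."
}

# 4. Export the effective local security policy and list the password and lockout
#    values, so the output from a 2016/2019 host can be diffed against a 2022 host.
secedit /export /cfg $infPath /areas SECURITYPOLICY | Out-Null
Get-Content $infPath |
    Where-Object { $_ -match '^(Minimum|Maximum|Password|ClearText|Lockout)' }
Remove-Item $infPath -ErrorAction SilentlyContinue
```

Running it on one affected server and one 2022 server and comparing the step 4 output shows whether the effective password policy values differ between the OS versions.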

  2. Anonymous
    2024-09-09T21:29:53+00:00

    > First, make sure that Default Domain Policy is correctly applied to all servers. You can use the following command to view the Group Policy Result Set (RSOP):

    As stated in my initial posting, I have already verified that the GPO is applied to the servers I checked. "All systems use the same Default Domain Policy"

    > 2. Check the specific settings of the password policy
    >
    > Since the problem points to the password policy, you should check the following points:
    >
    > Ensure that the password policy settings are consistent across all servers and meet your security requirements.

    Again as stated before (not sure why I have to repeat myself), it's all across the same. I have posted a pic showing one difference that's on the 2022 with red arrows and question marks.

    > Check if any other Group Policy Objects (GPOs) override the default password policy settings.

    There is no override. They all use the same GPO called "Default Domain Policy"

    > Check to see if any custom GPOs have been incorrectly linked to OUs (organizational units) or sites, which could lead to policy conflicts.

    There is no conflict that I can see

    > 3. Check Group Policy Inheritance and Linking
    >
    > Use the Group Policy Management Tool (GPMC) to check the linking and inheritance settings for group policies.
    >
    > Ensure that no unnecessary GPOs are linked to OUs that contain these servers, especially those that may contain conflicting settings.

    This seems like a very generic request. Please be more specific.

    > 4. Review event logs
    >
    > Carefully review the system logs and security logs for any other errors or warnings related to password policies or group policies.
    >
    > Pay particular attention to any errors related to LDAP (Lightweight Directory Access Protocol), as password policies are often stored in Active Directory.

    Again, see my original post about the event logs

    > 5. Registry and Winlogon Logs
    >
    > If winlogon.log does not provide enough information, you may consider increasing the level of detail in the log or looking at other relevant registry entries. Note, however, that direct modification of the registry can be risky, so make sure you know what you're doing or back up the registry before making changes.
    >
    > Another possible tool is Process Monitor (from the Sysinternals suite), which captures all registry accesses and system calls related to winlogon.

    Again, see my original post related to winlogon logs (was my original post obscured somehow??)

    > 6. Upgrading or patching the server
    >
    > If possible, consider updating Windows Server 2016 and 2019 systems to the latest patch level. This can address known security and compatibility issues.

    We regularly update and patch as they come through

    Question, are you able to understand this?
