Introduction

When working with Active Directory (AD), administrators often modify policies through Group Policy Objects (GPOs). In some cases, however, attempting to change security policies fails with an error such as:
“Windows cannot update the policies” or “Security template windows cannot update policy.”

This issue often arises when modifying the Account Lockout Threshold within the Default Domain Policy GPO.

Resolving Windows Cannot Update the Policies Error

The main cause of this error is that password policies in Active Directory can be set at two different levels:

  1. Domain-Level Password Policies
    • These are defined at the domain level and stored in the root attributes of Active Directory.
    • Retrieved using:
      Get-ADDefaultDomainPasswordPolicy
    • These settings are not linked to a specific Group Policy Object (GPO).

  2. GPO-Based Password Policies
    • These are configured in Group Policy Objects (GPOs), such as the Default Domain Policy.
    • Stored in the SYSVOL\Policies directory.
    • Changes made here attempt to override domain-level policies, which may not always work.

GUID Not Found in SYSVOL

Many administrators experiencing this error look for the GUID of the policy in SYSVOL but cannot find it. This happens because:

  • The password policy settings are stored at the domain level, not in the Group Policy folder (SYSVOL).
  • GPO-based policies do not always override domain-level settings, leading to conflicts.

How to Fix the Error

1. Use PowerShell to Modify the Domain-Level Policy

Since Get-ADDefaultDomainPasswordPolicy retrieves the password policy from the domain root attributes, you must use PowerShell to modify these settings instead of the GPO editor.

Run the following command to change the Account Lockout Threshold directly at the domain level:

Set-ADDefaultDomainPasswordPolicy -Identity "yourdomain.com" -LockoutThreshold 5

Replace "yourdomain.com" with your actual domain name.

2. Verify the Policy Storage Location

To confirm whether the password policy is being applied at the domain level or through a GPO, run:

Get-ADDefaultDomainPasswordPolicy

If this command returns a result, it means the policy is being managed at the domain level, not through a GPO.
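The read, modify and verify sequence from steps 1 and 2, as an added PowerShell example (not code from the original article). It assumes the ActiveDirectory RSAT module is installed and the session runs with Domain Admin rights; the 30-minute lockout values are illustrative and not taken from the article.

```powershell
# Added example: inspect and adjust the domain-level lockout settings, then
# re-read them from the same source to confirm the change took effect.
# Assumes: ActiveDirectory module available, Domain Admin rights.
Import-Module ActiveDirectory

# Resolve the domain name instead of hard-coding "yourdomain.com".
$domain = (Get-ADDomain).DNSRoot

# Current domain-level values (the settings the article says are not tied to a GPO GUID in SYSVOL).
$before = Get-ADDefaultDomainPasswordPolicy -Identity $domain
$before | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow, MinPasswordLength

# Dry run first: -WhatIf reports what would change without touching the domain.
Set-ADDefaultDomainPasswordPolicy -Identity $domain -LockoutThreshold 5 -WhatIf

# Apply the change. The observation window must not exceed the lockout duration,
# and a duration of 0 means "locked until an administrator unlocks the account".
# Values below are constructed for this example.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# Verify by re-reading the domain root attributes.
$after = Get-ADDefaultDomainPasswordPolicy -Identity $domain
if ($after.LockoutThreshold -ne 5) {
    throw "LockoutThreshold is $($after.LockoutThreshold); the change was not applied."
}
$after | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow
```

Reading the policy back with the same cmdlet matters because, as the summary below notes, different tools can display different values depending on where they read from; this confirms the value at the domain level itself.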

3. Check SYSVOL for GPO-Based Policies

If you still want to enforce a policy through a GPO, ensure that the policy is properly stored in SYSVOL:

  1. Navigate to \\DOMAIN\SYSVOL\DOMAIN\Policies (replace DOMAIN with your domain's DNS name).
  2. Look for the folder named after the GUID of the GPO, as displayed in the GPO editor.
  3. If the policy is missing, you may need to recreate it.
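The SYSVOL check above, as an added PowerShell example (not code from the original article). It lists every GPO in the domain alongside its expected SYSVOL folder and reports any whose {GUID} folder or security-settings template is absent, then checks whether a given GUID is a GPO at all. It assumes the GroupPolicy and ActiveDirectory RSAT modules; the GUID looked up at the end is the one quoted in the article's summary.

```powershell
# Added example: map each GPO to its SYSVOL folder and flag missing ones.
# Assumes: GroupPolicy and ActiveDirectory modules, read access to SYSVOL.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain       = (Get-ADDomain).DNSRoot
$policiesRoot = "\\$domain\SYSVOL\$domain\Policies"

# Security settings (account lockout, password rules) written by a GPO land in this template.
$secTemplate  = 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'

$report = foreach ($gpo in Get-GPO -All -Domain $domain) {
    $folder = Join-Path $policiesRoot ('{' + $gpo.Id.ToString() + '}')
    [pscustomobject]@{
        DisplayName = $gpo.DisplayName
        Guid        = $gpo.Id
        SysvolPath  = $folder
        InSysvol    = Test-Path -LiteralPath $folder
        HasSecInf   = Test-Path -LiteralPath (Join-Path $folder $secTemplate)
    }
}

# GPOs with InSysvol = False have an AD object but no SYSVOL folder: candidates for recreation.
$report | Sort-Object InSysvol, DisplayName | Format-Table -AutoSize

# A GUID that is not returned by Get-GPO is not a GPO in this domain, so no SYSVOL folder
# will ever exist for it; the article's explanation (domain-level setting) applies.
$lookup = '8670708b-d578-4ef6-9adf-53e96fdd8a43'   # GUID quoted in the article's summary
$match  = Get-GPO -Guid $lookup -Domain $domain -ErrorAction SilentlyContinue
if ($null -eq $match) {
    "No GPO with GUID $lookup exists in $domain; look at Get-ADDefaultDomainPasswordPolicy instead."
} else {
    "GPO '$($match.DisplayName)' found; SYSVOL folder present: $(Test-Path -LiteralPath (Join-Path $policiesRoot "{$lookup}"))"
}
```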

4. Use Fine-Grained Password Policies (FGPP)

Instead of modifying domain-level policies, consider using Fine-Grained Password Policies (FGPP), which allow multiple password policies per domain:

New-ADFineGrainedPasswordPolicy -Name "StrictPolicy" -Precedence 1 -LockoutThreshold 5

This allows more flexibility without modifying the default domain policy.
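An added PowerShell example (not code from the original article) that carries the FGPP approach through to the point where it actually takes effect: the PSO is created only if it does not exist, assigned to a group, and the policy that ends up governing a user is read back. The group name Tier0-Admins and user jdoe are placeholders; the password-length, age and history values are constructed for the example.

```powershell
# Added example: create a Fine-Grained Password Policy (PSO), attach it to a
# group, and confirm which policy wins for a member of that group.
# Assumes: ActiveDirectory module; the placeholder group and user already exist.
Import-Module ActiveDirectory

$psoName  = 'StrictPolicy'
$subject  = 'Tier0-Admins'   # placeholder global security group
$testUser = 'jdoe'           # placeholder member of that group

# Lower Precedence wins when several PSOs apply to the same user.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 1 `
        -LockoutThreshold 5 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -MinPasswordLength 14 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 365) `
        -ReversibleEncryptionEnabled $false `
        -ProtectedFromAccidentalDeletion $true
}

# A PSO governs nobody until it has subjects (users or global security groups).
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $subject

# The resultant policy is what the DC enforces for this user. A $null result means
# no PSO applies and the domain-level policy from Get-ADDefaultDomainPasswordPolicy governs.
$effective = Get-ADUserResultantPasswordPolicy -Identity $testUser
if ($null -eq $effective) {
    "No PSO applies to $testUser; the domain-level policy governs:"
    Get-ADDefaultDomainPasswordPolicy | Select-Object LockoutThreshold, MinPasswordLength
} else {
    $effective | Select-Object Name, Precedence, LockoutThreshold, MinPasswordLength
}
```

Checking the resultant policy per user is the quickest way to tell a PSO that was created but never assigned from one that is actually enforced; the former is the usual reason an FGPP "does not work".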

Conclusion

The error occurs because password policies are stored at the domain level and not necessarily within GPOs. Attempting to modify these settings via the GPO Editor often leads to conflicts. The best solution is to use PowerShell to modify domain-level settings or implement Fine-Grained Password Policies (FGPP) for more control.

By understanding where policies are stored and using the right tools, administrators can avoid policy update errors and maintain proper security configurations.

Summary:

  1. Domain-Level vs. GPO Policies: The Get-ADDefaultDomainPasswordPolicy cmdlet retrieves password policies set at the domain level, which are not associated with specific GPOs or their GUIDs.
  2. GUID Not Found in SYSVOL: The absence of the GUID (8670708b-d578-4ef6-9adf-53e96fdd8a43) in the SYSVOL\Policies directory indicates that the policy is defined at the domain level rather than within a GPO.
  3. Error Explanation: The “security template windows cannot update policy” error occurs because the modification is being attempted on a domain-level policy through the GPO editor, which is not the appropriate method.
  4. Recommended Approach: To modify domain-level password policies, use the Set-ADDefaultDomainPasswordPolicy cmdlet in PowerShell, which allows for direct editing of these settings.
  5. Understanding Policy Storage: Recognize that domain-level policies are stored in the domain’s root attributes, while GPOs and their settings are stored within the SYSVOL\Policies directory.
  6. Tool Consistency: Be aware that different tools may display policy settings differently based on where they retrieve their information, leading to potential discrepancies.
  7. Avoiding Errors: Ensure that you’re using the correct method and tools to modify policies based on their level (domain vs. GPO) to prevent errors like the one encountered.
  8. Policy Application: Understand the hierarchy and application of policies within Active Directory to manage and troubleshoot them effectively.
  9. Security Templates: Be cautious when working with security templates, as improper modifications can lead to errors in policy application.
  10. Further Reading: For more detailed information, refer to Microsoft’s official documentation on Active Directory password policies and the use of related PowerShell cmdlets.

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.