Channel: Group Policy forum

Group policy issue

I have two Domain Controllers: Main (Main DC) and Second DC.

The date of some policies is not out of date....

Please check these files to know the problem.

                                    

dcdiag.txt output:

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   * Verifying that the local machine ASMDC, is a Directory Server.
   Home Server = ASMDC

   * Connecting to directory service on server ASMDC.

   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=buc,DC=edu,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
   Getting ISTG and options for the site
   * Identifying all servers.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=buc,DC=edu,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=BSMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.

   * Found 2 DC(s). Testing 2 of them.

   Done gathering initial info.


Doing initial required tests


   Testing server: Default-First-Site-Name\ASMDC

      Starting test: Connectivity

         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         Determining IP6 connectivity
         * Active Directory RPC Services Check
         ......................... ASMDC passed test Connectivity


   Testing server: Default-First-Site-Name\BSMDC

      Starting test: Connectivity

         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         Determining IP6 connectivity
         * Active Directory RPC Services Check
         ......................... BSMDC passed test Connectivity



Doing primary tests


   Testing server: Default-First-Site-Name\ASMDC

      Starting test: Advertising

         The DC ASMDC is advertising itself as a DC and having a DS.
         The DC ASMDC is advertising as an LDAP server
         The DC ASMDC is advertising as having a writeable directory
         The DC ASMDC is advertising as a Key Distribution Center
         The DC ASMDC is advertising as a time server
         The DS ASMDC is advertising as a GC.
         ......................... ASMDC passed test Advertising

      Test omitted by user request: CheckSecurityError

      Test omitted by user request: CutoffServers

      Starting test: FrsEvent

         * The File Replication Service Event log test
         ......................... ASMDC passed test FrsEvent

      Starting test: DFSREvent

         The DFS Replication Event Log.
         ......................... ASMDC passed test DFSREvent

      Starting test: SysVolCheck

         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... ASMDC passed test SysVolCheck

      Starting test: KccEvent

         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... ASMDC passed test KccEvent

      Starting test: KnowsOfRoleHolders

         Role Schema Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
         Role Domain Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
         Role PDC Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
         Role Rid Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
         ......................... ASMDC passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         Checking machine account for DC ASMDC on DC ASMDC.
         * SPN found :LDAP/ASMDC.buc.edu/buc.edu
         * SPN found :LDAP/ASMDC.buc.edu
         * SPN found :LDAP/ASMDC
         * SPN found :LDAP/ASMDC.buc.edu/BUC
         * SPN found :LDAP/5e88f85b-15a6-4ff5-b0fd-6df748df06fd._msdcs.buc.edu
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/5e88f85b-15a6-4ff5-b0fd-6df748df06fd/buc.edu
         * SPN found :HOST/ASMDC.buc.edu/buc.edu
         * SPN found :HOST/ASMDC.buc.edu
         * SPN found :HOST/ASMDC
         * SPN found :HOST/ASMDC.buc.edu/BUC
         * SPN found :GC/ASMDC.buc.edu/buc.edu
         ......................... ASMDC passed test MachineAccount

      Starting test: NCSecDesc

         * Security Permissions check for all NC's on DC ASMDC.
         * Security Permissions Check for

           DC=ForestDnsZones,DC=buc,DC=edu
            (NDNC,Version 3)
         * Security Permissions Check for

           DC=DomainDnsZones,DC=buc,DC=edu
            (NDNC,Version 3)
         * Security Permissions Check for

           CN=Schema,CN=Configuration,DC=buc,DC=edu
            (Schema,Version 3)
         * Security Permissions Check for

           CN=Configuration,DC=buc,DC=edu
            (Configuration,Version 3)
         * Security Permissions Check for

           DC=buc,DC=edu
            (Domain,Version 3)
         ......................... ASMDC passed test NCSecDesc

      Starting test: NetLogons

         * Network Logons Privileges Check
         Verified share \\ASMDC\netlogon
         Verified share \\ASMDC\sysvol
         ......................... ASMDC passed test NetLogons

      Starting test: ObjectsReplicated

         ASMDC is in domain DC=buc,DC=edu
         Checking for CN=ASMDC,OU=Domain Controllers,DC=buc,DC=edu in domain DC=buc,DC=edu on 2 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu in domain CN=Configuration,DC=buc,DC=edu on 2 servers
            Object is up-to-date on all servers.
         ......................... ASMDC passed test ObjectsReplicated

      Test omitted by user request: OutboundSecureChannels

      Starting test: Replications

         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=buc,DC=edu
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=DomainDnsZones,DC=buc,DC=edu
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Schema,CN=Configuration,DC=buc,DC=edu
               Latency information for 5 entries in the vector were ignored.
                  5 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=buc,DC=edu
               Latency information for 5 entries in the vector were ignored.
                  5 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=buc,DC=edu
               Latency information for 5 entries in the vector were ignored.
                  5 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         * Replication Site Latency Check
         ......................... ASMDC passed test Replications

      Starting test: RidManager

         * Available RID Pool for the Domain is 8604 to 1073741823
         * ASMDC.buc.edu is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 7604 to 8103
         * rIDPreviousAllocationPool is 7604 to 8103
         * rIDNextRID: 7640
         ......................... ASMDC passed test RidManager

      Starting test: Services

         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... ASMDC passed test Services

      Starting test: SystemLog

         * The System Event log test
         An Warning Event occurred.  EventID: 0x825A0024

            Time Generated: 08/21/2014   00:22:16

            Event String:

            The time service has not synchronized the system time for 86400 seconds because none of the time service providers provided a usable time stamp. The time service will not update the local system time until it is able to synchronize with a time source. If the local system is configured to act as a time server for clients, it will stop advertising as a time source to clients. The time service will continue to retry and sync time with its time sources. Check system event log for other W32time events for more details. Run 'w32tm /resync' to force an instant time synchronization.

         An Warning Event occurred.  EventID: 0x8000000E

            Time Generated: 08/21/2014   00:32:29

            Event String:

            There were password errors using the Credential Manager. To remedy, launch the Stored User Names and Passwords control panel applet, and reenter the password for the credential BUC.EDU\administrator.

         An Error Event occurred.  EventID: 0x00000422

            Time Generated: 08/21/2014   00:32:29

            Event String:

            The processing of Group Policy failed. Windows attempted to read the file \\buc.edu\sysvol\buc.edu\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

            a) Name Resolution/Network Connectivity to the current domain controller.

            b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).

            c) The Distributed File System (DFS) client has been disabled.

         ......................... ASMDC failed test SystemLog

      Test omitted by user request: Topology

      Test omitted by user request: VerifyEnterpriseReferences

      Starting test: VerifyReferences

         The system object reference (serverReference)

         CN=ASMDC,OU=Domain Controllers,DC=buc,DC=edu and backlink on

         CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu

         are correct.
         The system object reference (serverReferenceBL)

         CN=ASMDC,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=buc,DC=edu

         and backlink on

         CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu

         are correct.
         ......................... ASMDC passed test VerifyReferences

      Test omitted by user request: VerifyReplicas


   Testing server: Default-First-Site-Name\BSMDC

      Starting test: Advertising

         The DC BSMDC is advertising itself as a DC and having a DS.
         The DC BSMDC is advertising as an LDAP server
         The DC BSMDC is advertising as having a writeable directory
         The DC BSMDC is advertising as a Key Distribution Center
         The DC BSMDC is advertising as a time server
         The DS BSMDC is advertising as a GC.
         ......................... BSMDC passed test Advertising

      Test omitted by user request: CheckSecurityError

      Test omitted by user request: CutoffServers

      Starting test: FrsEvent

         * The File Replication Service Event log test
         ......................... BSMDC passed test FrsEvent

      Starting test: DFSREvent

         The DFS Replication Event Log.
         ......................... BSMDC passed test DFSREvent

      Starting test: SysVolCheck

         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... BSMDC passed test SysVolCheck

      Starting test: KccEvent

         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... BSMDC passed test KccEvent

      Starting test: KnowsOfRoleHolders

         Role Schema Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
         Role Domain Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
         Role PDC Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
         Role Rid Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
         ......................... BSMDC passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         Checking machine account for DC BSMDC on DC BSMDC.
         * SPN found :LDAP/BSMDC.buc.edu/buc.edu
         * SPN found :LDAP/BSMDC.buc.edu
         * SPN found :LDAP/BSMDC
         * SPN found :LDAP/BSMDC.buc.edu/BUC
         * SPN found :LDAP/93561cab-4fb3-421f-9a67-af6b4c280eca._msdcs.buc.edu
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/93561cab-4fb3-421f-9a67-af6b4c280eca/buc.edu
         * SPN found :HOST/BSMDC.buc.edu/buc.edu
         * SPN found :HOST/BSMDC.buc.edu
         * SPN found :HOST/BSMDC
         * SPN found :HOST/BSMDC.buc.edu/BUC
         * SPN found :GC/BSMDC.buc.edu/buc.edu
         ......................... BSMDC passed test MachineAccount

      Starting test: NCSecDesc

         * Security Permissions check for all NC's on DC BSMDC.
         * Security Permissions Check for

           DC=ForestDnsZones,DC=buc,DC=edu
            (NDNC,Version 3)
         * Security Permissions Check for

           DC=DomainDnsZones,DC=buc,DC=edu
            (NDNC,Version 3)
         * Security Permissions Check for

           CN=Schema,CN=Configuration,DC=buc,DC=edu
            (Schema,Version 3)
         * Security Permissions Check for

           CN=Configuration,DC=buc,DC=edu
            (Configuration,Version 3)
         * Security Permissions Check for

           DC=buc,DC=edu
            (Domain,Version 3)
         ......................... BSMDC passed test NCSecDesc

      Starting test: NetLogons

         * Network Logons Privileges Check
         Verified share \\BSMDC\netlogon
         Verified share \\BSMDC\sysvol
         ......................... BSMDC passed test NetLogons

      Starting test: ObjectsReplicated

         BSMDC is in domain DC=buc,DC=edu
         Checking for CN=BSMDC,OU=Domain Controllers,DC=buc,DC=edu in domain DC=buc,DC=edu on 2 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=BSMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu in domain CN=Configuration,DC=buc,DC=edu on 2 servers
            Object is up-to-date on all servers.
         ......................... BSMDC passed test ObjectsReplicated

      Test omitted by user request: OutboundSecureChannels

      Starting test: Replications

         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=buc,DC=edu
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=DomainDnsZones,DC=buc,DC=edu
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Schema,CN=Configuration,DC=buc,DC=edu
               Latency information for 5 entries in the vector were ignored.
                  5 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=buc,DC=edu
               Latency information for 5 entries in the vector were ignored.
                  5 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=buc,DC=edu
               Latency information for 5 entries in the vector were ignored.
                  5 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         * Replication Site Latency Check
         ......................... BSMDC passed test Replications

      Starting test: RidManager

         * Available RID Pool for the Domain is 8604 to 1073741823
         * ASMDC.buc.edu is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 8104 to 8603
         * rIDPreviousAllocationPool is 8104 to 8603
         * rIDNextRID: 8106
         ......................... BSMDC passed test RidManager

      Starting test: Services

         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... BSMDC passed test Services

      Starting test: SystemLog

         * The System Event log test
         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 08/20/2014   23:52:15

            Event String:

            Driver Send To Microsoft OneNote Driver required for printer Send To OneNote 2007 is unknown. Contact the administrator to install the driver before you log in again.

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 08/20/2014   23:52:18

            Event String:

            Driver SolidPDF XChange required for printer SolidPDF XChange is unknown. Contact the administrator to install the driver before you log in again.

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 08/20/2014   23:52:18

            Event String:

            Driver NRG SP 3400N PCL 6 required for printer !!net_pc5!NRG SP 3400N PCL 6 is unknown. Contact the administrator to install the driver before you log in again.

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 08/20/2014   23:52:19

            Event String:

            Driver Send To Microsoft OneNote Driver required for printer !!BUCLAPTOP1!Send To OneNote 2007 is unknown. Contact the administrator to install the driver before you log in again.

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 08/20/2014   23:52:20

            Event String:

            Driver NRG SP 3400N PCL 6 required for printer !!BUCLAPTOP1!NRG SP 3400N PCL 6 is unknown. Contact the administrator to install the driver before you log in again.

         An Warning Event occurred.  EventID: 0x80000008

            Time Generated: 08/20/2014   23:52:20

            Event String:

            The jobs in the print queue for printer Microsoft XPS Document Writer (redirected 2) were deleted. No user action is required.

            To stop logging warning events for the print spooler, in Control Panel, open Printers, right-click a blank area of the window, click Run as Administrator, click Server Properties, click the Advanced tab, and then clear the Log spooler warning events check box.

         An Warning Event occurred.  EventID: 0x80000004

            Time Generated: 08/20/2014   23:52:20

            Event String:

            Printer Microsoft XPS Document Writer (redirected 2) will be deleted. No user action is required.

            To stop logging warning events for the print spooler, in Control Panel, open Printers, right-click a blank area of the window, click Run as Administrator, click Server Properties, click the Advanced tab, and then clear the Log spooler warning events check box.

         An Warning Event occurred.  EventID: 0x80000003

            Time Generated: 08/20/2014   23:52:20

            Event String:

            Printer Microsoft XPS Document Writer (redirected 2) was deleted, and users will no longer be able to print to this printer. No user action is required.

            To stop logging information events for the print spooler, in Control Panel, open Printers, right-click a blank area of the window, click Run as Administrator, click Server Properties, click the Advanced tab, and then clear the Log spooler information events check box.

         An Error Event occurred.  EventID: 0x00000457

            Time Generated: 08/20/2014   23:52:22

            Event String:

            Driver NRG SP 3400N PCL 6 required for printer !!BUCLAPTOP1!NRG SP 3400N PCL 6 (Copy 1) is unknown. Contact the administrator to install the driver before you log in again.

         ......................... BSMDC failed test SystemLog

      Test omitted by user request: Topology

      Test omitted by user request: VerifyEnterpriseReferences

      Starting test: VerifyReferences

         The system object reference (serverReference)

         CN=BSMDC,OU=Domain Controllers,DC=buc,DC=edu and backlink on

         CN=BSMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu

         are correct.
         The system object reference (serverReferenceBL)

         CN=BSMDC,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=buc,DC=edu

         and backlink on

         CN=NTDS Settings,CN=BSMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu

         are correct.
         ......................... BSMDC passed test VerifyReferences

      Test omitted by user request: VerifyReplicas


      Test omitted by user request: DNS

      Test omitted by user request: DNS


      Test omitted by user request: DNS

      Test omitted by user request: DNS


   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation


   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation


   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation


   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation


   Running partition tests on : buc

      Starting test: CheckSDRefDom

         ......................... buc passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... buc passed test CrossRefValidation


   Running enterprise tests on : buc.edu

      Test omitted by user request: DNS

      Test omitted by user request: DNS

      Starting test: LocatorCheck

         GC Name: \\ASMDC.buc.edu

         Locator Flags: 0xe00013fd
         PDC Name: \\ASMDC.buc.edu
         Locator Flags: 0xe00013fd
         Time Server Name: \\ASMDC.buc.edu
         Locator Flags: 0xe00013fd
         Preferred Time Server Name: \\ASMDC.buc.edu
         Locator Flags: 0xe00013fd
         KDC Name: \\ASMDC.buc.edu
         Locator Flags: 0xe00013fd
         ......................... buc.edu passed test LocatorCheck

      Starting test: Intersite

         Skipping site Default-First-Site-Name, this site is outside the scope

         provided by the command line arguments provided.
         ......................... buc.edu passed test Intersite

====================================================================

Repadmin: running command /showrepl against full DC localhost

Default-First-Site-Name\ASMDC

DSA Options: IS_GC

Site Options: (none)

DSA object GUID: 5e88f85b-15a6-4ff5-b0fd-6df748df06fd

DSA invocationID: 1355f657-cd24-4ad4-b890-f04f5c624acd



==== INBOUND NEIGHBORS ======================================



DC=buc,DC=edu

    Default-First-Site-Name\BSMDC via RPC

        DSA object GUID: 93561cab-4fb3-421f-9a67-af6b4c280eca

        Last attempt @ 2014-08-21 00:43:56 was successful.


CN=Configuration,DC=buc,DC=edu

    Default-First-Site-Name\BSMDC via RPC

        DSA object GUID: 93561cab-4fb3-421f-9a67-af6b4c280eca

        Last attempt @ 2014-08-21 00:41:11 was successful.



CN=Schema,CN=Configuration,DC=buc,DC=edu

    Default-First-Site-Name\BSMDC via RPC

        DSA object GUID: 93561cab-4fb3-421f-9a67-af6b4c280eca

        Last attempt @ 2014-08-20 23:51:37 was successful.


DC=DomainDnsZones,DC=buc,DC=edu

    Default-First-Site-Name\BSMDC via RPC

        DSA object GUID: 93561cab-4fb3-421f-9a67-af6b4c280eca

        Last attempt @ 2014-08-21 00:45:39 was successful.


DC=ForestDnsZones,DC=buc,DC=edu

    Default-First-Site-Name\BSMDC via RPC

        DSA object GUID: 93561cab-4fb3-421f-9a67-af6b4c280eca

        Last attempt @ 2014-08-20 23:51:37 was successful.

Regards and thanks in advance

Mhiar
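
An added example (not part of the original post and not a Microsoft tool): a small Python parser for a dcdiag dump in the layout above that lists each failed test with the events logged under it, and reduces each EventID to its low 16 bits, the number Event Viewer displays. The sample input is a constructed, shortened excerpt, and the function and class names are illustrative.

```python
import re
from dataclasses import dataclass

# Constructed sample: a shortened excerpt in the same layout as the dump above.
SAMPLE = """\
   Testing server: Default-First-Site-Name\\ASMDC

      Starting test: Services

         * Checking Service: NTDS
         ......................... ASMDC passed test Services

      Starting test: SystemLog

         * The System Event log test
         An Warning Event occurred.  EventID: 0x825A0024

            Time Generated: 08/21/2014   00:22:16

            Event String:

            The time service has not synchronized the system time for 86400 seconds.

         An Error Event occurred.  EventID: 0x00000422

            Time Generated: 08/21/2014   00:32:29

            Event String:

            The processing of Group Policy failed.

         ......................... ASMDC failed test SystemLog

   Running partition tests on : ForestDnsZones

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation
"""

SERVER_RE = re.compile(r"^\s*Testing server:\s*(?:.*\\)?(\S+)\s*$")
TEST_RE = re.compile(r"^\s*Starting test:\s*(\S+)")
EVENT_RE = re.compile(r"An (Error|Warning) Event occurred\.\s+EventID:\s*0x([0-9A-Fa-f]{8})")
TIME_RE = re.compile(r"Time Generated:\s*(\S+)\s+(\S+)")
# The test name can wrap onto a later line, so it is optional here.
RESULT_RE = re.compile(r"^\s*\.{5,}\s*(\S+) (passed|failed) test\s*(\S*)")


@dataclass
class Event:
    severity: str
    raw_id: int      # full 32-bit identifier as printed by dcdiag
    event_id: int    # low 16 bits, the ID shown in Event Viewer
    server: str
    test: str
    time: str = ""
    text: str = ""   # first line of the event string only


def parse_dcdiag(text):
    """Return ({(target, test): 'passed'|'failed'}, [Event, ...])."""
    results, events = {}, []
    server = test = current = None
    want_text = False
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        if want_text:  # first non-blank line after "Event String:"
            current.text, want_text = s, False
            continue
        if m := SERVER_RE.match(line):
            server = m.group(1)
        elif m := TEST_RE.match(line):
            test, current = m.group(1), None
        elif m := EVENT_RE.search(line):
            raw = int(m.group(2), 16)
            current = Event(m.group(1), raw, raw & 0xFFFF, server, test)
            events.append(current)
        elif current and (m := TIME_RE.search(line)):
            current.time = f"{m.group(1)} {m.group(2)}"
        elif current and s == "Event String:":
            want_text = True
        elif m := RESULT_RE.match(line):
            target, outcome, name = m.groups()
            # Fall back to the open test when the name wrapped to the next line.
            results[(target, name or test)] = outcome
    return results, events


def failed_with_events(text):
    """Map each failed (target, test) to the events recorded under it."""
    results, events = parse_dcdiag(text)
    return {
        key: [e for e in events if (e.server, e.test) == key]
        for key, outcome in sorted(results.items())
        if outcome == "failed"
    }


if __name__ == "__main__":
    for (target, test), evs in failed_with_events(SAMPLE).items():
        print(f"{target}: {test} FAILED")
        for e in evs:
            print(f"  {e.severity:7} id={e.event_id:<5} {e.time}  {e.text}")
```
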


Deploying Outlook 2007

Hi, I asked this question in another category, and part of the advice involved posting here. Just a note, this is regarding Outlook 2007, not Outlook Exchange.

Basically, I have Windows Server with Active Directory, and I have a load of computers around the office on AD. Most things I have tried are working, apart from one thing.

We have Outlook installed on all user computers. When the user first configures Outlook, they have to do the account setup, including their username and password. We want this account setup to be on the server, not the user's computer. Essentially, we don't want the users knowing their passwords.

Our main problem is this. User has a computer and their Outlook is configured on this. If this user then moves to another computer, logs into their account, they would have to reconfigure Outlook on the new computer. We don't want this happening; if they log into their account on another computer all their apps should be set up already. I think Outlook has something called roaming profiles, not too sure though.

So my question is whether we can handle their account details on the server, rather than on their local computer?

Many thanks

this security ID may not be assigned as the owner of this object

When I go to create a new GPO in Group Policy Management on my DC, I get the following error. Why?

 

this security ID may not be assigned as the owner of this object

local gpedit.msc VS domain gpo's

We need to enable a setting that we can only find in the local gpedit.msc. It is under computer\windows components\Windows Logon Options\Disable or enable software secure attention sequence

We need to set this to SERVICES. I can't find this same setting in our Domain Group Policy Management tool. How do you set this from the domain if the setting is not there? Do you have to push out a script that sets it? Or is there a .ADM file that has this setting?


mqh7

Easing into stricter passwords

Hi everyone, 

Our domain server is running Server 2008 R2. We are planning on requiring stricter passwords soon here, and I understand how to change group policy relating to passwords and everything. My question is, when I change group policy will everyone's old, now-not-complex-enough passwords continue to work and they will just have to make a conforming password next time they have to change it, or will it cause some sort of cataclysm where everyone's password suddenly doesn't work?

Thanks, 

Pat


VB script does not run via Task Scheduler

Hi,

I have this script which logs off a user if logged in.

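' Show a 60-second prompt; PopUp returns 1 (OK), 2 (Cancel) or -1 (timed out)
Set objShell = CreateObject("Wscript.Shell")

result = objShell.PopUp("Would you like to log off now? [You will be logged off in 60 sec automatically, please save your work]",60,"Logoff required", vbOKCancel)

If result = 2 Then
      ' Cancel clicked: leave the session running
      Wscript.echo "Logoff aborted, please log off manually"

Else
      ' OK clicked or the prompt timed out: log the user off
      objShell.Run "Logoff.exe"
End If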



I have put this in batch file called logoff.bat
cscript C:\Auto_Logoff.vbs

I can run this manually on our Windows 7 PC with no problems, but when I add this to Task Scheduler it does not run since it is running with a domain user account, not a local user account.

In the Task Scheduler, the last run result is showing the task is currently running (0x41301). I can confirm cscript is running in the process bar but nothing is showing up visually.

I am running the task with domain admin user.

It seems that it has something to do with user account.

Please share your thoughts..

Security auditing on 2008 R2 broken

Hi,

I have two 2008 R2 domain controllers in my domain. I recently changed the Domain Controllers Default Policy in order to troubleshoot a DNS problem. According to http://blogs.technet.com/b/askpfeplat/archive/2013/10/12/who-moved-the-dns-cheese-auditing-for-ad-integrated-dns-zone-and-record-deletions.aspx, I enabled the option "Audit: Force audit policy subcategory settings" and added audit of Directory Service Changes in DS Access under Advanced Audit Policy Configuration. The result was that security auditing stopped altogether, no further entries are logged in the DC's security logs.

I tried to fix that as described in http://social.technet.microsoft.com/Forums/windowsserver/en-US/0486c801-8980-4afa-8fee-8cc1409c3ee2/auditing-policy-on-2008-r2-dcs-not-working?forum=winserverDS, but nothing has changed, I am still not getting any security events. I then restored the DC Default Policy from a backup but still no success.

What else can I try?

Cheers, Georg.

Root CA and User Certificate Auto enrollment


Hi All,

  I have a Windows 2008 Std DC and installed the CA role.

  I configured the Default Domain Policy as follows:

Computer

Public Key Policies/Trusted Root Certification Authorities
Properties
  Policy: Setting
  Allow users to select new root certification authorities (CAs) to trust: Enabled
  Client computers can trust the following certificate stores: Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
  To perform certificate-based authentication of users and computers, CAs must meet the following criteria: Registered in Active Directory only

User

Public Key Policies/Certificate Services Client - Auto-Enrollment Settings
  Policy: Setting
  Automatic certificate management: Enabled
  Option: Setting
  Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates: Enabled
  Update and manage certificates that use certificate templates from Active Directory: Enabled
  Show certificate expiry notifications: Disabled


I created a copy of the User and Workstation templates and set them to auto-enrollment.

This is set for Domain Users, not for Authenticated Users? In the GPO, the security filter is set to Authenticated Users.

I just created a test user, but he can get only the workstation cert, not the user cert?


As


OneDrive ADMX file / GPO entry


I'm trying to switch off OneDrive using Group Policy. However the only entry is for SkyDrive, even in the most recently released ADMX files (30th June 2014) and this doesn't work for OneDrive.

I've seen screenshots of it being in Group Policy, but don't know where people have got that from. See:

Strange behaviour of "add workstation to domain" option


Hello, I'm adding some workstations to a Win 2008 R2 domain. I have set the "administrators" group for the "add workstation to domain" option in the default domain policy (Windows Settings - Security Settings - Local Policies - User Rights Assignment). In most cases, when I try to add a workstation to the domain, I am prompted for a login; in a few cases no login is required. I'm wondering why...

Thanks

Fabio

how to enable Object Type: Computers by default ?


Gents,

When adding a client to my GPO, I can only do it one by one and always have to enable the COMPUTERS object type first, which is quite time consuming with 20+ clients.

Is there a way to enable the object type COMPUTERS by default?


Always grateful for the TechNet support

Cannot get Folder Redirect to work on RDS Server


OK here is what I am trying to do..

Windows Server 2008 R2 Remote Desktop Services

I want to redirect all user profile folders (Desktop, Music, etc...) to a remote share \\server\share  to which the share is actually only giving Read-Only rights.  Except for Documents to which they can save there on the RDS Server itself.

I had the server drives (A:, B:, C:, D:) hidden so they could only save to network shares and their local computers.  However, the people in the UK complain that saving to their local computers is just painfully slow (the RDS Server is in the US).

So, Now I'm only blocking the Server C: drive.  I have a SUBST going on pointing B: to the user profile folders (needed for a different application anyway).  I need to have the "B:\Documents" open for these guys to save to however, I want to block saving to any of the other profile folders.

What I tried to do was to set a GPO up like below:

  • Computer\Admin Templates\RDS\Session Host\Profiles
    Set path for RDS Roaming User Profile Enabled (pointing to \\Server\Share)
  • User\Windows Settings\Folder Redirection\Desktop
    Basic (Redirect everyone's folder to the same location)
    Path \\Server\Share
    Grant Exclusive rights to Desktop - Disabled
    Move contents to the new location - Disabled
    Apply to older systems - Disabled

First, is what I am trying to do even workable?

Next why can't I get it working.

2012 R2 RDS - Remove Windows Update notification on lock screen


Hi

Is it possible to remove the Important Update notification when users log on to a 2012 RDS?

http://thewindowsclub.thewindowsclubco.netdna-cdn.com/wp-content/uploads/2013/01/logon-wu-notification.png?c2fdaa

I have tried to disable notifications and access to Windows Update, but the lock/login screen still has the message?

why some settings are located in windows settings node while other are located in administrative template node?


Hi friends,

When we look at any GPO in the Group Policy Management snap-in, each GPO has these four main sections:

1- Software Settings     2- Windows Settings       3- Administrative Templates         4- Preferences

My question is, what logic or criteria exist for dividing OS settings into these four parts?

What shared characteristics exist in the Windows Settings node and what shared characteristics exist in the Administrative Templates node?

It's confusing, because some settings about Windows exist in the Windows Settings node, but some other settings, which are again related to Windows, are located in the Administrative Templates node.

Any help please.

Thanks in advance

Drive Mapping via GPO; Not All Drives are Mapping

So I have various department drives mapped for convenience under our Public Drive. In that mapping, I have various shares set out with Item-Level Targeting. All the drives follow the format \\SERVER\Public\DEPTNAME. I have created specific Security Groups for each one of these so that the right people get the right drive mapped. Included in this is a general all-user mapping for the Public root and then each user's home drive. For some users, all drives map perfectly. Others are seeing the Home and Public drives but not the department-specific ones. I am unsure which variables are causing a different result for the same formula. All OUs show that the GPO is being inherited properly.

Copying files using GPO startup script


Hello

I am using a startup script via GPO to copy files into locations requiring admin access (hence I can't use login scripts).  This works perfectly when the server hosting the source files is a Windows box.  However, if I move the files to a server running Solaris, it stops working.  If I run the script manually logged into a test machine it works normally.  I assume that this is some kind of authentication issue.

Does anyone have any suggestions as to why this is not working and how it can be resolved?

Thanks

Paul

MSS Settings (registry entries)


I have been assigned to look into a group of users who belong either to the same OU or to different ones. Looking at these MSS settings, some users can query the registry and other users cannot. I have run gpresult and I cannot find the settings listed explicitly the way I see other registry settings. I know some are being configured, because when I query the registry for some users I get an entry, such as:

reg query HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v DisableIPSourceRouting.    

1. Which is the best approach to narrow down where exactly these settings are overwritten?

2. Is there a tool that allows me to do this, or does the process need to be done manually?

3. I read an article which says that in order to see these settings in the GPO editor, I need to include the .adm template for these settings. Which is the easier way? Some say revise the inf file. (Machines are Windows 2008R2 and Windows 7.)

These are the settings; there are more, but these are the only ones that the scanner complains about.

CCE-8513-4:MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes

CCE-9348-4:MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)

CCE-9426-8:MSS: (KeepAliveTime)How often keep-alive packets are sent in milliseconds

CCE-9458-1:MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS)


michael john ocasio
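
An added example, not part of the original post: one way to see which of the four MSS values named above are actually present on each machine and where they differ. It assumes PowerShell remoting is enabled, that the scanner reads the standard registry locations for these MSS settings, and the computer names are placeholders.

```powershell
# Added example; computer names below are placeholders, not from the post.
$computers = @('PC-EXAMPLE-01', 'PC-EXAMPLE-02')

$check = {
    # Standard registry locations for the four MSS settings (assumption:
    # the scanner evaluates these same values).
    $tcpip   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $sessMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $settings = @(
        @{ Name = 'EnableICMPRedirect';     Path = $tcpip },
        @{ Name = 'SafeDllSearchMode';      Path = $sessMgr },
        @{ Name = 'KeepAliveTime';          Path = $tcpip },
        @{ Name = 'PerformRouterDiscovery'; Path = $tcpip }
    )
    foreach ($s in $settings) {
        # A missing value means no policy or template has written it here.
        $item  = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        $value = if ($null -eq $item) { '<not set>' } else { $item.($s.Name) }
        New-Object PSObject -Property @{
            Computer = $env:COMPUTERNAME
            Setting  = $s.Name
            Value    = $value
        }
    }
}

$results = Invoke-Command -ComputerName $computers -ScriptBlock $check

# One row per machine and setting.
$results | Sort-Object Setting, Computer |
    Format-Table Computer, Setting, Value -AutoSize

# Settings whose value is not identical on every machine checked.
$results | Group-Object Setting |
    Where-Object { @($_.Group | Select-Object -ExpandProperty Value -Unique).Count -gt 1 } |
    ForEach-Object { "Differs across machines: $($_.Name)" }
```

Machines that report a value where others report `<not set>` are the ones to compare with gpresult, since the difference points at a GPO or security template that applies to only some of them.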

Tool compare GPO


Hi

I have 300 Windows 2008 R2 servers. Multiple servers are modified by clients (because they are application servers and the clients are "local Admin"). The clients modify LOCAL GPOs. When a client tries to modify a setting covered by a domain GPO, the domain GPO is re-applied, but if my domain GPO is "not configured", the local GPO is applied.

I am searching for a tool to compare a "template server" with the 300 servers and create a report of the GPO differences between "my template server" and all the client servers (all servers are in the same domain).

Thanks

Import Accounts: Block Microsoft accounts


This may be a dumb question, but I want to import the security setting GPO for 8.1 into a forest at the 2008 R2 level.

I know there is no ADMX file, but I am sure there is a way around it that is faster than installing a Server 2012 R2 PDC,

because I have all the 8 and 8.1 templates imported and running fine.

I am missing settings like: Computer Configuration/Windows Settings/Security Settings/Security Options

Accounts: Block Microsoft accounts

I did try to run an export out of a W8 box, but it did not work.

Does anyone have a hint?

How to use Group Policy to remove the shutdown button on the logon screen


Environment:  Shared use computers running Windows 7 Professional and MS Office Suite; Windows 2008 Standard server, Windows 7 EC Domain Policy and MS Office 2007 ADML Template downloaded from Microsoft. Windows 7 Accounts OU.

I am in the process of developing a shared use computer lockdown policy for several Windows 7 computers that will be made available in my client's computer lab.  I need to use a group policy setting to remove the Shut Down button on the logon screen of the Windows 7 client computers.  I am editing the Windows 7 EC Domain Policy to user accounts in a Windows 7 Accounts OU that I created.  I am using the Group Policy editor in the Group Policy Management Console.   Please let me know the best practice for accomplishing this using Group Policy editor.

Thanks.

P.S. I tried a setting recommended in the following link in the Windows 7 EC Domain Policy which did not seem to work.

http://www.windowsitpro.com/article/group-policy/can-i-use-group-policy-to-display-or-remove-the-shut-down-button-on-the-logon-screen-.aspx

 
