Q. RSoP (Resultant Set of Policy) on a Windows Server 2003 domain controller reports some defined security policies and Not Defined?

When you use the RSoP snap-in on a Windows Server 2003 domain controller, some security policies are reported as Not Defined even though they are.

The RSoP snap-in reports the following as Not Defined:

- Enforce password history, Maximum password age, Minimum password age, Minimum password length, Password must meet complexity requirements, and Store password using reversible encryption for all users in the domain (at Computer Configuration / Windows Settings / Security Settings / Account Policies / Password Policy).

- Account lockout duration, Account lockout threshold, and Reset account lockout counter after (at Computer Configuration / Windows Settings / Security Settings / Account Policies / Account Lockout Policy).

- Network Security: Force logoff when logon hours expire (at Computer Configuration / Windows Settings / Security Settings / Local Policies / Security Options).

This behavior occurs if the domain controller is not the PDC (Primary Domain Controller) emulator and you use the RSoP snap-in or the GPMC (Group Policy Management Console), and is by design.

To verify that the security policies are propagated to the other domain controllers, run net accounts /domain on all the other domain controllers except the PDC emulator. To identify which domain controller is the PDC enulator, run netdom query fsmo.