Default Domain Policy settings reverting back?
It had been years since I heard or thought of the term- LSDOU. That's how group policies are applied- Local, Site, Domain, OU.
One of my clients asked me to look into an odd issue where they had set their domain password policy to have a minimum of 8 characters. After some time (They weren't sure when it would revert back) the setting would change to 6 characters.
I ran through the normal process- gpresult, rsop.msc, and just generally looking a the GPO structure. Everything looked normal with no real errors to speak of. I did some thinking and decided to write down some notes. and talk to my coworker about it.
As soon as I began talking about it to my coworker the term LSDOU came to mind. I was l already thinking about looking into the DC more when I thought...... I wonder if there's something weird going on with the DC and sure enough, I found the local policy had the password policy set to 6 characters.
I decided to kill off all settings in the local policy on the domain controllers and this appears to have corrected the issue. Long story short- Don't configure settings in the local group policy objects on a domain controller. You're asking for trouble.