EL5 - Domain Controller update to Windows Server 2025 enables LDAPS by default - How to revert Group Policy Changes


Topic/Objective

- Inability to log in to EL5.

- Error indicating incorrect password or username.

- All users affected.

Scope/Context

- Evidence Library 5 (OnPrem)

Outcome/Recommendation

In Server Manager, open the Group Policy editor and edit the following policies to revert the changes made by the LDAPS enforcement defaults:

Domain Controller Policy
  Computer Configuration
    Policies
      Windows Settings
        Security Settings
          Local Policies
            Security Options
              Domain controller: LDAP server channel binding token requirements: "When Supported"
              Domain controller: LDAP server signing requirements: "None"
              Domain controller: LDAP server Enforce signing requirements: "Disabled"
              Network security: LDAP client encryption requirements: "Negotiate Sealing"
              Network security: LDAP client signing requirements: "Negotiate Signing"

After updating the above policies you will need to force a Group Policy update on the Domain Controller from an elevated command prompt:

    gpupdate /force


After update you will need to restart the Portainer containers in this order:

⚠️  Note: If you do not have access to Portainer please call 1 800-MSI-HELP for assistance.


1) Restart the "ActiveDirectory" Container

2) Restart the "ActiveDirectory-JobSender" Container

The second container will then try to sync again with the Domain Controller's AD, after which it will be able to see the groups and apply the correct permissions.
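Added example, not part of the original KB article: a PowerShell check to run elevated on the Domain Controller after the policy edit. It re-applies Group Policy, confirms the registry values that back three of the listed policies match what the article specifies, and lists clients still binding to LDAP without signing or TLS (useful for confirming the EL5 containers are the clients affected). The registry paths and value encodings are Microsoft's documented ones for those policies; the two Server 2025-only policies (Enforce signing, client encryption) are not covered, and the event 2889 parsing assumes the standard message layout.

```powershell
# Added example, not from the original KB article. Run elevated on the Domain Controller.
# Registry values below are the documented backing values for three of the listed policies;
# the two Server 2025-only policies (Enforce signing, client encryption) are not covered.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ldap = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'

# Values the article asks for, mapped to how the policy engine stores them
$expected = @(
    @{ Policy = 'Domain controller: LDAP server channel binding token requirements'
       Path = $ntds; Name = 'LdapEnforceChannelBinding'; Want = 1; Label = 'When Supported' }
    @{ Policy = 'Domain controller: LDAP server signing requirements'
       Path = $ntds; Name = 'LDAPServerIntegrity';       Want = 1; Label = 'None' }
    @{ Policy = 'Network security: LDAP client signing requirements'
       Path = $ldap; Name = 'LDAPClientIntegrity';       Want = 1; Label = 'Negotiate Signing' }
)

function Test-LdapPolicy {
    foreach ($e in $expected) {
        $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        [pscustomobject]@{
            Policy   = $e.Policy
            Expected = "$($e.Want) ($($e.Label))"
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Match    = ($actual -eq $e.Want)
        }
    }
}

# 1. Re-apply the edited Domain Controller policy
gpupdate /force | Out-Null

# 2. Confirm the DC is now running with the values from the article
Test-LdapPolicy | Format-Table -AutoSize

# 3. List clients that still bind without signing or TLS. The DC logs Directory Service
#    event 2889 per client once "16 LDAP Interface Events" diagnostics is set to 2.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
    -Name '16 LDAP Interface Events' -Value 2
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Client'; e = { [regex]::Match($_.Message, 'Client IP address:\s*(\S+)').Groups[1].Value } }
```

A row with Match set to False after gpupdate usually means another GPO with higher precedence still sets that value, so check the Resultant Set of Policy before restarting the containers.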

Issue is now Resolved.