Difference between "Local" and "Effective" Paswword Policy

We just got an internal audit, and I was asked to print out our Default Domain Password Policy.  I have it set to remember the last 6 passwords, change every 60 days, minimum of 1 day, and must be at least 6 characters.  This shows correctly under "Effective", but under "Local", the settings are different and much more "relaxed".  If I remember right, "Effective" is what is in use, and "Local" is just the policy for the actual DC server itself, no?  This is when I look at the settings on the actual DC itself.  If I go to AD Users and Computers>Mydomain>(right-click)Properties>Group Policy>Computer Config>Windows Settings>Security Settings>Password Policy, everything looks correct.  I want to make sure before I tell them that they're looking at the "wrong" setting.  Thanks.
tenoverAsked:
Who is Participating?
 
msiceConnect With a Mentor Commented:
Yes local is for the local computer account. The Default Domain Password Policy is for the domain. So if you login localy to a computer it will use the "relaxed" local polocy.  
0
 
shinds57Commented:
You are correct. They should know that DC's have their own Default Domain Controller GPO. This policy allows you to log on locally as a Domain Admin and nobody else can log in locally to the DC.

shinds57
0
 
tenoverAuthor Commented:
Thanks.  Just wanted to double check.
0
All Courses

From novice to tech pro — start learning today.