Solved

Active Directory questions (3)

Posted on 2004-10-17
3
200 Views
Last Modified: 2010-04-19
Throwing around a few ideas on how to migrate to Active Directory. We have a lot of different organizations that need different levels of security. Should I start off defining the Domain Security Policy.  Then hit each OU with a GPO from there?

1.We are going to have about 20 OUs, all needing differnet security.  I can define basic things in the "domain security policy" then over ride it (WHEN NEEDED) with a GPO on the respective OU?   Can I do this with the password policy as well?  Some OUs wont need strict password policies.

2. Is it true, that if a policy is NOT defined in the Domain Security Policy(or any other GPO) then any local setting will be applied?  I know local settings are applied last and that domain policy over rides local. However, if things arent defined on the domain level, but ARE defined at the local level, then the local policy will take effect correct?

3. Is it true that the default domain policy GPO that comes installed by default (called default domain policy), is the same as the DOMAIN SECURITY POLICY snap in. Editing either will change both?

Thank you
0
Comment
Question by:dissolved
3 Comments
 
LVL 1

Accepted Solution

by:
Snakebyte earned 500 total points
Comment Utility
Ok, I'll answer one at a time...

1.We are going to have about 20 OUs, all needing differnet security.  I can define basic things in the "domain security policy" then over ride it (WHEN NEEDED) with a GPO on the respective OU?   Can I do this with the password policy as well?  Some OUs wont need strict password policies.

A password policy defined in the Default domain will always override any policy underneath it. This is why I always suggest creating a policy under the main Domain, and separating your OU's under that one.

2. Is it true, that if a policy is NOT defined in the Domain Security Policy(or any other GPO) then any local setting will be applied?  I know local settings are applied last and that domain policy over rides local. However, if things arent defined on the domain level, but ARE defined at the local level, then the local policy will take effect correct?

A lower policy (Policy underneath another) will always take precendance with the following exceptions. A) If you have the "Block policy inheritance" on a policy, that policies above will not be applied (With exception of Domain password policy which cannot be blocked) and B) If you have the "Force Policy Propogation: (Not sure if that is what its called, but you'll get it), then the policy with this enabled will override any policies underneath it. Anything not explicity stated, will be up to the lower policies.

3. Is it true that the default domain policy GPO that comes installed by default (called default domain policy), is the same as the DOMAIN SECURITY POLICY snap in. Editing either will change both?

Bascially, Yes. Different birds of the same color.
0
 

Author Comment

by:dissolved
Comment Utility
Thanks!  Just need clarification on number 3.
The snap in "Domain Security Policy" is the same as the Default Domain Policy (when you right click on your Domain name and  go to the GPO tab).  Defining a policy in one, will make it defined in the other?  In other words, they are/do the same thing?  Kind of confused on this.
Thanks!
0
 
LVL 21

Expert Comment

by:marc_nivens
Comment Utility
They are the same.  Defining one should reflect changes on the other.  (BTW, points should go to snakebyte as he answered most of the questions here).
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Recently, I had the need to build a standalone system to run a point-of-sale system. I’m running this on a low-voltage Atom processor, so I wanted a light-weight operating system, but still needed Windows. I chose to use Microsoft Windows Server 200…
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now