Solved

Active Directory questions (3)

Posted on 2004-10-17
3
201 Views
Last Modified: 2010-04-19
Throwing around a few ideas on how to migrate to Active Directory. We have a lot of different organizations that need different levels of security. Should I start off defining the Domain Security Policy.  Then hit each OU with a GPO from there?

1.We are going to have about 20 OUs, all needing differnet security.  I can define basic things in the "domain security policy" then over ride it (WHEN NEEDED) with a GPO on the respective OU?   Can I do this with the password policy as well?  Some OUs wont need strict password policies.

2. Is it true, that if a policy is NOT defined in the Domain Security Policy(or any other GPO) then any local setting will be applied?  I know local settings are applied last and that domain policy over rides local. However, if things arent defined on the domain level, but ARE defined at the local level, then the local policy will take effect correct?

3. Is it true that the default domain policy GPO that comes installed by default (called default domain policy), is the same as the DOMAIN SECURITY POLICY snap in. Editing either will change both?

Thank you
0
Comment
Question by:dissolved
3 Comments
 
LVL 1

Accepted Solution

by:
Snakebyte earned 500 total points
ID: 12335744
Ok, I'll answer one at a time...

1.We are going to have about 20 OUs, all needing differnet security.  I can define basic things in the "domain security policy" then over ride it (WHEN NEEDED) with a GPO on the respective OU?   Can I do this with the password policy as well?  Some OUs wont need strict password policies.

A password policy defined in the Default domain will always override any policy underneath it. This is why I always suggest creating a policy under the main Domain, and separating your OU's under that one.

2. Is it true, that if a policy is NOT defined in the Domain Security Policy(or any other GPO) then any local setting will be applied?  I know local settings are applied last and that domain policy over rides local. However, if things arent defined on the domain level, but ARE defined at the local level, then the local policy will take effect correct?

A lower policy (Policy underneath another) will always take precendance with the following exceptions. A) If you have the "Block policy inheritance" on a policy, that policies above will not be applied (With exception of Domain password policy which cannot be blocked) and B) If you have the "Force Policy Propogation: (Not sure if that is what its called, but you'll get it), then the policy with this enabled will override any policies underneath it. Anything not explicity stated, will be up to the lower policies.

3. Is it true that the default domain policy GPO that comes installed by default (called default domain policy), is the same as the DOMAIN SECURITY POLICY snap in. Editing either will change both?

Bascially, Yes. Different birds of the same color.
0
 

Author Comment

by:dissolved
ID: 12335784
Thanks!  Just need clarification on number 3.
The snap in "Domain Security Policy" is the same as the Default Domain Policy (when you right click on your Domain name and  go to the GPO tab).  Defining a policy in one, will make it defined in the other?  In other words, they are/do the same thing?  Kind of confused on this.
Thanks!
0
 
LVL 21

Expert Comment

by:marc_nivens
ID: 12337697
They are the same.  Defining one should reflect changes on the other.  (BTW, points should go to snakebyte as he answered most of the questions here).
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have never ceased to be amazed how many problems you can encounter on a fresh install of a Windows operating system.  This is certainly case in point& Unable to complete ANY MSI installation.  This means Windows Updates are failing and I can't …
Scenerio: You have a server running Server 2003 and have applied a retail pack of Terminal Server Licenses.  You want to change servers or your server has crashed and you need to reapply the Terminal Server Licenses. When you enter the 16-digit lic…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
In this video I am going to show you how to back up and restore Office 365 mailboxes using CodeTwo Backup for Office 365. Learn more about the tool used in this video here: http://www.codetwo.com/backup-for-office-365/ (http://www.codetwo.com/ba…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now