Solved

Active Directory questions (3)

Posted on 2004-10-17
Last Modified: 2010-04-19
Throwing around a few ideas on how to migrate to Active Directory. We have a lot of different organizations that need different levels of security. Should I start off defining the Domain Security Policy, then hit each OU with a GPO from there?

1. We are going to have about 20 OUs, all needing different security. I can define basic things in the "domain security policy" then override it (WHEN NEEDED) with a GPO on the respective OU? Can I do this with the password policy as well? Some OUs won't need strict password policies.

2. Is it true that if a policy is NOT defined in the Domain Security Policy (or any other GPO) then any local setting will be applied? I know local settings are applied last and that domain policy overrides local. However, if things aren't defined on the domain level, but ARE defined at the local level, then the local policy will take effect, correct?

3. Is it true that the default domain policy GPO that comes installed by default (called default domain policy) is the same as the DOMAIN SECURITY POLICY snap-in? Editing either will change both?

Thank you
Question by:dissolved
Accepted Solution

by:
Snakebyte earned 500 total points
ID: 12335744
Ok, I'll answer one at a time...

1. We are going to have about 20 OUs, all needing different security. I can define basic things in the "domain security policy" then override it (WHEN NEEDED) with a GPO on the respective OU? Can I do this with the password policy as well? Some OUs won't need strict password policies.

A password policy defined in the Default domain will always override any policy underneath it. This is why I always suggest creating a policy under the main Domain, and separating your OUs under that one.

2. Is it true that if a policy is NOT defined in the Domain Security Policy (or any other GPO) then any local setting will be applied? I know local settings are applied last and that domain policy overrides local. However, if things aren't defined on the domain level, but ARE defined at the local level, then the local policy will take effect, correct?

A lower policy (policy underneath another) will always take precedence, with the following exceptions. A) If you have the "Block policy inheritance" on a policy, then policies above will not be applied (with the exception of the Domain password policy, which cannot be blocked) and B) If you have the "Force Policy Propagation" (not sure if that is what it's called, but you'll get it), then the policy with this enabled will override any policies underneath it. Anything not explicitly stated will be up to the lower policies.

3. Is it true that the default domain policy GPO that comes installed by default (called default domain policy) is the same as the DOMAIN SECURITY POLICY snap-in? Editing either will change both?

Basically, yes. Different birds of the same color.
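
The precedence rules in the accepted answer above (closest policy wins, Block Inheritance, the forced "No Override"/"Enforced" link option, and the domain-linked password policy) can be checked with a small model. This is an added example, not part of the original answer or any Microsoft tool. It assumes the standard local, site, domain, OU processing order; the GPO contents and setting names are constructed.

```python
from dataclasses import dataclass, field

# Settings treated as domain-account policy in this model (setting names are illustrative).
ACCOUNT_POLICY = {"MinimumPasswordLength", "LockoutThreshold"}

@dataclass
class Link:
    gpo: str
    settings: dict
    enforced: bool = False

@dataclass
class Container:
    level: str                                  # "local", "site", "domain" or "ou"
    links: list = field(default_factory=list)   # lowest precedence first
    block_inheritance: bool = False

def resultant_policy(chain):
    """chain is ordered local, site, domain, then OUs from outermost to innermost."""
    # The innermost container with Block Inheritance cuts off non-enforced links above it.
    cutoff = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for i, c in enumerate(chain):
        for link in c.links:
            blocked = i < cutoff and c.level != "local" and not link.enforced
            (enforced if link.enforced else normal).append((i, c, link, blocked))
    # Later writes win. Normal links run top-down, so the closest OU wins; enforced
    # links run afterwards, innermost first, so the highest enforced link wins.
    enforced.sort(key=lambda item: -item[0])
    result = {}
    for _, c, link, blocked in normal + enforced:
        for key, value in link.settings.items():
            if key in ACCOUNT_POLICY:
                if c.level != "domain":
                    continue   # only domain-linked account policy reaches domain accounts
            elif blocked:
                continue       # ordinary settings from a blocked link are dropped
            result[key] = (value, link.gpo)
    return result

def sample_chain(enforce_domain=False, block_ou=False):
    """Constructed hierarchy: local policy, the domain, and one OU."""
    local = Container("local", [Link("Local Policy", {"ScreenSaverTimeout": 900, "AuditLogonEvents": "success"})])
    domain = Container("domain", [Link("Default Domain Policy", {"MinimumPasswordLength": 12, "UsbStorage": "deny", "ScreenSaverTimeout": 300}, enforce_domain)])
    lab = Container("ou", [Link("Lab OU Policy", {"MinimumPasswordLength": 6, "UsbStorage": "allow"})], block_ou)
    return [local, domain, lab]

if __name__ == "__main__":
    for key, (value, gpo) in resultant_policy(sample_chain()).items():
        print(f"{key} = {value}  (from {gpo})")
```

Calling `resultant_policy(sample_chain(block_ou=True))` and `resultant_policy(sample_chain(enforce_domain=True))` shows how each option changes which GPO supplies every setting.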

Author Comment

by:dissolved
ID: 12335784
Thanks!  Just need clarification on number 3.
The snap-in "Domain Security Policy" is the same as the Default Domain Policy (when you right-click on your Domain name and go to the GPO tab). Defining a policy in one will make it defined in the other? In other words, they are/do the same thing? Kind of confused on this.
Thanks!

Expert Comment

by:marc_nivens
ID: 12337697
They are the same.  Defining one should reflect changes on the other.  (BTW, points should go to snakebyte as he answered most of the questions here).