Solved

Active Directory questions (3)

Posted on 2004-10-17
3
205 Views
Last Modified: 2010-04-19
Throwing around a few ideas on how to migrate to Active Directory. We have a lot of different organizations that need different levels of security. Should I start off defining the Domain Security Policy.  Then hit each OU with a GPO from there?

1.We are going to have about 20 OUs, all needing differnet security.  I can define basic things in the "domain security policy" then over ride it (WHEN NEEDED) with a GPO on the respective OU?   Can I do this with the password policy as well?  Some OUs wont need strict password policies.

2. Is it true, that if a policy is NOT defined in the Domain Security Policy(or any other GPO) then any local setting will be applied?  I know local settings are applied last and that domain policy over rides local. However, if things arent defined on the domain level, but ARE defined at the local level, then the local policy will take effect correct?

3. Is it true that the default domain policy GPO that comes installed by default (called default domain policy), is the same as the DOMAIN SECURITY POLICY snap in. Editing either will change both?

Thank you
0
Comment
Question by:dissolved
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 1

Accepted Solution

by:
Snakebyte earned 500 total points
ID: 12335744
Ok, I'll answer one at a time...

1.We are going to have about 20 OUs, all needing differnet security.  I can define basic things in the "domain security policy" then over ride it (WHEN NEEDED) with a GPO on the respective OU?   Can I do this with the password policy as well?  Some OUs wont need strict password policies.

A password policy defined in the Default domain will always override any policy underneath it. This is why I always suggest creating a policy under the main Domain, and separating your OU's under that one.

2. Is it true, that if a policy is NOT defined in the Domain Security Policy(or any other GPO) then any local setting will be applied?  I know local settings are applied last and that domain policy over rides local. However, if things arent defined on the domain level, but ARE defined at the local level, then the local policy will take effect correct?

A lower policy (Policy underneath another) will always take precendance with the following exceptions. A) If you have the "Block policy inheritance" on a policy, that policies above will not be applied (With exception of Domain password policy which cannot be blocked) and B) If you have the "Force Policy Propogation: (Not sure if that is what its called, but you'll get it), then the policy with this enabled will override any policies underneath it. Anything not explicity stated, will be up to the lower policies.

3. Is it true that the default domain policy GPO that comes installed by default (called default domain policy), is the same as the DOMAIN SECURITY POLICY snap in. Editing either will change both?

Bascially, Yes. Different birds of the same color.
0
 

Author Comment

by:dissolved
ID: 12335784
Thanks!  Just need clarification on number 3.
The snap in "Domain Security Policy" is the same as the Default Domain Policy (when you right click on your Domain name and  go to the GPO tab).  Defining a policy in one, will make it defined in the other?  In other words, they are/do the same thing?  Kind of confused on this.
Thanks!
0
 
LVL 21

Expert Comment

by:marc_nivens
ID: 12337697
They are the same.  Defining one should reflect changes on the other.  (BTW, points should go to snakebyte as he answered most of the questions here).
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question