Solved

Active Directory questions (3)

Posted on 2004-10-17
3
203 Views
Last Modified: 2010-04-19
Throwing around a few ideas on how to migrate to Active Directory. We have a lot of different organizations that need different levels of security. Should I start off defining the Domain Security Policy.  Then hit each OU with a GPO from there?

1.We are going to have about 20 OUs, all needing differnet security.  I can define basic things in the "domain security policy" then over ride it (WHEN NEEDED) with a GPO on the respective OU?   Can I do this with the password policy as well?  Some OUs wont need strict password policies.

2. Is it true, that if a policy is NOT defined in the Domain Security Policy(or any other GPO) then any local setting will be applied?  I know local settings are applied last and that domain policy over rides local. However, if things arent defined on the domain level, but ARE defined at the local level, then the local policy will take effect correct?

3. Is it true that the default domain policy GPO that comes installed by default (called default domain policy), is the same as the DOMAIN SECURITY POLICY snap in. Editing either will change both?

Thank you
0
Comment
Question by:dissolved
3 Comments
 
LVL 1

Accepted Solution

by:
Snakebyte earned 500 total points
ID: 12335744
Ok, I'll answer one at a time...

1.We are going to have about 20 OUs, all needing differnet security.  I can define basic things in the "domain security policy" then over ride it (WHEN NEEDED) with a GPO on the respective OU?   Can I do this with the password policy as well?  Some OUs wont need strict password policies.

A password policy defined in the Default domain will always override any policy underneath it. This is why I always suggest creating a policy under the main Domain, and separating your OU's under that one.

2. Is it true, that if a policy is NOT defined in the Domain Security Policy(or any other GPO) then any local setting will be applied?  I know local settings are applied last and that domain policy over rides local. However, if things arent defined on the domain level, but ARE defined at the local level, then the local policy will take effect correct?

A lower policy (Policy underneath another) will always take precendance with the following exceptions. A) If you have the "Block policy inheritance" on a policy, that policies above will not be applied (With exception of Domain password policy which cannot be blocked) and B) If you have the "Force Policy Propogation: (Not sure if that is what its called, but you'll get it), then the policy with this enabled will override any policies underneath it. Anything not explicity stated, will be up to the lower policies.

3. Is it true that the default domain policy GPO that comes installed by default (called default domain policy), is the same as the DOMAIN SECURITY POLICY snap in. Editing either will change both?

Bascially, Yes. Different birds of the same color.
0
 

Author Comment

by:dissolved
ID: 12335784
Thanks!  Just need clarification on number 3.
The snap in "Domain Security Policy" is the same as the Default Domain Policy (when you right click on your Domain name and  go to the GPO tab).  Defining a policy in one, will make it defined in the other?  In other words, they are/do the same thing?  Kind of confused on this.
Thanks!
0
 
LVL 21

Expert Comment

by:marc_nivens
ID: 12337697
They are the same.  Defining one should reflect changes on the other.  (BTW, points should go to snakebyte as he answered most of the questions here).
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
Recently, I had the need to build a standalone system to run a point-of-sale system. I’m running this on a low-voltage Atom processor, so I wanted a light-weight operating system, but still needed Windows. I chose to use Microsoft Windows Server 200…
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question