GPO at the domain level and at the Domain Controllers OU

Is the GPO set at the Domain Controllers OU has the same effect as at the domain level? I believe NO, but on our network we have policy set at the DC OU level and has the same effect as it was set at the domain level. example password complexity set up at the Domain Controllers OU level all other OUs are NOT child OUs of the Domain Controllers OU , but still have the policy affect them.


thanks,
ChuckbuchanAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security OfficerIT Consultant, Network Engineer, Windows Network Administrator, VMware AdministratorCommented:
The GPO at the Domain level affects all computers/users in the Domain.  The GPO set at the domain Controllers OU only affects the Domain Controllers.

Normally you would set a Password Policy at the Domain Level and not the Domain Controller OU level.  The reason why you see the effect across the domain is that the Domain Controllers hold your Active Directory, thus setting a password policy there affects everyone accessing those Domain Controllers and those Domain Controllers are the ones that authenticate your users and push down your group policy.

Usually, you will make Domain wide policies at the Domain Level, like the Password Policy and anything else that affects everyone.  Domain Controllers Policy might be more restrictive as to who can logon locally.  You would also set your Auditing here for AD, etc., as the DC's take care of Active Directory.  Other OU's you might put specific logon scripts or folder redirection.

As for the Heirchy, it goes Forest, Site, Domain, OU and Local policy.
0
ChuckbuchanAuthor Commented:
The policy was already set at the domian controllers OU before I notoced it, but since it served the purpose so nobody paid attention of where it's located.
My question is which policy settings set up at the domain controllers OU that act the same way as they were set at the domain level?
the previous case scenorio was one of them.(password complexity).
0
cyphCommented:
The GPO that you can define is the same across all locations it is applied.

You are wanting to look in Computer Configuration, Windows Settings, Security Settings, Account Policies, Password Policies.

That is where you can define complexity and such.

When it is applied to a machine, any account created on/under that machine would require the complexity. So you could actually move your systems around and have one system that does not require complexity, but one that does.

There is also the "Default Domain Controller Security Settings"....

In there, look under account policies, password policies.

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security OfficerIT Consultant, Network Engineer, Windows Network Administrator, VMware AdministratorCommented:
I believe I had answered this question and explained why the policy set at the Domain Controllers OU on the passwords was felt across the entire domain.

"The reason why you see the effect across the domain is that the Domain Controllers hold your Active Directory, thus setting a password policy there affects everyone accessing those Domain Controllers and those Domain Controllers are the ones that authenticate your users and push down your group policy."

The question was not where you set the password complexity, etc., within group policy.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.