Solved

GPO at the domain level and at the Domain Controllers OU

Posted on 2004-10-25
461 Views
Last Modified: 2011-09-20
Does a GPO set at the Domain Controllers OU have the same effect as one set at the domain level? I believe NO, but on our network we have a policy set at the DC OU level and it has the same effect as if it were set at the domain level. Example: password complexity is set up at the Domain Controllers OU level; all other OUs are NOT child OUs of the Domain Controllers OU, but still have the policy affect them.


thanks,
0
Question by:Chuckbuchan
    4 Comments
     
    LVL 16

    Expert Comment

    by:samccarthy
    The GPO at the Domain level affects all computers/users in the Domain.  The GPO set at the domain Controllers OU only affects the Domain Controllers.

    Normally you would set a Password Policy at the Domain Level and not the Domain Controller OU level.  The reason why you see the effect across the domain is that the Domain Controllers hold your Active Directory, thus setting a password policy there affects everyone accessing those Domain Controllers and those Domain Controllers are the ones that authenticate your users and push down your group policy.

    Usually, you will make Domain wide policies at the Domain Level, like the Password Policy and anything else that affects everyone.  Domain Controllers Policy might be more restrictive as to who can log on locally.  You would also set your Auditing here for AD, etc., as the DCs take care of Active Directory.  In other OUs you might put specific logon scripts or folder redirection.

    As for the hierarchy, it goes Forest, Site, Domain, OU and Local policy.
    0
     

    Author Comment

    by:Chuckbuchan
    The policy was already set at the Domain Controllers OU before I noticed it, but since it served the purpose, nobody paid attention to where it was located.
    My question is: which policy settings set up at the Domain Controllers OU act the same way as if they were set at the domain level?
    The previous case scenario was one of them (password complexity).
    0
     
    LVL 2

    Accepted Solution

    by:
    The GPO that you can define is the same across all locations it is applied.

    You are wanting to look in Computer Configuration, Windows Settings, Security Settings, Account Policies, Password Policies.

    That is where you can define complexity and such.

    When it is applied to a machine, any account created on/under that machine would require the complexity. So you could actually move your systems around and have one system that does not require complexity, but one that does.

    There is also the "Default Domain Controller Security Settings"....

    In there, look under account policies, password policies.

    0
     
    LVL 16

    Expert Comment

    by:samccarthy
    I believe I had answered this question and explained why the policy set at the Domain Controllers OU on the passwords was felt across the entire domain.

    "The reason why you see the effect across the domain is that the Domain Controllers hold your Active Directory, thus setting a password policy there affects everyone accessing those Domain Controllers and those Domain Controllers are the ones that authenticate your users and push down your group policy."

    The question was not where you set the password complexity, etc., within group policy.
    0
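
To check on a live domain what this thread is debating, the following PowerShell (an added example, not part of any post above) lists the password settings defined in GPOs linked at the domain root and at the Domain Controllers OU, next to the password policy currently in effect for domain accounts. It assumes the RSAT ActiveDirectory and GroupPolicy modules and read access to the GPOs; the helper name `Get-PasswordSettingsFromGpoXml` is hypothetical.

```powershell
# Added example: compare where password settings are defined with what is enforced.
Import-Module ActiveDirectory, GroupPolicy

function Get-PasswordSettingsFromGpoXml {
    # Extract <Account> entries of Type 'Password' from a Get-GPOReport XML string.
    param(
        [Parameter(Mandatory)][string]$ReportXml,
        [string]$GpoName,
        [string]$LinkedAt
    )
    # local-name() keeps the query independent of the report's namespace prefixes.
    $xpath = "//*[local-name()='Account'][*[local-name()='Type']='Password']"
    foreach ($node in ([xml]$ReportXml).SelectNodes($xpath)) {
        # The value element is SettingBoolean or SettingNumber depending on the setting.
        $value = $node.ChildNodes | Where-Object { $_.LocalName -like 'Setting*' } | Select-Object -First 1
        [pscustomobject]@{
            LinkedAt = $LinkedAt
            Gpo      = $GpoName
            Setting  = ($node.ChildNodes | Where-Object { $_.LocalName -eq 'Name' }).InnerText
            Value    = $value.InnerText
        }
    }
}

$domain  = Get-ADDomain
$targets = [ordered]@{
    'Domain root'           = $domain.DistinguishedName
    'Domain Controllers OU' = $domain.DomainControllersContainer
}

$defined = foreach ($label in $targets.Keys) {
    # GpoLinks holds only the GPOs linked directly at this container.
    foreach ($link in (Get-GPInheritance -Target $targets[$label]).GpoLinks) {
        if (-not $link.Enabled) { continue }   # skip disabled links
        $xml = Get-GPOReport -Guid $link.GpoId -ReportType Xml
        Get-PasswordSettingsFromGpoXml -ReportXml $xml -GpoName $link.DisplayName -LinkedAt $label
    }
}

'Password settings defined in linked GPOs:'
$defined | Sort-Object LinkedAt, Gpo, Setting | Format-Table -AutoSize | Out-String

'Password policy currently in effect for domain accounts:'
Get-ADDefaultDomainPasswordPolicy |
    Select-Object ComplexityEnabled, MinPasswordLength, MinPasswordAge, MaxPasswordAge, PasswordHistoryCount |
    Format-List | Out-String
```

Comparing the two tables shows which link location the enforced values actually match.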
