Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

GPO at the domain level and at the Domain Controllers OU

Posted on 2004-10-25
4
Medium Priority
?
492 Views
Last Modified: 2011-09-20
Is the GPO set at the Domain Controllers OU has the same effect as at the domain level? I believe NO, but on our network we have policy set at the DC OU level and has the same effect as it was set at the domain level. example password complexity set up at the Domain Controllers OU level all other OUs are NOT child OUs of the Domain Controllers OU , but still have the policy affect them.


thanks,
0
Comment
Question by:Chuckbuchan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 17
ID: 12406952
The GPO at the Domain level affects all computers/users in the Domain.  The GPO set at the domain Controllers OU only affects the Domain Controllers.

Normally you would set a Password Policy at the Domain Level and not the Domain Controller OU level.  The reason why you see the effect across the domain is that the Domain Controllers hold your Active Directory, thus setting a password policy there affects everyone accessing those Domain Controllers and those Domain Controllers are the ones that authenticate your users and push down your group policy.

Usually, you will make Domain wide policies at the Domain Level, like the Password Policy and anything else that affects everyone.  Domain Controllers Policy might be more restrictive as to who can logon locally.  You would also set your Auditing here for AD, etc., as the DC's take care of Active Directory.  Other OU's you might put specific logon scripts or folder redirection.

As for the Heirchy, it goes Forest, Site, Domain, OU and Local policy.
0
 

Author Comment

by:Chuckbuchan
ID: 12414542
The policy was already set at the domian controllers OU before I notoced it, but since it served the purpose so nobody paid attention of where it's located.
My question is which policy settings set up at the domain controllers OU that act the same way as they were set at the domain level?
the previous case scenorio was one of them.(password complexity).
0
 
LVL 2

Accepted Solution

by:
cyph earned 2000 total points
ID: 12417092
The GPO that you can define is the same across all locations it is applied.

You are wanting to look in Computer Configuration, Windows Settings, Security Settings, Account Policies, Password Policies.

That is where you can define complexity and such.

When it is applied to a machine, any account created on/under that machine would require the complexity. So you could actually move your systems around and have one system that does not require complexity, but one that does.

There is also the "Default Domain Controller Security Settings"....

In there, look under account policies, password policies.

0
 
LVL 17
ID: 12442986
I believe I had answered this question and explained why the policy set at the Domain Controllers OU on the passwords was felt across the entire domain.

"The reason why you see the effect across the domain is that the Domain Controllers hold your Active Directory, thus setting a password policy there affects everyone accessing those Domain Controllers and those Domain Controllers are the ones that authenticate your users and push down your group policy."

The question was not where you set the password complexity, etc., within group policy.
0

Featured Post

Plesk WordPress Toolkit

Plesk's WordPress Toolkit allows server administrators, resellers and customers to manage their WordPress instances, enabling a variety of development workflows for WordPress admins of all skill levels, from beginners to pros.

See why 2/3 of Plesk servers use it.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question