Domain controller vs domain security policy

Posted on 2004-11-06
Last Modified: 2010-04-19
It appears as though the 'Domain security policy' takes precedence over 'Domain Controller security policy' when I rename my administrator account.  I put a different username in each, and the 'Domain security policy' wins out.  This seems counterintuitive.  If I'm logging on to the Domain Controller with the admin account, shouldn't the 'Domain Controller security policy' have precedence?  If anyone can explain this, it would be appreciated.
Question by: bleujaegel
    LVL 11

    Expert Comment

    Is "Enforce" deactivated for the "Default Domain Policy"?
    Is "Block Policy Inheritance" activated on the Servers container?
    Try GPMC to analyse which GPO does what, where and why.
    LVL 2

    Author Comment

    I just tried everything that you mentioned.  I even rebooted to make sure it refreshed.  Still no luck.  I've tried everything, yet the 'Default Domain policy' always wins out.
    LVL 51

    Accepted Solution

    The Domain Controller Policy should be thought of as what a local policy is to a workstation.  That being said, the Domain Policy should (and does) override all Account-based settings you make.  This is by design and cannot be blocked.

    The only thing to keep in mind about what you have experienced is that ALL (no exceptions) Account Settings are controlled strictly by the Default Domain Policy as long as you are using Domain credentials to log in.

    Almost every other setting unrelated to Accounts can be blocked, overridden or changed further into the OU structure by different policies.  The closest Policy to the object (with respect to logical structure) applies unless a higher policy is set to "No Override".

    Hope this helps.
    LVL 11

    Expert Comment

    @Netman66: You can block all policies, including the default ones. The only settings in the "Default Domain Policy" which are not blockable are the account settings for the domain, like password complexity, length and how long until a password change.
    LVL 51

    Expert Comment


    If you read my post again you'll see that's what I said.  

    LVL 11

    Expert Comment

    Then sorry, it reads wrong for me.
    I think "rename administrator" is overridable by other policies.
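
A small model of the precedence rules discussed in this thread, added here as an illustration; it is not code from any poster or from Microsoft. The containers, GPO contents and setting keys are constructed, and the set of domain-only settings is a parameter because the thread disagrees on whether "rename administrator" belongs in it.

```python
# Added illustration: simplified model of GPO precedence (all data constructed).
from dataclasses import dataclass, field

# Assumption: model keys for the account settings the thread names as domain-only.
ACCOUNT_SETTINGS = frozenset({"PasswordComplexity", "MinimumPasswordLength", "MaximumPasswordAge"})

@dataclass
class Link:
    gpo: str
    settings: dict
    enforced: bool = False  # "No Override" (shown as "Enforced" in GPMC)

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def resolve(path, domain_only=ACCOUNT_SETTINGS):
    """path: domain root (index 0) down to the computer's OU -> {setting: (value, gpo)}."""
    block_at = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)
    ordered = []
    for depth, c in enumerate(path):
        for link in c.links:
            # Block inheritance hides non-enforced links from containers above it.
            blocked = depth < block_at and not link.enforced
            # Last write wins: normal links root first, then enforced links deepest first.
            rank = (1, -depth) if link.enforced else (0, depth)
            ordered.append((rank, depth, blocked, link))
    ordered.sort(key=lambda item: item[0])
    result = {}
    for _, depth, blocked, link in ordered:
        for key, value in link.settings.items():
            if key in domain_only:
                if depth == 0:  # only domain-linked GPOs count; cannot be blocked
                    result[key] = (value, link.gpo)
            elif not blocked:
                result[key] = (value, link.gpo)
    return result

def sample_path(domain_enforced=False, block=False):
    """Constructed two-level layout matching the question: domain root + DC OU."""
    domain = Container("domain", [Link("Default Domain Policy",
        {"MinimumPasswordLength": 12, "RenameAdministrator": "dom-admin"},
        enforced=domain_enforced)])
    dc_ou = Container("Domain Controllers", [Link("Default Domain Controllers Policy",
        {"MinimumPasswordLength": 6, "RenameAdministrator": "dc-admin"})],
        block_inheritance=block)
    return [domain, dc_ou]
```

With the default arguments the model resolves `RenameAdministrator` to the Domain Controllers OU value; calling `resolve(sample_path(), domain_only=ACCOUNT_SETTINGS | {"RenameAdministrator"})` reproduces the result the question author observed.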