Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 273
  • Last Modified:

Domain controller vs domain security policy

It appears as though the 'Domain security policy' takes precedence over 'Domain Controller security policy' when I rename my administrator account.  I put a different username in each, and the 'Domain security policy' wins out.  This seems counter intuitive.  If I'm logging on to the Domain Controller with the admin account, shouldn't the 'Domain Controller security policy' have precedence?  If anyone can explain this, it would be appreciated.  
0
bleujaegel
Asked:
bleujaegel
  • 3
  • 2
1 Solution
 
WeHeCommented:
is "enforce" deactivated for the "Default Domain Policy"?
is "block policy inheritance" activated on the Servers container?
try gpmc to analyse, which gpo does where what and why.
0
 
bleujaegelAuthor Commented:
I just tried everything that you mentioned.  I even rebooted to make sure it refreshed.  Still no luck.  I've tried everything, yet the 'Default Domain policy' always wins out.
0
 
Netman66Commented:
The Domain Controller Policy should be thought of as a local policy is to a worstation.  That being said, the Domain Policy should (and does) override all Account-based settings you make.  This is by design and cannot be blocked.

The only thing to keep in mind about what you have experienced is that ALL (no exceptions) Account Settings are controlled strictly by the Default Domain Policy as log as you are using Domain credentials to log in.  

Almost every other setting unrelated to Accounts can be blocked, overridden or changed further into the OU structure by different policies.  The closest Policy to the object (with repect to logical structure) applies unless a higher policy is set to, "No Override".

Hope this helps.
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
WeHeCommented:
@Netman66: you can block all policies, including the Defaults one. the only settings in "default domain policy" which are not blockable are the  account settings for the domain, like pwd complexity, lenght and how long till pwd change.
0
 
Netman66Commented:
WeHe,  

If you read my post again you'll see that's what I said.  

0
 
WeHeCommented:
than sorry, it reads wrong for me.
i think "rename administrator" is overrideable by other policies.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now