

Default Domain Policy vs Domain Security Policy

Posted on 2004-11-23
Medium Priority
Last Modified: 2010-04-14
Ok, the Domain Security Policy and the Default Domain Policy GPO have me confused.

I've read conflicting things about where password policy should be applied. I have ALWAYS defined my password policy and account lockout policies via the Domain Security Policy snap-in. I never even use the Default Domain Policy GPO.
I do all of my other settings via GPOs on OUs.

Is this normal practice?


Question by:dissolved
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 1200 total points
ID: 12659253

You're doing the right thing.

In Windows 2000 the Domain Security Policy takes precedence. That is the only place you can set security settings (such as password length etc) on a Windows 2000 Domain.

This changes on Windows 2003 Domains where those settings are shifted entirely into Group Policy and can be set under whatever policy you prefer (which can be the Default Domain Policy if you wish or a policy on an OU as you have your other settings).
LVL 20

Accepted Solution

Debsyl99 earned 800 total points
ID: 12659895
Hi Dissolved

In Windows 2000 Server they are effectively one and the same - just default domain policy gpo has more options available. Domain Security policy as accessed through dompol.msc is just a subset of the same options available in the default domain gpo namely - computer configuration - windows settings - security settings. Change one aspect in one snap-in and you'll see it reflected in the other snap-in. So it doesn't matter where you change it so long as you are using that specific subset. It is better though only to use the options available via dompol.msc as opposed to other options in the default domain policy gpo as has been said already by Chris. Other options are better configured just at the domain OU level.

Deb :))

Author Comment

ID: 12660020
Thanks guys. The thing that throws me off in the whole "Default Domain GPO vs Domain Security" is that some of the settings are similar. Meaning, you can define them in both areas.

For example.

Here is a screen shot of my domain security policy  http://mvpbaseball.cc/dsp.jpg

And here is a screen shot of a GPO (default domain policy)  http://mvpbaseball.cc/ddp.jpg

They both have the "LOCAL POLICIES" (user rights assignments, security assignments etc).
Where should I define these? Domain Security Policy or a GPO? Which takes precedence?


hi deb :)

LVL 20

Expert Comment

ID: 12660270
Hi Dissolved - Neither - they are one and the same - just default domain gpo shows more configurable options at the domain level - seriously - try it! Open both snap-ins - change something (insignificant!) on the dompol.msc then refresh the views or re-open the default domain gpo. One reflects the other in just the one area - They both have exactly the same Security settings options and settings in computer config - windows settings

(That's how I figured it out a while ago, cos the damn thing confused me too)
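
Both snap-ins discussed above edit the Security Settings of one GPO, and a GPO keeps those settings in a `GptTmpl.inf` security template in SYSVOL. The following is an added example, not part of the original thread: it parses a constructed template and lists the password, lockout and user rights settings; the sample values and the review thresholds are assumptions.

```python
# Constructed sample of a GPO security template (GptTmpl.inf); values are
# illustrative. Real files are normally UTF-16 encoded; decode before parsing.
SAMPLE_INF = """\
[System Access]
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ClearTextPassword = 0
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDenyNetworkLogonRight =
"""

def parse_inf(text):
    """Return {section: {key: value}} for an INF-style security template."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def account_policy(sections):
    """Password and lockout settings ([System Access]) as integers."""
    return {k: int(v) for k, v in sections.get("System Access", {}).items()
            if v.lstrip("-").isdigit()}

def user_rights(sections):
    """User Rights Assignment: privilege -> list of SIDs (may be empty)."""
    return {priv: [m.strip().lstrip("*") for m in val.split(",") if m.strip()]
            for priv, val in sections.get("Privilege Rights", {}).items()}

def review(policy):
    """Flag settings worth a second look; thresholds are assumptions."""
    checks = [
        (policy.get("MinimumPasswordLength", 0) < 8, "MinimumPasswordLength below 8"),
        (policy.get("LockoutBadCount", 0) == 0, "account lockout disabled"),
        (policy.get("ClearTextPassword", 0) != 0, "reversible encryption enabled"),
    ]
    return [msg for failed, msg in checks if failed]

if __name__ == "__main__":
    s = parse_inf(SAMPLE_INF)
    print(account_policy(s), user_rights(s), review(account_policy(s)), sep="\n")
```
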

Author Comment

ID: 12660359
"That's how I figured it out a while ago, cos the damn thing confused me too"


Thanks again guys

Author Comment

ID: 12660370
Where are you from btw Deb? London?
LVL 20

Expert Comment

ID: 12660399
Leeds originally (Yorkshire) - now live and work in Birmingham - visit London when I can and spend way, way too much money when I'm there!!! Where you from Dissolved?

Author Comment

ID: 12660645
I'm from the States. But half of my family lives in Dublin, Ireland and London. Going to London in spring to visit family. Was there 3 years ago, nice place. Definitely have the best chocolate there mmmmmmmmm

I'm having more problems lol. Chris (and Deb if you're not busy) could you take a look at this when you get a chance please?



Question has a verified solution.