Default domain policy vs Domain Security Policy

Ok, the Domain Security Policy and the Default Domain Policy GPO has me confused.

I've read conflicting things about where password policy should be applied.  I have ALWAYS defined my password policy and Account lockout policies  via  the Domain Security Policy snap in.  I never even use the Default Domain Policy GPO.
I do all of my other settings via GPOs on OUs.

Is this normal practice?


Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Chris DentPowerShell DeveloperCommented:

You're doing the right thing.

In Windows 2000 the Domain Security Policy takes precedence. That is the only place you can set security settings (such as password length etc) on a Windows 2000 Domain.

This changes on Windows 2003 Domains where those settings are shifted entirely into Group Policy and can be set under whatever policy you prefer (which can be the Default Domain Policy if you wish or a policy on an OU as you have your other settings).
Hi Dissolved

In windows 2000 server they are effectively one and the same - just default domain policy gpo has more options available. Domain Security policy as accessed through dompol.msc is just a subset of the same options available in the default domain gpo namely - computer configuration - windows settings - security settings. Change one aspect in one snap-in and you'll see it reflected in the other snap-in. So it doesn't matter where you change it so long as you are using that sepcific subset. It is better though only to use the options available via dompol.msc as opposed to other options in the default domain policy gpo as has been said already by Chris. Other options are better configured just at the domain OU level,

Deb :))

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
dissolvedAuthor Commented:
Thanks guys . The thing that throws me off in the whole "Default Domain GPO vs Domain Security", is that some of the settings are similar.  Meaning, you can define them in both areas.

For example.

Here is a screen shot of my domain security policy

And here is a screen shot of a GPO (default domain policy)

They both have the "LOCAL POLICIES" (user righs assignments, security assignments etc).  
Where should I define these. Domain Security Policy or a GPO? Which takes precedence?


hi deb :)
Cloud Class® Course: Amazon Web Services - Basic

Are you thinking about creating an Amazon Web Services account for your business? Not sure where to start? In this course you’ll get an overview of the history of AWS and take a tour of their user interface.

Hi Dissolved - Neither - they are one and the same - just default domain gpo shows more configurable options at the domain level - seriously - try it! Open both snap-ins - change something (insignificant!) on the dompol.msc then refresh the views or re-open the default domain gpo. One reflects the other in just the one area - They both have exactly the same Security settings options and settings in computer config - windows settings

(That's how I figured it out a while ago, cos the damn thing confused me too)
dissolvedAuthor Commented:
"That's how I figured it out a while ago, cos the damn thing confused me too"


Thanks again guys
dissolvedAuthor Commented:
where are you from btw Deb? london?
Leeds originally (Yorkshire) - now live and work in Birmingham - visit London when I can and spend way, way too much money when I'm there!!! WHere you from Dissolved?
dissolvedAuthor Commented:
im from the states. But half of my family lives in Dublin, ireland and London. Going to london in spring to visit family. . Was there 3 years go, nice place.  Definitely have the best chocolate there mmmmmmmmm

I'm having more problems lol. Chris (and Deb if you're not busy) could you take a look at this when you get a chance please?

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 2000

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.