Windows Server 2003: Domain Controller Group Policy vs Domain Group Policy

In Win Server 2003, what is the difference between Domain Controller Group Policy & Domain Group Policy? When logged on to the DC locally, which of these takes precedence?
Chris Dent (PowerShell Developer) Commented:

Default Domain Controller Policy defines access settings for the Domain Controllers - DO NOT casually alter this policy, only change things you are absolutely sure about. Mistakes in this policy are one of the easier ways to break your domain and render your domain controllers inaccessible. This policy is attached to the Domain Controllers OU.

Default Domain Policy defines security settings for the domain (password policies etc) and any other settings you want to set. This policy is attached to the Root of the domain.

Except for Security Policies, any policy attached to a child OU or container will overwrite any settings for policies set at a higher level:

Domain Root --- Default Domain Policy
       | --- Domain Controllers OU --- Default Domain Controllers Policy

So Default Domain Controller Policy overwrites Default Domain Policy for any objects within the Domain Controllers OU. And logged into your DC locally that one takes precedence.

Before going too far with that though, it's important to note that all entries in Computer Configuration apply only to Computer Accounts and all entries in User Configuration only apply to User Accounts.

There are exceptions to this, the security settings mentioned above, and the ability to enable Loopback Policy processing which allows you to apply User Configuration to Computer Accounts.

A more practical description would be this (since changing things here won't break anything):

Open the Default Domain Policy and change the following policy:
User Configuration / Administrative Templates / Start Menu and Taskbar
Remove Help menu from the Start Menu - Enabled

If your workstation is Windows XP do:


And you should see the Help menu is gone.

Now find your user account in AD (probably in Users) and make a new policy on the Users OU with the same policy, but this time, disabled:

Domain Root --- Default Domain Policy (Remove Help Menu - Enabled)
       | --- Users --- Test Policy (Remove Help Menu - Disabled)

GPUpdate again and the Help option should be back.

To help generally with Group Policy it would be worth getting the Group Policy Management Console (Req: Windows XP / Windows 2003):

This gives you a much clearer view of policies in the domain.

For the client end Windows XP and 2003 both come with a Resultant Set of Policy tool which lets you see exactly what is being applied. To launch the tool do:


Hope all that helps.
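
The precedence described in the answer above, as an added example that is not part of the original post: a small Python model of the two trees drawn in the answer, resolving which GPO supplies each setting for a user or computer account. It covers ordinary settings only (not the security-policy exception or loopback processing); the `Example computer setting` entry, the `LINKS` layout and the `resultant` function are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)  # Computer Configuration
    user: dict = field(default_factory=dict)      # User Configuration

# Constructed sample data mirroring the trees in the answer.
# "Example computer setting" is a made-up placeholder, not a real policy name.
# A value of None stands for "Not Configured".
LINKS = {
    "Domain Root": [GPO("Default Domain Policy",
                        computer={"Example computer setting": "domain value"},
                        user={"Remove Help menu from the Start Menu": "Enabled"})],
    "Domain Root/Domain Controllers": [GPO("Default Domain Controllers Policy",
                        computer={"Example computer setting": "DC value"})],
    "Domain Root/Users": [GPO("Test Policy",
                        computer={"Example computer setting": None},
                        user={"Remove Help menu from the Start Menu": "Disabled"})],
}

def resultant(container, kind):
    """Resolve settings for an account in `container`.

    kind is "computer" or "user": only the matching half of each GPO applies.
    Returns {setting: (value, name of the GPO that supplied it)}.
    """
    if kind not in ("computer", "user"):
        raise ValueError("kind must be 'computer' or 'user'")
    result = {}
    parts = container.split("/")
    # Walk from the domain root down to the account's own container, so a
    # GPO linked closer to the account is applied later and wins.
    for depth in range(1, len(parts) + 1):
        for gpo in LINKS.get("/".join(parts[:depth]), []):
            for setting, value in getattr(gpo, kind).items():
                if value is not None:  # Not Configured leaves the parent value
                    result[setting] = (value, gpo.name)
    return result

if __name__ == "__main__":
    for where, kind in [("Domain Root/Users", "user"),
                        ("Domain Root/Domain Controllers", "computer"),
                        ("Domain Root/Users", "computer")]:
        print(where, kind, resultant(where, kind))
```
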

scptech (Author) Commented:
Chris: this is extremely helpful, thanks.

One more question (last one, I hope): I added a user and then ran the RSOP and got the message "The user 'xxx' has no RSOP defined": why would that happen?
Question has a verified solution.
