Windows Server 2003: Domain Controller Group Policy vs Domain Group Policy

Posted on 2005-04-22
Last Modified: 2013-12-19
In Win Server 2003, what is the difference between Domain Controller Group Policy & Domain Group Policy? When logged on to the DC locally, which of these takes precedence?
Question by: scptech

Accepted Solution

Chris Dent earned 500 total points
ID: 13849269

Default Domain Controller Policy defines access settings for the Domain Controllers - DO NOT casually alter this policy, only change things you are absolutely sure about. Mistakes in this policy are one of the easier ways to break your domain and render your domain controllers inaccessible. This policy is attached to the Domain Controllers OU.

Default Domain Policy defines security settings for the domain (password policies etc) and any other settings you want to set. This policy is attached to the Root of the domain.

Except for Security Policies, any policy attached to a child OU or container will overwrite any settings for policies set at a higher level:

Domain Root --- Default Domain Policy
       | --- Domain Controllers OU --- Default Domain Controllers Policy

So Default Domain Controller Policy overwrites Default Domain Policy for any objects within the Domain Controllers OU. And logged into your DC locally that one takes precedence.

Before going too far with that though, it's important to note that all entries in Computer Configuration apply only to Computer Accounts and all entries in User Configuration only apply to User Accounts.

There are exceptions to this, the security settings mentioned above, and the ability to enable Loopback Policy processing which allows you to apply User Configuration to Computer Accounts.

A more practical description would be this (since changing things here won't break anything):

Open the Default Domain Policy and change the following policy:
User Configuration / Administrative Templates / Start Menu and Taskbar
Remove Help menu from the Start Menu - Enabled

If your workstation is Windows XP do:


And you should see the Help menu is gone.

Now find your user account in AD (probably in Users) and make a new policy on the Users OU with the same policy, but this time, disabled:

Domain Root --- Default Domain Policy (Remove Help Menu - Enabled)
       | --- Users --- Test Policy (Remove Help Menu - Disabled)

GPUpdate again and the Help option should be back.

To help generally with Group Policy it would be worth getting the Group Policy Management Console (Req: Windows XP / Windows 2003):


This gives you a much clearer view of policies in the domain.

For the client end Windows XP and 2003 both come with a Resultant Set of Policy tool which lets you see exactly what is being applied. To launch the tool do:


Hope all that helps.
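
Added example, not part of the answer above: a simplified Python model of the precedence it describes (the link closest to the object wins, domain account password policy is read only from the domain root, and loopback in replace mode makes the user half follow the computer's OU). The GPO contents, setting keys and container path strings are constructed for illustration.

```python
# Added illustration; GPO contents and setting keys are constructed sample data.
# GPO links per container, as in the answer's tree. Each GPO has two halves.
LINKS = {
    "domain": [("Default Domain Policy", {
        "computer": {"MinimumPasswordLength": 8},
        "user": {"RemoveHelpMenu": "Enabled"}})],
    "domain/Domain Controllers": [("Default Domain Controllers Policy", {
        "computer": {"MinimumPasswordLength": 4, "AllowLogOnLocally": "Administrators"},
        "user": {}})],
    "domain/Users": [("Test Policy", {
        "computer": {},
        "user": {"RemoveHelpMenu": "Disabled"}})],
}
# Password policy for domain accounts is honoured only from domain-root links.
DOMAIN_ONLY = {"MinimumPasswordLength"}

def containers(path):
    """'domain/Users' -> ['domain', 'domain/Users'], parent first."""
    parts = path.split("/")
    return ["/".join(parts[:i + 1]) for i in range(len(parts))]

def effective(path, half):
    """Map each setting to (value, winning GPO) for an object located at path."""
    result = {}
    for container in containers(path):          # parents are processed first
        for gpo_name, gpo in LINKS.get(container, []):
            for key, value in gpo[half].items():
                if key in DOMAIN_ONLY and container != "domain":
                    continue                    # the security-policy exception
                result[key] = (value, gpo_name)  # the closer link overwrites
    return result

def logon(user_path, computer_path, loopback_replace=False):
    """Computer half follows the computer's OU, user half the user's OU.
    With loopback in replace mode the user half follows the computer's OU."""
    user_scope = computer_path if loopback_replace else user_path
    return {"computer": effective(computer_path, "computer"),
            "user": effective(user_scope, "user")}

if __name__ == "__main__":
    for loopback in (False, True):
        rsop = logon("domain/Users", "domain/Domain Controllers", loopback)
        print("loopback replace =", loopback)
        for half, settings in rsop.items():
            for key, (value, gpo) in settings.items():
                print(f"  {half:8} {key} = {value}  <- {gpo}")
```

The weaker password length set in the Domain Controllers link is ignored in this model, which is the kind of silent mismatch worth checking for when reviewing a DC-linked policy.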


Author Comment

ID: 13852365
Chris: this is extremely helpful, thanks.

One more question (last one, I hope): I added a user and then ran the RSOP and got the message "The user 'xxx' has no RSOP defined": why would that happen?
