Windows Server 2003: Domain Controller Group Policy vs Domain Group Policy

Posted on 2005-04-22
Last Modified: 2013-12-19
In Win Server 2003, what is the difference between Domain Controller Group Policy & Domain Group Policy? When logged on to the DC locally, which of these takes precedence?
Question by:scptech

    Accepted Solution


    Default Domain Controller Policy defines access settings for the Domain Controllers - DO NOT casually alter this policy, only change things you are absolutely sure about. Mistakes in this policy are one of the easier ways to break your domain and render your domain controllers inaccessible. This policy is attached to the Domain Controllers OU.

    Default Domain Policy defines security settings for the domain (password policies etc) and any other settings you want to set. This policy is attached to the Root of the domain.

    Except for Security Policies, any policy attached to a child OU or container will overwrite any settings for policies set at a higher level:

    Domain Root --- Default Domain Policy
           | --- Domain Controllers OU --- Default Domain Controllers Policy

    So Default Domain Controller Policy overwrites Default Domain Policy for any objects within the Domain Controllers OU. And logged into your DC locally that one takes precedence.

    Before going too far with that though, it's important to note that all entries in Computer Configuration apply only to Computer Accounts and all entries in User Configuration only apply to User Accounts.

    There are exceptions to this, the security settings mentioned above, and the ability to enable Loopback Policy processing which allows you to apply User Configuration to Computer Accounts.

    A more practical description would be this (since changing things here won't break anything):

    Open the Default Domain Policy and change the following policy:
    User Configuration / Administrative Templates / Start Menu and Taskbar
    Remove Help menu from the Start Menu - Enabled

    If your workstation is Windows XP do:


    And you should see the Help menu is gone.

    Now find your user account in AD (probably in Users) and make a new policy on the Users OU with the same policy, but this time, disabled:

    Domain Root --- Default Domain Policy (Remove Help Menu - Enabled)
           | --- Users --- Test Policy (Remove Help Menu - Disabled)

    GPUpdate again and the Help option should be back.

    To help generally with Group Policy it would be worth getting the Group Policy Management Console (Req: Windows XP / Windows 2003):

    This gives you a much clearer view of policies in the domain.

    For the client end Windows XP and 2003 both come with a Resultant Set of Policy tool which lets you see exactly what is being applied. To launch the tool do:


    Hope all that helps.
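
The precedence rules described in the answer above, as an added Python model that is not part of the original post and is not Microsoft's implementation. The class and function names (`GPO`, `Container`, `resultant`, `DOMAIN_ONLY`) are hypothetical, the setting values are constructed samples, Loopback processing is not modelled, and only one password setting is treated as the "Security Policies" exception.

```python
from dataclasses import dataclass, field

# Assumption: one account-policy setting stands in for the "Security Policies"
# exception; for domain accounts it is only honoured from a domain-root link.
DOMAIN_ONLY = {"MinimumPasswordLength"}

@dataclass
class GPO:
    name: str
    user: dict = field(default_factory=dict)      # User Configuration
    computer: dict = field(default_factory=dict)  # Computer Configuration

@dataclass
class Container:
    name: str
    parent: "Container" = None
    gpos: list = field(default_factory=list)      # GPOs linked here

def resultant(container, side):
    """Settings for an account located in `container`.
    side: 'user' for user accounts, 'computer' for computer accounts.
    Returns {setting: (value, name of the GPO that won)}."""
    path = []
    while container is not None:                  # walk up to the domain root
        path.append(container)
        container = container.parent
    result = {}
    for c in reversed(path):                      # root first, closest OU last
        for gpo in c.gpos:
            for key, value in getattr(gpo, side).items():
                if key in DOMAIN_ONLY and c.parent is not None:
                    continue                      # security exception: OU link ignored
                result[key] = (value, gpo.name)   # closer link overwrites
    return result

HELP = "Remove Help menu from the Start Menu"
# Constructed sample data mirroring the layout in the answer.
root = Container("Domain Root", gpos=[GPO("Default Domain Policy",
    user={HELP: "Enabled"}, computer={"MinimumPasswordLength": 8})])
dcs = Container("Domain Controllers", root, [GPO("Default Domain Controllers Policy",
    computer={"MinimumPasswordLength": 0, "Allow log on locally": "Administrators"})])
users = Container("Users", root, [GPO("Test Policy", user={HELP: "Disabled"})])

if __name__ == "__main__":
    for where, side in [(root, "user"), (users, "user"), (dcs, "computer")]:
        print(where.name, side, resultant(where, side))
```

The returned GPO name shows which link won for each setting, which is the same question the Resultant Set of Policy tool answers on a real client.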


    Author Comment

    Chris: this is extremely helpful, thanks.

    One more question (last one, I hope): I added a user and then ran the RSOP and got the message "The user 'xxx' has no RSOP defined " : why would that happen?
