kecoak
asked on
Domain policy
By default, if you go to administrative tools, you will see 2 things,
"Default domain controller security policy" and "Default domain security policy"
what is the difference between those two?
"Default domain controller security policy" and "Default domain security policy"
what is the difference between those two?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Lee W, MVP
One is the policy for the domain controllers, the other is the policy for the rest of the domain.
ASKER
what do you mean by domain controller? is it mean the computer that host the domain controller aka the server?
so in this case only user that log on to the system locally is controlled by "Domain controller security policy"
so in this case only user that log on to the system locally is controlled by "Domain controller security policy"
a domain controller is the server that houses Active Directory, so yes, the domain controller policy affects it
Hi kecoak,
Yes the policy to logon to the domain controller locally can be set in that default domain controllers policy as described here
http://support.microsoft.com/?kbid=234237
Assign "Log On locally" Rights to Windows Domain Controller
You can also create a new policy and link it to domain controllers OU and setting it that way will work fine.
Thanks
Mike
Yes the policy to logon to the domain controller locally can be set in that default domain controllers policy as described here
http://support.microsoft.com/?kbid=234237
Assign "Log On locally" Rights to Windows Domain Controller
You can also create a new policy and link it to domain controllers OU and setting it that way will work fine.
Thanks
Mike
ASKER
At first I thought that once the PC has been promoted to Domain Controller, user can't log in locally to the system because I couldn't find "local" in the login session. but This is not true (FALSE). As mentioned by JayJay, Default domain controller is the same as Local Security Policy.
This leads me to another question, Can we add a username that only work locally (not in Active Directory)
This leads me to another question, Can we add a username that only work locally (not in Active Directory)
active directory replaces your SAM database which is the local one, so in short, no, the local SAM no longer exists.....
ASKER
Ic I didn't realize that actually based on LSDOU
Local - Site - Domain - OU
OU = Default domain controller security policy
Domain = Default Domain Security Policy
Is this correct?
Local - Site - Domain - OU
OU = Default domain controller security policy
Domain = Default Domain Security Policy
Is this correct?
local is the local machine policy - on clients that is the local policy on server its the domain controller policy yes
Site is a policy applied at the site level, fairly uncommon
Domain is the default domain policy yes
OU is any policy you apply at an OU level, none by default
Site is a policy applied at the site level, fairly uncommon
Domain is the default domain policy yes
OU is any policy you apply at an OU level, none by default
ASKER
if you go to your "active directory user and computer" then go to domain controller folder (OU), you might find domain controller policy attached on it.
ASKER
yes you will, but the domain controllers object is a container not exactly an OU :)
ASKER
In that case , the domain controller policy will be treated as local or OU?
i had never actually sat down and though that, considering it doesnt sit on the root, you would be correct saying it is an OU policy :) DC's automatically go to that container so i never viewed it as an OU :)