• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 461
  • Last Modified:

Domain policy

By default, if you go to administrative tools, you will see 2 things,
"Default domain controller security policy" and "Default domain security policy"
what is the difference between those two?
0
kecoak
Asked:
kecoak
1 Solution
 
Jay_Jay70Commented:
the domain controller security policy affects domain controllers only, it is basically the replacement of the local security policy on a standard windows install (gpedit.msc)

the default domain policy affects every machine within the domain without exceptions and initally has everything as not configured
0
 
Lee W, MVPTechnology and Business Process AdvisorCommented:
One is the policy for the domain controllers, the other is the policy for the rest of the domain.
0
 
kecoakAuthor Commented:
what do you mean by domain controller? is it mean the computer that host the domain controller aka the server?
so in this case only user that log on to the system locally is controlled by "Domain controller security policy"
0
Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

 
Jay_Jay70Commented:
a domain controller is the server that houses Active Directory, so yes, the domain controller policy affects it
0
 
Mike KlineCommented:
Hi kecoak,

Yes the policy to logon to the domain controller locally can be set in that default domain controllers policy as described here

http://support.microsoft.com/?kbid=234237
Assign "Log On locally" Rights to Windows Domain Controller

You can also create a new policy and link it to domain controllers OU and setting it that way will work fine.
Thanks

Mike
0
 
kecoakAuthor Commented:
At first I thought that once the PC has been promoted to Domain Controller, user can't log in locally to the system because I couldn't find "local" in the login session. but This is not true (FALSE). As mentioned by JayJay, Default domain controller is the same as Local Security Policy.

This leads me to another question, Can we add a username that only work locally (not in Active Directory)
0
 
Jay_Jay70Commented:
active directory replaces your SAM database which is the local one, so in short, no, the local SAM no longer exists.....
0
 
kecoakAuthor Commented:
Ic I didn't realize that actually based on LSDOU
Local - Site - Domain - OU

OU = Default domain controller security policy
Domain = Default  Domain Security Policy
Is this correct?
0
 
Jay_Jay70Commented:
local is the local machine policy - on clients that is the local policy on server its the domain controller policy   yes
Site is a policy applied at the site level, fairly uncommon
Domain is the default domain policy yes
OU is any policy you apply at an OU level, none by default
0
 
kecoakAuthor Commented:
if you go to your "active directory user and computer" then go to domain controller folder (OU), you might find domain controller policy attached on it.
0
 
Jay_Jay70Commented:
yes you will, but the domain controllers object is a container not exactly an OU :)
0
 
kecoakAuthor Commented:
In that case , the domain controller policy will be treated as local or OU?
0
 
Jay_Jay70Commented:
i had never actually sat down and though that, considering it doesnt sit on the root, you would be correct saying it is an OU policy :) DC's automatically go to that container so i never viewed it as an OU :)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now