Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Domain policy

Posted on 2006-06-11
14
Medium Priority
?
456 Views
Last Modified: 2010-04-18
By default, if you go to administrative tools, you will see 2 things,
"Default domain controller security policy" and "Default domain security policy"
what is the difference between those two?
0
Comment
Question by:kecoak
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
14 Comments
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 2000 total points
ID: 16883012
the domain controller security policy affects domain controllers only, it is basically the replacement of the local security policy on a standard windows install (gpedit.msc)

the default domain policy affects every machine within the domain without exceptions and initally has everything as not configured
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 16883013
One is the policy for the domain controllers, the other is the policy for the rest of the domain.
0
 

Author Comment

by:kecoak
ID: 16883326
what do you mean by domain controller? is it mean the computer that host the domain controller aka the server?
so in this case only user that log on to the system locally is controlled by "Domain controller security policy"
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16883369
a domain controller is the server that houses Active Directory, so yes, the domain controller policy affects it
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 16884050
Hi kecoak,

Yes the policy to logon to the domain controller locally can be set in that default domain controllers policy as described here

http://support.microsoft.com/?kbid=234237
Assign "Log On locally" Rights to Windows Domain Controller

You can also create a new policy and link it to domain controllers OU and setting it that way will work fine.
Thanks

Mike
0
 

Author Comment

by:kecoak
ID: 16890771
At first I thought that once the PC has been promoted to Domain Controller, user can't log in locally to the system because I couldn't find "local" in the login session. but This is not true (FALSE). As mentioned by JayJay, Default domain controller is the same as Local Security Policy.

This leads me to another question, Can we add a username that only work locally (not in Active Directory)
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16890777
active directory replaces your SAM database which is the local one, so in short, no, the local SAM no longer exists.....
0
 

Author Comment

by:kecoak
ID: 16890794
Ic I didn't realize that actually based on LSDOU
Local - Site - Domain - OU

OU = Default domain controller security policy
Domain = Default  Domain Security Policy
Is this correct?
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16890808
local is the local machine policy - on clients that is the local policy on server its the domain controller policy   yes
Site is a policy applied at the site level, fairly uncommon
Domain is the default domain policy yes
OU is any policy you apply at an OU level, none by default
0
 

Author Comment

by:kecoak
ID: 16890921
if you go to your "active directory user and computer" then go to domain controller folder (OU), you might find domain controller policy attached on it.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16890934
yes you will, but the domain controllers object is a container not exactly an OU :)
0
 

Author Comment

by:kecoak
ID: 16890947
In that case , the domain controller policy will be treated as local or OU?
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16890965
i had never actually sat down and though that, considering it doesnt sit on the root, you would be correct saying it is an OU policy :) DC's automatically go to that container so i never viewed it as an OU :)
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us need to configure DHCP server(s) in their environment. We can do that simply via DHCP console on server or using MMC snap-in on each computer with Administrative Tools installed in a network. But what if we have to configure many DHCP ser…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Want to learn how to record your desktop screen without having to use an outside camera. Click on this video and learn how to use the cool google extension called "Screencastify"! Step 1: Open a new google tab Step 2: Go to the left hand upper corn…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question