Solved

Domain policy

Posted on 2006-06-11
14
451 Views
Last Modified: 2010-04-18
By default, if you go to administrative tools, you will see 2 things,
"Default domain controller security policy" and "Default domain security policy"
what is the difference between those two?
0
Comment
Question by:kecoak
14 Comments
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 500 total points
ID: 16883012
the domain controller security policy affects domain controllers only, it is basically the replacement of the local security policy on a standard windows install (gpedit.msc)

the default domain policy affects every machine within the domain without exceptions and initally has everything as not configured
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 16883013
One is the policy for the domain controllers, the other is the policy for the rest of the domain.
0
 

Author Comment

by:kecoak
ID: 16883326
what do you mean by domain controller? is it mean the computer that host the domain controller aka the server?
so in this case only user that log on to the system locally is controlled by "Domain controller security policy"
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16883369
a domain controller is the server that houses Active Directory, so yes, the domain controller policy affects it
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 16884050
Hi kecoak,

Yes the policy to logon to the domain controller locally can be set in that default domain controllers policy as described here

http://support.microsoft.com/?kbid=234237
Assign "Log On locally" Rights to Windows Domain Controller

You can also create a new policy and link it to domain controllers OU and setting it that way will work fine.
Thanks

Mike
0
 

Author Comment

by:kecoak
ID: 16890771
At first I thought that once the PC has been promoted to Domain Controller, user can't log in locally to the system because I couldn't find "local" in the login session. but This is not true (FALSE). As mentioned by JayJay, Default domain controller is the same as Local Security Policy.

This leads me to another question, Can we add a username that only work locally (not in Active Directory)
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16890777
active directory replaces your SAM database which is the local one, so in short, no, the local SAM no longer exists.....
0
 

Author Comment

by:kecoak
ID: 16890794
Ic I didn't realize that actually based on LSDOU
Local - Site - Domain - OU

OU = Default domain controller security policy
Domain = Default  Domain Security Policy
Is this correct?
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16890808
local is the local machine policy - on clients that is the local policy on server its the domain controller policy   yes
Site is a policy applied at the site level, fairly uncommon
Domain is the default domain policy yes
OU is any policy you apply at an OU level, none by default
0
 

Author Comment

by:kecoak
ID: 16890921
if you go to your "active directory user and computer" then go to domain controller folder (OU), you might find domain controller policy attached on it.
0
 

Author Comment

by:kecoak
ID: 16890931
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16890934
yes you will, but the domain controllers object is a container not exactly an OU :)
0
 

Author Comment

by:kecoak
ID: 16890947
In that case , the domain controller policy will be treated as local or OU?
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16890965
i had never actually sat down and though that, considering it doesnt sit on the root, you would be correct saying it is an OU policy :) DC's automatically go to that container so i never viewed it as an OU :)
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

So you have two Windows Servers and you have a directory/folder/files on one that you'd like to mirror to the other?  You don't really want to deal with DFS or a 3rd party solution like Doubletake. You can use Robocopy from the Windows Server 200…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question