wuitsung asked:

What's the difference between gpedit.msc and Default Domain Group policy?

I am wondering what's the difference between gpedit.msc and Default Domain Group policy? When I open the gpedit.msc it says "Local Computer Policy" and the "Default Domain Group policy" says "Domain Policy"......

But it seems that gpedit.msc overrides the "Default Domain Group policy". For example, I made an account Group policy "Account lockout threshold = 5" in gpedit.msc and "Account lockout threshold = 10" in "Default Domain Group policy". The 5 attempts always override the 10. Is it the same for all other policies?? But why? Since it's local... I am in a domain environment..
Brian Pierce
This solution is only available to members.
Are you making this setting on a DC? The default domain controllers group policy will override on a DC (which is the same as running gpedit.msc)......the default domain policy affects the rest of the domain

As KCTS said "The default domain policy is a policy that applies to all machines/users in the domain and takes precedence over the local policy" I thought that as well. But I tested it this way. From the DC, in the Default group policy, I set the invalid attempts to "Not defined" and in GPEDIT.MSC I set it to 5.
However, I thought it would have unlimited attempts, but it limits to 5.
Did you run GPUPDATE /force?
Did you make sure you were logging on to the DOMAIN - not the local computer?
Yes. I ran GPUPDATE /force and the user is logging on to the domain.
But if I set a value in the default domain policy, for example, 10 attempts, it is inherited by GPEDIT.MSC.... but not when it's undefined...
Yes - That's what I would expect.
Undefined means any existing setting remains; only if the domain policy is defined with a value does it override any existing value.
OK. I got it... But there is still something that is very confusing to me, and I think it's important to understand this.. Could you please explain the difference?

In administrative tool:
- Domain Controller security policy
- Domain security policy

In AD users and computers:
- Default Domain Controller policy (right click on domain name)
- Default Domain Controller policy (right click on DC OU)

In Run:
GPEDIT.MSC -> ( I know this now, local policy)
Sorry. Made a mistake... the Default Domain Controller policy (right click on domain name) -> should be "Default Domain policy" (right click on domain name)
The Default Domain Policy is applied to ALL computers/users in the Domain.

The Domain Controllers Security Policy is applied to Domain Controllers - or to be more accurate all machines in the Domain Controllers OU (the clue is in the name).

I know it is applied to the DC... but what is the difference between these 2??

In programs/administrative tool:
- Domain Controller security policy

In AD users and computers:
- Default Domain Controller policy (right click on DC OU)
None - They are the same - you are just viewing them from different places.

BTW - if you have not downloaded and installed it, get the Group Policy Management Tool from

It makes working with group policy much easier and provides some good troubleshooting tools into the bargain.
I see.. Microsoft is really bad at naming... Thank you very much!!! How about "Domain security policy" (in Administrative tool) and "Default Domain policy" (right click on domain name)? I think it's not the same....

It's the same - slightly different view - but the same.
OK.. that was really confusing.... thank you very much!! So I guess the name "Default Domain Controller Policy" is just a pre-created policy object. And the "Default Domain policy" still overrides it.
Am I correct with that?
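
One way to check which lockout threshold is actually in effect, for the test described in this thread (an added example, not part of the original posts). It assumes an elevated PowerShell session on a domain-joined machine with the RSAT ActiveDirectory module installed; the function names are hypothetical.

```powershell
# Added example: compare the lockout threshold stored on this machine with the
# value published as the domain's account policy, then list the applied GPOs.

function Get-MachineLockoutThreshold {
    # Export the account-policy area of this machine's security settings and
    # read LockoutBadCount (0 means accounts never lock out).
    $tmp = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $tmp /areas SECURITYPOLICY /quiet | Out-Null
        $hit = Select-String -Path $tmp -Pattern '^\s*LockoutBadCount\s*=\s*(\d+)' |
               Select-Object -First 1
        if ($hit) { [int]$hit.Matches[0].Groups[1].Value } else { $null }
    }
    finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

function Get-DomainLockoutThreshold {
    # Domain-wide account policy as stored on the domain object
    # (0 means accounts never lock out).
    Import-Module ActiveDirectory -ErrorAction Stop
    (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold
}

$machine = Get-MachineLockoutThreshold
$domain  = Get-DomainLockoutThreshold

# A mismatch means this machine is not using the domain value and the
# applied GPO list below is the next thing to inspect.
[pscustomobject]@{
    Computer               = $env:COMPUTERNAME
    MachineLockoutBadCount = $machine
    DomainLockoutThreshold = $domain
    Match                  = ($machine -eq $domain)
}

# Show which GPOs were applied to the computer, and which were filtered out,
# after the last policy refresh.
gpresult /r /scope computer
```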