Local group policy of domain controller

Posted on 2011-10-15
Last Modified: 2012-05-12
When I go to the local group policy of my domain controller I see for most of the security settings (e.g. audit account logon events) Not Defined.

What does it mean? Does it mean that the Default Domain Policy is applied locally to my domain controller and that no specific (more hardened) policies have been applied locally?
Question by:darkbluegr
    LVL 17

    Assisted Solution

    Domain Controllers by default will get both the Default Domain Controller Policy, plus Default Domain Policy, because of the location of the Domain Controllers OU, and the links which are there.  When the Domain Controllers start, they will see both policies and apply them during their startup.

    You can verify what policies were applied by logging onto the domain controller and at a command prompt typing

    gpresult /SCOPE COMPUTER /Z


    You will see all the effective applied settings.

    All policies are applied in the order of Local, Site, Domain and then OU.  Just because a setting is missing from the "Local Policy" doesn't mean it's not applied elsewhere.  Use the GPRESULT to see all applied policies.
    LVL 20

    Accepted Solution

    By default,
    - domain controllers are placed in the "Domain Controllers" OU in AD,
    - that OU blocks inheritance of GPOs, e.g. from yourdomain.local
    - that OU is assigned a "Default Domain Controllers Policy" (which differs from the "Default Domain Policy")

    As with the Default Domain Policy, it is recommended not to alter the Default Domain Controllers Policy object but rather to create a new policy object and modify that.
    It seems the settings in the Default Domain Controllers Policy are in
    Password requirements, various settings under Audit Policy and User Rights Assignment, and a few Security Options.
    In fact, there are more settings in the Default Domain Policy.

    The setting you mentioned (audit account logon events) is in the Default Domain Controller Policy.
    Thus, if the setting is not active for your DC, check
    - is the DC in the correct OU?
    - is the Default Domain Controllers Policy assigned to that OU?
    - is there nothing else that overrides?
    You probably know how to use the "Resultant Set of Policy" planning tool to debug such assignments?
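The three checks in the accepted answer, scripted as an added example (not code from the original thread). It assumes it is run in an elevated session on the DC in question with the RSAT ActiveDirectory and GroupPolicy modules installed; the gpresult search pattern is an assumption about how that tool labels the setting.

```powershell
# Added example: verify why "Audit account logon events" shows Not Defined in the
# local policy of a DC, by checking where the setting really comes from.
# Assumes RSAT modules and an elevated, domain-joined session on the DC itself.
Import-Module ActiveDirectory, GroupPolicy

$dcName = $env:COMPUTERNAME                    # assumption: run on the DC being checked
$domain = Get-ADDomain
$dcOU   = $domain.DomainControllersContainer   # e.g. OU=Domain Controllers,DC=yourdomain,DC=local

# Check 1: is the DC's computer object actually in the Domain Controllers OU?
$dc     = Get-ADComputer -Identity $dcName -Properties DistinguishedName
$inDcOu = $dc.DistinguishedName -like "*,$dcOU"
"DC object:                 $($dc.DistinguishedName)"
"In Domain Controllers OU:  $inDcOu"

# Check 2: is the Default Domain Controllers Policy linked (and enabled) on that OU,
#          and what else is linked there or blocked from above?
$inh = Get-GPInheritance -Target $dcOU
"Inheritance blocked on OU: $($inh.GpoInheritanceBlocked)"
foreach ($link in $inh.GpoLinks) {
    "  Linked GPO: {0} (Enabled={1}, Enforced={2}, Order={3})" -f `
        $link.DisplayName, $link.Enabled, $link.Enforced, $link.Order
}
$ddcp = $inh.GpoLinks | Where-Object { $_.DisplayName -eq 'Default Domain Controllers Policy' }
"Default Domain Controllers Policy linked and enabled: $([bool]($ddcp -and $ddcp.Enabled))"

# Check 3: what actually won? Ask gpresult (same command the assisted answer gives)
#          and keep only the audit-logon lines plus the GPO they came from.
#          'AccountLogon' is assumed to be how gpresult names this audit category.
"`nEffective audit setting according to gpresult:"
gpresult /SCOPE COMPUTER /Z |
    Select-String -Pattern 'AccountLogon' -Context 3,1 |
    ForEach-Object { $_.Context.PreContext + $_.Line + $_.Context.PostContext }
```

If check 3 names a GPO other than the Default Domain Controllers Policy, that GPO (higher link order, Enforced, or a later-applied policy) is what overrides the setting for this DC.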
