Local group policy of domain controller

Posted on 2011-10-15
Medium Priority
Last Modified: 2012-05-12
When I go to the local group policy of my domain controller I see for most of the security settings (e.g. audit account logon events) Not Defined.

What does it mean? It means that the Default domain policy is applied locally to my domain controller and that no specific (more hardened) policies have been applied locally?
Question by:darkbluegr
LVL 18

Assisted Solution

LesterClayton earned 1000 total points
ID: 36972814
Domain Controllers by default will get both the Default Domain Controller Policy, plus Default Domain Policy, because of the location of the Domain Controllers OU, and the links which are there.  When the Domain Controllers start, they will see both policies and apply them during their startup.

You can verify what policies were applied by logging onto the domain controller and at a command prompt typing



You will see all the effective applied settings.

All policies are applied in the order of Local, Site, Domain and then OU.  Just because a setting is missing from the "Local Policy" doesn't mean it's not applied elsewhere.  Use the GPRESULT to see all applied policies.
LVL 20

Accepted Solution

thehagman earned 1000 total points
ID: 36972816
By default,
- domain controllers are placed in the "Domain Controllers" OU in AD,
- that OU blocks inheritance of GPOs e.g. from yourdomain.local
- that OU is assigned a "Default Domain Controllers Policy" (which differs from the "Default Domain Policy")

As with the Default Domain Policy, it is recommended not to alter the Default Domain Controller Policy object but rather to create a new policy object and modify that.
It seems the settings in the Default Domain Controllers Policy are in
Password requirement, various settings under Audit Policy and User Rights Assignment and a few Security options.
In fact, there are more settings in the Default Domain Policy.

The setting you mentioned (audit account logon events) is in the Default Domain Controller Policy.
Thus, if the setting is not active for your DC, check
- is the DC in the correct OU?
- is the Default Domain Controller Policy assigned to that OU?
- is there nothing else that overrides?
You probably know how to use the "Resultant Set of Policy" planning tool to debug such assignments?
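
The three checks listed in the answer above, written out as an added PowerShell example (not part of the original thread or either answerer's own code). It assumes an elevated session on the domain controller with the ActiveDirectory and GroupPolicy modules available; the report path is a constructed placeholder.

```powershell
# Added example: run elevated on the domain controller being checked.
Import-Module ActiveDirectory, GroupPolicy

# Well-known GUID of the Default Domain Controllers Policy (identical in every
# domain); matching on the GUID still works if the GPO has been renamed.
$ddcpId = [guid]'6AC1786C-016F-11D2-945F-00C04FB984F9'

$domain = Get-ADDomain
$dcOu   = $domain.DomainControllersContainer
$dc     = Get-ADComputer -Identity $env:COMPUTERNAME

# Check 1: is the DC in the correct OU?
$parent = $dc.DistinguishedName -replace '^CN=[^,]+,', ''
'{0} is in "{1}" (expected "{2}"): {3}' -f $dc.Name, $parent, $dcOu, ($parent -eq $dcOu)

# Check 2: is the Default Domain Controllers Policy linked to that OU?
$inh  = Get-GPInheritance -Target $parent
$link = $inh.GpoLinks | Where-Object { $_.GpoId -eq $ddcpId }
if ($link) {
    "DDCP linked: enabled=$($link.Enabled) enforced=$($link.Enforced) order=$($link.Order)"
} else {
    'DDCP is NOT linked directly to this OU'
}

# Check 3: does anything else override?
# InheritedGpoLinks lists every domain/OU link that reaches this OU in
# precedence order (Order 1 wins). Enforced links higher up beat OU links.
"Inheritance blocked on this OU: $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks |
    Format-Table Order, DisplayName, Enabled, Enforced, Target -AutoSize

# Get-GPInheritance does not evaluate site links, security filtering or WMI
# filters, so confirm the effective result on the machine itself.
$report = Join-Path $env:TEMP 'dc-rsop.html'   # constructed output path
Get-GPResultantSetOfPolicy -Computer $env:COMPUTERNAME -ReportType Html -Path $report
"RSoP report written to $report"

# Effective audit policy as the OS currently enforces it, regardless of what
# the local policy editor displays as "Not Defined".
auditpol /get /category:*
```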
