Re: Domain Controller Security Policy vs. Domain Security Policy

From: Simon Geary (simon_geary_at_hotmail.com)
Date: 01/27/04


Date: Tue, 27 Jan 2004 10:14:26 +0100


>
> I've glanced at the article you mention. It doesn't specifically
> refer to controller-level (DDCSP) and it seems to imply that it's
> best/strongest to set policy at the domain-level (DDSP). For
> example, I think it says that if there's a rights conflict between
> OU-level and Domain-level, Domain wins. Do I have that right?

Generally speaking, an OU level GPO will win over a domain level one, though
there are exceptions. Group Policies are applied in this order: Local Policy >
Site GPO > Domain GPO > OU GPO > Child OU GPO (DDCSP is an OU level GPO).
This means that the ultimate winning GPO would be a child OU GPO.
So a setting could be turned on at the local level, then off at the domain
level, then on again at the site level and so on until the last GPO to be
applied turns it off again.
But as I said there are exceptions. You can use the No Override and Block
Policy Inheritance switches to force a particular setting to be predominant
from anywhere in the chain, but this complicates things greatly and these
should be used sparingly if at all.
And of course there are certain settings such as password policy that can
only be defined in the domain GPO.

Best practice is to do most of your GPO configuration at the OU level.

>
> But what I'm finding a bit puzzling is that ADMT seems to migrate
> NT's domain level user rights to AD's DDCSP rather than DDSP.
> Why? That is one reason why I previously made the assumption that
> DDCSP was the place to do most of the user rights policy stuff.

You do not configure user rights at the DDCSP level; this will not work.
Remember that the DDCSP will only apply to domain controllers themselves and
to the users who interactively log on at the console of the domain
controllers. None of your average users are going to be logging on to the
DCs, so any setting you make here will never affect most users. The only
settings I tend to use in DDCSP are some extra security policies, not many
and nothing too fancy.

http://support.microsoft.com/?id=259576 has more details on DDCSP

>
> Hmm....
>
> -Rich
>
> "Simon Geary" <simon_geary@hotmail.com> wrote in message
> news:OupOe4A4DHA.632@TK2MSFTNGP12.phx.gbl...
> > For even the smallest AD installation you will require a Domain Security
> > Policy and a Domain Controller Security Policy. The domain policy is applied
> > to the domain itself and therefore affects everything in that domain,
> > including domain controllers.
> > The domain controller security policy is applied to the domain controllers
> > OU only and hence only affects DCs.
> >
> > You should make changes to User Rights Assignments etc. to the domain
> > policy, not the domain controller policy. This KB describes what you should
> > be changing in the domain policy.
> > http://support.microsoft.com/?id=221930
> >
> > Remember that the domain controller policy will only apply to DCs, not to
> > other servers or even users.
> >
> > "Rich Roller" <rich_roller@*REMOVE-THIS*whitney.org> wrote in message
> > news:%23kY$5d63DHA.1672@TK2MSFTNGP12.phx.gbl...
> > > Can someone explain what the difference is between "Default Domain
> > > Controller Security Policy" and "Default Domain Security Policy"
> > > and confirm which one I should be using for a simple single
> > > domain, dual DC LAN?
> > >
> > > What I presume is that Default Domain Controller Security Policy
> > > (DDCSP) is the place one should go to make edits to your domain
> > > policy (e.g. User Rights Assgnmt: Logon Locally, Pswd.Policy:
> > > Min.Pswd.Age). It's also apparent that ADMT, when it migrates
> > > User Rights, edits the DDCSP. And I'm assuming that any changes
> > > made under DDCSP will get replicated to and used on the other DC.
> > > Are all 3 things true?
> > >
> > > So then what about Default Domain Security Policy (DDSP)? I'm
> > > guessing that it's some sort of higher level default settings but
> > > it's not clear to me how it is applied or used.
> > >
> > > Thanks for any clarification, references to articles/papers, etc.
> > >
> > > TIA,
> > >
> > > Rich
> > >
> > >
> >
> >
>
>
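
An added example, not part of the thread above, to check the two points the reply makes on a live domain: which GPO links apply at the domain and at the Domain Controllers OU (and in what order, including the Enforced / Block Inheritance exceptions), and which GPO actually won each User Rights Assignment on a domain controller versus a member server. It uses the GroupPolicy PowerShell module (RSAT). The names DC01, SRV01 and the "Servers" OU are hypothetical; the RSoP XML element names (UserRightsAssignment, Name, Member, GPO) are taken from the report schema written by Get-GPResultantSetOfPolicy and are matched by local name so the per-extension namespaces do not matter.

```powershell
# Added example, not code from the original thread. Read-only apart from the
# RSoP report files it writes under $env:TEMP. Hypothetical names: DC01 (a
# domain controller), SRV01 (a member server), OU "Servers". Needs the
# GroupPolicy module and rights to collect RSoP data from both machines.
Import-Module GroupPolicy -ErrorAction Stop

$domainDn = ([ADSI]"LDAP://RootDSE").defaultNamingContext   # e.g. DC=corp,DC=example
$targets  = @($domainDn, "OU=Domain Controllers,$domainDn", "OU=Servers,$domainDn")

# --- 1. Who is linked where, and in what order --------------------------------
# Processing order is Local > Site > Domain > OU > child OU: the last GPO applied
# wins a conflicting setting. Within one container the link with Order 1 is
# applied last, so it beats Order 2, 3, ... on the same container. Enforced
# links and blocked inheritance are the exceptions the reply mentions.
foreach ($t in $targets) {
    $inh = Get-GPInheritance -Target $t -ErrorAction SilentlyContinue
    if (-not $inh) { "`n== $t : not found (hypothetical OU?)"; continue }
    "`n== $t   (inheritance blocked: $($inh.GpoInheritanceBlocked))"
    $inh.GpoLinks | Sort-Object Order |
        Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize
}
# To make a domain-level link win regardless of OU links (use sparingly):
#   Set-GPLink -Name 'Default Domain Policy' -Target $domainDn -Enforced Yes
# To stop non-enforced parent GPOs reaching an OU (use sparingly):
#   Set-GPInheritance -Target "OU=Servers,$domainDn" -IsBlocked Yes

# --- 2. Which GPO actually set each user right on a DC vs. a member server -----
function Get-WinningUserRights {
    param([Parameter(Mandatory)][string]$Computer)
    $xmlPath = Join-Path $env:TEMP "rsop-$Computer.xml"
    # Computer-scope RSoP; User Rights Assignment is a computer setting.
    Get-GPResultantSetOfPolicy -Computer $Computer -ReportType Xml -Path $xmlPath | Out-Null
    [xml]$rsop = Get-Content -LiteralPath $xmlPath -Raw
    # Element names as in the RSoP report schema (assumption); local-name()
    # ignores the per-extension XML namespaces so no prefix is hard-coded.
    $nodes = $rsop.SelectNodes("//*[local-name()='UserRightsAssignment']")
    foreach ($n in $nodes) {
        [pscustomobject]@{
            Computer   = $Computer
            Right      = ($n.SelectSingleNode("*[local-name()='Name']")).InnerText
            Members    = ($n.SelectNodes("*[local-name()='Member']/*[local-name()='Name']") |
                          ForEach-Object InnerText) -join ', '
            WinningGPO = ($n.SelectSingleNode("*[local-name()='GPO']/*[local-name()='Name']")).InnerText
        }
    }
}

$rights = foreach ($c in 'DC01', 'SRV01') { Get-WinningUserRights -Computer $c }

# Expectation from the thread: rights on DC01 come from the Default Domain
# Controllers Policy (linked to the DC OU) or from the domain policy; SRV01
# never shows the DC policy at all, because that GPO is linked only to the DC OU.
$logonRights = 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight', 'SeDenyInteractiveLogonRight'
$rights | Where-Object Right -in $logonRights |
    Sort-Object Right, Computer | Format-Table Computer, Right, WinningGPO, Members -AutoSize

# Sanity check: a member server must not have any setting won by the DC policy.
$leak = $rights | Where-Object { $_.Computer -eq 'SRV01' -and
                                 $_.WinningGPO -eq 'Default Domain Controllers Policy' }
if ($leak) { Write-Warning "DC policy applied to a member server: check OU placement and links" }
```

Run it from a management host as a user who can read Group Policy and collect RSoP remotely. The first section is what decides the "OU beats domain" question for a given machine; the second shows the consequence the reply describes: a right such as SeInteractiveLogonRight set only in the Default Domain Controllers Policy shows up on DC01 but is absent from SRV01, so user rights meant for ordinary users and servers belong in the domain policy (or a GPO linked to their OU), not in the DC policy.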


