Domain Controller Security Policy

Hi all,
I have not studied yet in depht Group policies, then my question.

When we create a domain, there are two Group Policy objects at level Domain Controller and Domain respectively and I wanted to ask an introductory explanation on what is the difference between them, not really straightforward for me.
I understood that Domain Security Policy is the policy for the entire domain (expecially clients computers and users), while Domain Controller Security Policy are policies for all the Domain controllers eventually present in the Domain, then it sound similar to a LOCAL policy (clients not affected) that affect local settings and parameters, like auditing for local resources.

Is this correct?

Thank You.

rjb

Find more posts tagged with

Comments

dynamik

Every machine has a local policy that effects only that machine. It doesn't matter whether the machine is a client, server, DC, etc.

It might help to think of an OU that automatically and exclusively contains all DCs, and the domain controller security policy applies only to that OU. This OU obviously doesn't exist, but that's effectively how the default domain controller security policy works.

Focus on getting a good, general understanding of GPOs in 290, but don't worry about learning everything yet. You'll go more in-depth in 294.

rjbarlow

Hello dynamik, can we say that Domian controller Security policy is the Local policy for a domain controller, when we create a domain?

dynamik

No, because the domain controllers will still have a local policy as well. GPOs can be applied locally as well as at the site, domain, and OU, and that is the order they are applied as well. For example, if the same setting is defined locally and at the domain, the setting in the domain will take precedence if there is a conflict. There are exceptions and advanced settings that can change this, but that's the default behavior.

Local GPOs are rarely used in domain environments because they add a lot of administrative overhead. A special situation might arise where you need a specific setting on just one machine, but GPOs are typically assigned to sites, domains, and OUs.

rjbarlow

Well, I think to understand well now;
practically the default Domian Controller Security policy is a Policy that contains settings that expand to all the domain controllers in the domain simply (or whatever I store in the OU Domain Controllers).
Very appreciate.

Thank You.

dynamik

rjbarlow wrote:

the default Domian Controller Security policy is a Policy that contains settings that expand to all the domain controllers in the domain

That part is correct, but there is no actual OU for this. I just offered that as an example to help you see how it works (and it looks like I confused you more in the process - sorry!). You can't apply the domain controller security policy to any thing other than the domain controllers.

rjbarlow

Oh, don't worry man, one other information more, thanks again!