Domain Controllers Policy

MikdillyMikdilly Member Posts: 309
What is the order of precedence for Default Domain Policy and Default Domain Controllers Policy? Imported a security template into Domain controllers policy, run gpupdate but rsop still shows settings configured in default domain policy, gpresult shows:

Applied Group Policy Objects
Default Domain Controllers Policy
Default Domain Policy

Shouldn't domain controllers policy be applied last as it's in domain controller's OU?


  • Options
    dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    The default DC policy should take precedence. What settings are you configuring? Some can only be configured at the domain: Group Policy application rules for domain controllers

    Some changes require a restart or two.
  • Options
    MikdillyMikdilly Member Posts: 309
    They're just a couple of password policy settings, it's from an exercise in the mspress book for 299, must have run gpupdate /force about 5 times, rebooted it maybe once, from the way gpresult shows the gpo's applied, it kind of looks like it's applying the domain policy after the domain controller policy. Trying to get gpmc onto the server to see the order applied.
  • Options
    dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    Password policies can only be set at the domain level. Check that first bullet point in the link I posted earlier.

    Actually, password policies can be set elsewhere, but they only apply to the local accounts then (which isn't what you're trying to do).
  • Options
    MikdillyMikdilly Member Posts: 309
    Here's the steps in the exercises from the book:
    (sorry if it's a lot to read thru)

    Exercise 1: Create a Security Template
    1. Log on to the cohowinery.com domain on Computer1 using the Administrator account.
    2. Create a new MMC console, and add the Security Templates snap-in.
    3. Expand the Security Templates node
    4. Right-click Security Templates, and then click New Template Search Path.
    5. In the Browse For Folder dialog box, click My Documents, and then click Make New Folder. Type the name Templates, and then click OK.
    6. Right-click the newly created template search path that will contain your new tem*plate, and click New Template.
    7. In the Template Name field, type Domain Password Requirements.
    8. Expand the Domain Password Requirements node, expand Account Policies, and then click Password Policy.
    9. In the right pane, double-click Minimum Password Length. Select Define This Policy Setting In The Template, and then specify 10 characters. Click OK.
    10. Double-click Passwords Must Meet Complexity Requirements. Select Define This Policy Setting In The Template, and then click Enabled. Click OK.
    11. Double-click Store Passwords Using Reversible Encryption. Select Define This Poicy Setting In The Template, and then click Disabled. Click OK.
    12. In the right pane, right-click Domain Password Requirements, and then click Save.

    Part 2, Import the Security template

    1. Open the Domain Controller Security Policy console.
    2. Right-click Security Settings, and then click Import Policy.
    3. In the Import Policy From dialog box, navigate to My Documents\Templates. Click Domain Password Requirements.inf, and then click Open.
    4. In the left pane, expand Account Policies, and then click Password Policy. Note that the Minimum Password Length, Password Must Meet Complexity Requirements, and Store Passwords Using Reversible Encryption policies are all defined.
    5. Close the Domain Controller Security Policy console.
    6. Click Start, and then click Run. In the Open field, type gpupdate /force, and then click OK.
    The Gpupdate tool causes Windows Server 2003 to immediately refresh Group Policy settings.
    7. After Gpupdate has finished, return to the console you created in Exercise 1 of this lesson. Right-click COMPUTER1 – RSoP, and then click Refresh Query.
    8. In the left pane of the MMC console, expand COMPUTER1 – RSoP, and then expand Computer Configuration, Windows Settings, Security Settings, and Account Policies.
    9. Click Password Policy.
    The right pane will display Computer1’s active password policies. Note the minimum password length, which should be set to 10 characters—the policy defined in the custom Domain Password Requirements security template.

    Viewing the password policy settings in the GPO for the Domain controllers OU in Active Directory does show the settings as were imported in the security template.
  • Options
    MikdillyMikdilly Member Posts: 309
    After having re-read your link a couple of times it finally hit me to see the settings in security options that will be applied from the domain controllers policy only if that same setting is defined in the domain policy. Why would the book have you do an exercise that's completely wrong?
  • Options
    dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    I believe those settings can only be applied at the domain level. There are some weird exceptions that work in odd ways, like applying a password policy to a computer OU and having it only affect the local accounts. The only way to define a password policy for domain accounts is at the domain level (at least until you upgrade to Server 2008 ).

    Dude, you can't really be telling me this is the first exercise you've found to be off after getting as far as you have. Sometimes, I wonder if they intentionally mess them up to make you research the problem and really learn the material icon_lol.gif
  • Options
    PsoasmanPsoasman Member Posts: 2,687 ■■■■■■■■■□

    I had a question in a MS book stating that I CANNOT send calculator to the desktop as a shortcutby Right-clicking on it>send to desktop.

    ....almost needless to say...it does work.... icon_wink.gif
  • Options
    MikdillyMikdilly Member Posts: 309
    Seems kind of bogus if they're going to intentionally put something in that's wrong, the material in your link should be in the book, it's frustrating and time consuming to follow an exercise and to then not have it work the way they describe it, guess i should be used to it by now, don't remember anything like this in the 290 or 291 books, makes you second guess everything they write. Maybe they think of this exam as supplemental and put their "B" team authors on it. There is an errata for this book, this isn't in it and no where on the page is there a link or an address where you can report something.
  • Options
    dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    I was just teasing about them doing it intentionally. I just figured it happened enough that there may be more to it than a simple mistake icon_lol.gif

    I checked the errata as well and didn't see it either. Oh well. While it's been frustrating, you've certainly learned the material well.
  • Options
    MikdillyMikdilly Member Posts: 309
    Just so I have the correct understanding of how the domain and domain controllers policies are applied, I tested one of the settings in your link, rename guest account, if I define the policy and give it a new name in the domain controllers policy but leave it undefined in domain policy I get an error in rsop saying 'GPO's higher in the list have the highest priority. The policy engine did not attempt to configure the setting, check winlogon.log'.

    If I define it in both domain controllers and domain policy, it applies the name used in the domain controllers policy.

    Is that how it's supposed to work?
Sign In or Register to comment.