What's the difference in setting Local Policies/Security Options in Domain Policy vs. Domain Controllers Policy?

    Question

  • Hello,

    In my Forest/Domain, what is the difference between setting the Local Policies/Security Options in the Domain Policy vs. the Domain Controllers Policy?  For that matter, User Rights Assignments as well?  Any good doc which discusses the difference?


    Thanks for your help! SdeDot

    Thursday, February 23, 2017 3:33 AM

Answers

  • Well the Default Domain Controller policy is applied to the OU that will by default contain all the domain controllers in the domain ( don't change that by the way ).

    So settings in the GPO related to accounts are for DOMAIN accounts ( password age, complexity, rights, etc. )

    Settings in the Default Domain Policy are one level higher than the Default Domain Controller Policy ( when looking at inheritance ) and thus will only apply to domain controllers if the corresponding setting isn't overridden in the Default Domain Controller policy. Any settings in the Default Domain Policy will be applied to all machines in the domain ( unless you block inheritance -> don't do that either ).

    For instance, the lockout policy in the Default Domain Policy will apply to local accounts created on Windows computers, but not domain accounts because domain accounts are subject to the lockout policies found in the Default Domain Controllers policy.

    MJ



    • Marked as answer by SdeDot Sunday, February 26, 2017 6:58 PM
    Thursday, February 23, 2017 3:44 AM
  • Hi,

    For default domain controller policy, installing the AD DS server role creates this policy by default. It contains policy settings that apply specifically to domain controllers.

    For default domain policy, installing the AD DS server role creates this policy by default. It contains policy settings that apply to all computers and users in the domain.

    The default domain controller security settings take precedence over the default domain security settings for DCs.

    And user rights assignment setting under security settings.

    Here is a similar thread below for your reference.

    https://social.technet.microsoft.com/Forums/windows/en-US/3a20ef93-2394-4089-bc28-68f26ea79048/domain-security-policy-vs-domain-controller-security-policy?forum=winserverDS

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    • Edited by Jay Gu (Moderator) Thursday, February 23, 2017 6:39 AM
    • Marked as answer by SdeDot Sunday, February 26, 2017 6:58 PM
    Thursday, February 23, 2017 6:34 AM
    Moderator
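
A read-only way to check, on your own domain, the precedence the two answers describe. This is an added example, not part of the thread. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed, and the function name `Get-GpoSecuritySettingName` is hypothetical.

```powershell
# Read-only audit: which GPOs reach the Domain Controllers OU, and which
# security settings are defined in BOTH default GPOs.
Import-Module GroupPolicy, ActiveDirectory

# Well-known GUIDs of the two default GPOs (the same in every domain).
$DefaultDomainPolicy = '31B2F340-016D-11D2-945F-00C04FB984F9'
$DefaultDCPolicy     = '6AC1786C-016F-11D2-945F-00C04FB984F9'

# 1. GPO links inherited by the Domain Controllers OU. Order 1 has the
#    highest precedence; an Enforced link wins regardless of position.
$dcOu        = (Get-ADDomain).DomainControllersContainer
$inheritance = Get-GPInheritance -Target $dcOu
"Block inheritance on ${dcOu}: $($inheritance.GpoInheritanceBlocked)"
$inheritance.InheritedGpoLinks |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# 2. Names of the security settings a GPO defines (account policy, user
#    rights assignment, security options), read from its XML report.
#    Assumption: element names as they appear in the GPMC XML report;
#    check them against a report from your own environment.
function Get-GpoSecuritySettingName {
    param([Parameter(Mandatory)][guid]$Guid)

    [xml]$report = Get-GPOReport -Guid $Guid -ReportType Xml
    $sections = "//*[local-name()='Account' or " +
                "local-name()='UserRightsAssignment' or " +
                "local-name()='SecurityOptions']"
    $nameNode = "*[local-name()='Name' or local-name()='KeyName' or " +
                "local-name()='SystemAccessPolicyName']"

    foreach ($node in $report.SelectNodes($sections)) {
        $name = $node.SelectSingleNode($nameNode)
        if ($name) { '{0}: {1}' -f $node.LocalName, $name.InnerText }
    }
}

$inDomainGpo = @(Get-GpoSecuritySettingName -Guid $DefaultDomainPolicy)
$inDcGpo     = @(Get-GpoSecuritySettingName -Guid $DefaultDCPolicy)

# 3. Settings present in both GPOs. On a DC, the value from the link with
#    the lower Order number in step 1 is the one that takes effect.
$both = @($inDomainGpo | Where-Object { $inDcGpo -contains $_ })
"Settings defined in both default GPOs: $($both.Count)"
$both | Sort-Object
```

To confirm the effective result on a specific domain controller, run `gpresult /scope computer /h report.html` on it and compare the winning GPO shown for each setting.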
