
Multiple group policies? Where to apply


  • Multiple group policies? Where to apply

    If I am logged on to my DC, I can go to Admin Tools and choose Domain Controller Security Policy. I thought this was a shortcut to the actual domain controller security policy linked to the DC OU in AD Users and Computers. I guess I am wrong. I made a change to the Domain Controller Security Policy in Admin Tools and it doesn't reflect the change in the policy linked to the OU. Is this correct? Is something wrong, or is there really an extra place to apply group policy?

  • #2

    No, it is supposed to be the same thing. You can see it by the name of the policy that applies on the DC container, called Domain Controller policy.
    Yaniv Feldman
    Microsoft Security Regional Director
    Microsoft Management Expert


    • #3
      It's the same result, only a different way to reach it. Please remember that the policy for one OU and the others may be different. It takes time to apply those settings to your network clients, depending on your settings.
      Check those settings under Computer Configuration-Administrative Templates-System-Group Policy.
      And remember that GPOs have an order of execution; make sure you're not overriding your own policy.


      • #4
        Ok, I thought it was supposed to be that way. That means I have some other problem.

        Here is the deal. When I open up the Domain Controller Security Policy by going to Programs, Admin Tools, then Domain Controller Security Policy and view the settings, they are different from the GPO that is applied to the domain controller OU. I thought maybe policies had been removed and then improperly applied, mismatched. I used GPMC and compared the settings in every policy that shows up, and none of them match the settings in my Domain Controller Security Policy.

        Do you have any idea what is going on?

        Thanks for your help.


        • #5
          No, that's because they are different. The first one is the Domain Controller GPO and the second is the Domain GPO for the OU. There are several types of GPO: Local Security Policy, Domain Controller Security Policy and Domain Security Policy. Each is applied to a different scope, which is why you found that the settings are different. GPOs have an order of execution: Local Security Policy, Sites, Domain, and OU. The last one is the latest to execute, so please make sure you're not overriding your own policy. For example, you set up minimum password policy=7 in the Domain GPO, then you set up the same policy=3 in the OU GPO; which one applies to your OU members? It's the OU GPO (3), because it executes last. And about your question (first post): please be careful about assuming which one, Domain Controller Policy or another, you get when opening a GPO from ADUC; it depends on where you're pointing. For example, if you want to edit the Domain Controller GPO, point your mouse at the Domain Controller folder, right-click, Properties, GPO, Edit. Now you're editing the GPO for Domain Controllers (only applied to domain controller computers), etc. Hope that's clear, and remember that it takes time for a new setting to be applied to your network servers/clients.


          • #6
            For example, you set up minimum password policy=7 in the Domain GPO
            This is a bad example - password policies can be configured ONLY at domain (not OU and not site) level.
            Guy Teverovsky
            "Smith & Wesson - the original point and click interface"


            • #7
              Ouu.... I learned something new again, thanks for correcting me, Guy. I used a policy that I remembered at that time, without testing it, to explain the override possibility.


              • #8
                Re: Multiple group policies? Where to apply


                but it's possible to use password policy at OU level!

                but this one will only impact local users
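
The precedence and password-policy points raised in posts #5 to #8 can be checked directly instead of comparing GPO editors by eye. The script below is an added example, not part of the original thread; it assumes a management host with the GroupPolicy and ActiveDirectory RSAT modules and read access to the domain.

```powershell
# Added example (not from the thread). Assumes the GroupPolicy and
# ActiveDirectory RSAT modules and read access to the domain.
Import-Module GroupPolicy, ActiveDirectory

$domain = Get-ADDomain
$dcOu   = $domain.DomainControllersContainer

# Every GPO that reaches the Domain Controllers OU, including links
# inherited from the domain. Order 1 has the highest precedence.
$links = (Get-GPInheritance -Target $dcOu).InheritedGpoLinks | Sort-Object Order
$links | Format-Table Order, DisplayName, Enabled, Enforced, Target -AutoSize

# Which of those GPOs define MinimumPasswordLength, and where each is linked.
# Assumption: element names (Account, Name, SettingNumber) as they appear in
# GPMC XML reports; check one of your own reports if nothing is returned.
$xpath = "//*[local-name()='Account'][*[local-name()='Name']='MinimumPasswordLength']"
$found = foreach ($link in $links) {
    [xml]$report = Get-GPOReport -Guid $link.GpoId -ReportType Xml
    foreach ($node in $report.SelectNodes($xpath)) {
        [pscustomobject]@{
            Gpo          = $link.DisplayName
            LinkedAt     = $link.Target
            MinLength    = $node.SelectSingleNode("*[local-name()='SettingNumber']").InnerText
            # True only when the GPO is linked at the domain root.
            DomainLinked = ($link.Target -eq $domain.DistinguishedName)
        }
    }
}
$found | Format-Table -AutoSize

# The password policy actually in force for domain accounts.
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, MaxPasswordAge, ComplexityEnabled

# Resultant Set of Policy for one DC (here the PDC emulator), to compare
# against what any single GPO editor window shows.
Get-GPResultantSetOfPolicy -Computer $domain.PDCEmulator `
    -ReportType Html -Path "$env:TEMP\dc-rsop.html"
```

A row with `DomainLinked` set to False shows a password setting defined in a GPO linked below the domain root, which is the case posts #6 and #8 are discussing.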