confused security levels

[ben]

Hi,

I set up a win2K domain with one DC. I want to set up some security
parameters like e.g. audit logon/logoff of users logging from WS to the
domain.
I saw there are different security levels:
- domain controller security policy
- domain security policy
- local security policy
- groups policy

What are the differences and when to use one security level instead of
another?
What's the highst level?

Thanks
Ben

 

[Guest]

the high security level is the domain policy
as the names indiacted, the difference between security
policies is where ti is applied. IE: the domain is applied
to all domain users, the local is applied only on the
computer witch is defined, and so on..

 

[Steven L Umbach]

Except for password/account policies for domain users which only can be
configured at the domain level, policy is processed in this order --
local>site>domain>organizational unit> where any policy defined at the
organizational unit level would override policy defined at the domain level
for example. Domain controllers have there own security policy/GPO where
configuration for them should be done such as auditing. Configuration for
other domain computers/users can be done at the local level or the
domain/organiztional unit level. It is usally best to configure most
settings for domain computers at the domain/OU level and not the local
level. Users/computers must be within the scope on influence of a policy
setting. For instance if you create an orgaizational unit with it's own GPO
to lock down users, then those users must be in that organizational unit
structure with the exception of loopback processing for special
tuations --- Steve