Domain


Jonathan

If I add a new or edit the existing "Default Domain
Policy" will it apply to the Domain Controllers? If so,
how can I get it not to apply to the Domain Controllers?
 
Assuming you haven't changed the general configuration of AD... (i.e. Domain
Controllers are still in Domain Controllers OU at the root of your
domain)...

Answer to question #1... Out of the Box... Yes... unless you have set the
Block Policy Inheritance on the "Domain Controllers" OU...

Answer to question 2... See Answer to question #1... (Block Policy
Inheritance)!
 
thanks.
 
Possibly. Domain Controller Security Policy has all user rights assignments
configured, which means any changes at the domain level to user rights will not affect
domain controllers. However, security options, with one or two exceptions, are not
defined at the Domain Controller Security Policy level, and that is a place where you can
get yourself in trouble, especially if you are not a pure W2K network. The same is
true with most of the other settings. Configuring IPsec policy at the domain level
could cause a lot of problems in the domain if you configure require or request.
Since there are no users in the domain controller container, user configuration
defined settings at the domain level would not matter anyway, and keep in mind that
password/account policy can only be enabled at the domain level for domain accounts
and will be ignored at all other levels except for local accounts.

I would also suggest that you not configure the default domain policy, but create a
new GPO for it and put it at the top of the list and make your changes there. That
way, if you have a problem, you can always unlink it to get back to default setup.
Always make backups before configuration changes, of at least the System State. For
security options, you may want to create OUs for your computers and configure those
settings at that level, moving the target computers into the OU. You can "block
inheritance" on the domain controller container, but it can cause problems with at
least changes to password policy as described in the KB link below, so I
would try to avoid that or at least keep it in mind if things do not seem to work
right. The second link is about problems that can occur with various changes to
security settings depending on network makeup.

--- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q269236
http://support.microsoft.com/default.aspx?scid=kb;en-us;823659
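
The checks and the separate-GPO approach described in the replies above, as an added PowerShell example that is not part of the original thread. It assumes a current Windows Server with the ActiveDirectory and GroupPolicy RSAT modules; the GPO name and backup path are hypothetical.

```powershell
# Added example, not from the thread. Run as a domain administrator.
Import-Module ActiveDirectory, GroupPolicy

$domain = Get-ADDomain
$dcOu   = $domain.DomainControllersContainer   # default: OU=Domain Controllers,<domain DN>

# 1. Is Block Policy Inheritance set on the Domain Controllers OU?
$dcInh = Get-GPInheritance -Target $dcOu
"Inheritance blocked on '{0}': {1}" -f $dcOu, $dcInh.GpoInheritanceBlocked

# 2. GPOs that actually reach the domain controllers, highest precedence first.
#    With inheritance blocked, only directly linked and enforced parent GPOs remain.
$dcInh.InheritedGpoLinks | Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced, Target -AutoSize

# 3. Back up every GPO before changing anything. This is a GPO-level backup
#    and does not replace the System State backup recommended above.
$backupDir = 'C:\GPOBackup'                    # hypothetical path
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
Backup-GPO -All -Path $backupDir | Out-Null

# 4. Keep changes out of the Default Domain Policy: use a separate GPO
#    linked at the top of the domain's link list.
$gpoName = 'Custom Domain Settings'            # hypothetical name
try   { Get-GPO -Name $gpoName -ErrorAction Stop | Out-Null }
catch { New-GPO -Name $gpoName | Out-Null }

$domainLinks = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks
if ($domainLinks.DisplayName -contains $gpoName) {
    # Already linked: just move it to the top.
    Set-GPLink -Name $gpoName -Target $domain.DistinguishedName -Order 1 | Out-Null
} else {
    New-GPLink -Name $gpoName -Target $domain.DistinguishedName `
               -LinkEnabled Yes -Order 1 | Out-Null
}

# 5. Confirm what the domain controllers now inherit.
(Get-GPInheritance -Target $dcOu).InheritedGpoLinks | Sort-Object Order |
    Format-Table Order, DisplayName, Enforced -AutoSize

# Rollback to the previous setup: unlink the custom GPO.
# Remove-GPLink -Name $gpoName -Target $domain.DistinguishedName
```

If step 5 lists the new GPO, its computer settings will apply to the domain controllers unless a higher-precedence GPO defines the same setting.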
 