Group policy - another newbie question

  • Thread starter Thread starter Anna Colton
  • Start date Start date
A

Anna Colton

I've found at least four different ways to start a policy editor. Can anyone
explain the difference?

(1) in Control Panel, we have "Domain Controller Security Policy";
(2) also in Control Panel, we have "Domain Secury Policy";
(3) Documents say type "gpedit.msc" in a Command Prompt.
(4) Win2k3 online help has this link to start what it call "Local Security
Settings":
ms-its:C:\WINDOWS\Help\audit.chm::/EXEC=,secpol.msc CHM-UAShared.chm
FILE=alt_url_windows_component.htm. This is I think the same as type
"secpol.msc" in Command Prompt.

Thanks!!
 
Hi Anna

1. Domain Controller Security Policy is exactly that. The security settings
which apply to the Domain Controllers. This is a subset of the settings
(just the security settings) you see if you open Active Directory Users and
Computers, select the properties of the Domain Controllers Organisational
Unit, navigate to the Group Policy tab and edit the Default Domain
Controller Policy.

2. Domain Security Policy is the set of security settings which apply to the
entire Domain (not just the DC's). Like the Domain Controller Security
Policy, this is a subset of the policy settings found in the Default Domain
Policy. This links to the domain in Active Directory Users and Computers.

3. GPEdit.msc edits the local policy. This is stored locally on the machine
and is not pushed down by Active Directory. It's best not to mess around
with this unless you're in a workgroup environment and even then it has
limitations.

4. Local Security settings is the security subset of what you see in
GPEdit.msc. Again, best to just leave it alone and manage things from AD.

HTH
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Cool! Thanks Mark!

Mark Renoden said:
Hi Anna

1. Domain Controller Security Policy is exactly that. The security
settings which apply to the Domain Controllers. This is a subset of the
settings (just the security settings) you see if you open Active Directory
Users and Computers, select the properties of the Domain Controllers
Organisational Unit, navigate to the Group Policy tab and edit the Default
Domain Controller Policy.

2. Domain Security Policy is the set of security settings which apply to
the entire Domain (not just the DC's). Like the Domain Controller
Security Policy, this is a subset of the policy settings found in the
Default Domain Policy. This links to the domain in Active Directory Users
and Computers.

3. GPEdit.msc edits the local policy. This is stored locally on the
machine and is not pushed down by Active Directory. It's best not to mess
around with this unless you're in a workgroup environment and even then it
has limitations.

4. Local Security settings is the security subset of what you see in
GPEdit.msc. Again, best to just leave it alone and manage things from AD.

HTH
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no
rights.

Anna Colton said:
I've found at least four different ways to start a policy editor. Can
anyone explain the difference?

(1) in Control Panel, we have "Domain Controller Security Policy";
(2) also in Control Panel, we have "Domain Secury Policy";
(3) Documents say type "gpedit.msc" in a Command Prompt.
(4) Win2k3 online help has this link to start what it call "Local
Security Settings":
ms-its:C:\WINDOWS\Help\audit.chm::/EXEC=,secpol.msc CHM-UAShared.chm
FILE=alt_url_windows_component.htm. This is I think the same as type
"secpol.msc" in Command Prompt.

Thanks!!
Click to expand...
Click to expand...
 
Back
Top