Group Policy vs Domain Controller Security Policy

[Tammy Mathews]

We wish to rename the administrator account on our
production servers and Q320053 indicates that you can
create a new group policy from the Active Directory Users
and Computers mmc. Once you have named the new group
policy you click on edit and then Windows Settings\Local
Polices\Security Options and define the Rename
Administrator policy.

However, the very same options are available if I run the
Domain Controller Security Policy mmc. Which one wins? ie
the setting made in the Group Policy mmc or the settings
made in the Domain Controller Security mmc?

 

[ibrahimaz]

Salamo Alakom

Domain Controller GPO for domain Controllers only,

Regarding any other computer objects (Workstations,
Servers),

1. Place your operation servers into OU.
2. Create new group policy to rename the administrator
account.
3. that is all (done)

Ibrahim El-Zawawy

 

[Steven L Umbach]

Polices are applied in the order of local>site>domain>OU. The domain
controller policy is basically an OU policy. The last policy applied is the
effective setting. So if the policy is applied at the domain level and not
the dc level, then the domain policy applies. If it is applied at both
levels, then the dc policy applies. Keep in mind that for domain members,
password/account policy can only be applied at the domain level. Be sure to
view your administrator accounts after the policy is applied. There are two
logon names in a W2K account the upn name [with @domainname] and the more
traditional pre W2K name. It may not change both names. --- Steve