Is the Local Security Policy on a DC same as Default domain controller policy ?


Norman

Hi,
Is the Local Security Policy on a DC same as the Default domain controller policy ?

Norman
 
In
Norman said:
Hi,
Is the Local Security Policy on a DC same as the Default
domain controller policy ?

Norman

The local security policy is the policy that is in effect after the Default
domain controller policy is passed to the DC through the GPO on the Domain
Controller Organizational Unit.
 
Kevin D. Goodknecht Sr. said:

No.

They are unrelated.
The local security policy is the policy that is in effect after the Default
domain controller policy is passed to the DC through the GPO on the Domain
Controller Organizational Unit.

It is a bit more complicated than this.

A DC like any other machine can have a local group policy
object (LGPO) which is a separate policy object similar to
those from the domain, but configured explicitly on a particular
machine.

Some methods of viewing these settings may show both
the "Local settings" and the "EFFECTIVE settings." The
latter is the result after the Local and Domain policies
have all been applied.
 
Herb,
So does it mean that if I want to enforce a specific setting on that
specific DC ONLY, I can make the setting in the local security policy on it
(this is exactly what I would like to do)?

Norman
 
Yes this is exactly what it does.

--
Ryan Hanisco
MCSE, MCDBA
FlagShip Integration Services
Chicago, IL
 
Norman said:
Herb,
So does it mean that if I want to enforce a specific setting on that
specific DC ONLY, I can make the setting in the local security policy on it
(this is exactly what I would like to do)?

As long as no later (Site, Domain, OU) policy
overrides it.

The normal case is that the policies are applied
in this order: Local, Site, Domain, OU...ou...
with the latter having precedence.
 
It depends on the policy and what it actually changes. If it, say, changes
something that replicates through AD like a group membership or a password
policy or something like that, it will cause an issue in the system as the
policy keeps jumping back and forth.

What specifically are you trying to do?

joe
 
Joe Richards said:
It depends on the policy and what it actually changes. If it, say, changes
something that replicates through AD like a group membership or a password
policy or something like that, it will cause an issue in the system as the
policy keeps jumping back and forth.

Will a local password policy on a DC have
any effect on the Domain password policy?
What specifically are you trying to do?

Good question!
 
In
Norman said:
Herb,
So does it mean that if I want to enforce a specific
setting on that specific DC ONLY, I can make the setting
in the local security policy on it (this is exactly what
I would like to do)?

You can, so long as the default domain or domain controller security policy
is set to "not defined" on the particular policy setting. The GPO policy
will override the local policy if the setting is either enabled or disabled
in the GPO.
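The precedence rule in the two replies above (Local, Site, Domain, OU, later wins, but only where a layer actually defines the setting) as an added example, not code from anyone in this thread. Layer and setting names are constructed for illustration and are not real policy identifiers.

```python
# Added example: model of Local -> Site -> Domain -> OU policy precedence
# where a "Not Defined" setting in a later layer leaves the earlier value alone.
NOT_DEFINED = None


def resolve(layers):
    """layers: list of (layer_name, {setting: value or NOT_DEFINED}) in
    application order. Returns {setting: (effective_value, winning_layer)}.
    A later layer wins only for settings it defines (enabled/disabled/value)."""
    effective = {}
    for layer_name, settings in layers:
        for setting, value in settings.items():
            if value is NOT_DEFINED:
                continue  # Not Defined never overrides an earlier layer
            effective[setting] = (value, layer_name)
    return effective


def local_setting_survives(layers, setting):
    """True when the value configured in the DC's local policy is what
    ends up in effect, i.e. no Site/Domain/OU GPO defines that setting."""
    result = resolve(layers).get(setting)
    return result is not None and result[1] == "Local"


# Constructed scenario: the DC's local policy sets a driver-signing option
# and a password length; the domain GPO defines only the password length,
# and the Domain Controllers OU GPO leaves the driver-signing option undefined.
DC_LAYERS = [
    ("Local", {"UnsignedDriverInstall": "SilentlySucceed",
               "MinimumPasswordLength": 8}),
    ("Site", {}),
    ("Domain", {"MinimumPasswordLength": 12,
                "UnsignedDriverInstall": NOT_DEFINED}),
    ("OU:Domain Controllers", {"UnsignedDriverInstall": NOT_DEFINED,
                               "AuditLogonEvents": "SuccessFailure"}),
]

if __name__ == "__main__":
    for setting, (value, origin) in sorted(resolve(DC_LAYERS).items()):
        print(f"{setting:24} = {str(value):16} (from {origin})")
```

Run it to see that the local driver-signing value survives only because every GPO leaves it Not Defined, while the local password length is overridden by the domain GPO.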
 
I need to disable the driver signing on that particular DC only so that another
team can install (push out a System BIOS update) with "silent run" every
3 months.

Norman
 
Will a local password policy on a DC have
any effect on the Domain password policy?

Yes, it will cause it to loop back and forth from what that one DC has with
what all the rest of the DCs have. It is very confusing. The same thing can happen
when you make a domain policy change and it doesn't make it to all DCs.

joe
 
You should be able to do that with the local security policy on that DC. You can
pull up secpol.msc on that one machine.

However, I totally don't recommend giving anyone but domain admins the rights to
do any changes on DCs, anything else is a huge security hole.

joe
 
Yes, it will cause it to loop back and forth from what that one DC has with
what all the rest of the DCs have. It is very confusing. The same thing can happen
when you make a domain policy change and it doesn't make it to all DCs.

Why wouldn't the domain GPO just override it?

(If not, it seems like a bug.)
 
I apologize, I spoke out of turn.

Through the GUI this is not possible. The only supportable way this can be
screwed up is when the domain policy doesn't properly replicate to all domain
controllers and the policy is out of sync on different domain controllers.

joe
 
Joe Richards said:
I apologize, I spoke out of turn.

That's ok, but when you say something it is usually
so reliable that I will tend to believe it without
checking.
Through the GUI this is not possible. The only supportable way this can be
screwed up is when the domain policy doesn't properly replicate to all domain
controllers and the policy is out of sync on different domain controllers.

That makes perfect sense.
 
Ah, always double-check anything said by anyone; anyone can make a mistake. Or
possibly they just know more than they can talk about publicly and things aren't
as easily duplicated.
 
Joe Richards said:
Ah, always double-check anything said by anyone; anyone can make a mistake. Or
possibly they just know more than they can talk about publicly and things aren't
as easily duplicated.

It is uncertain that I believe anything absolutely.
<grin>

I am a scientist at heart.
 