policy confusement

Thread starter: VW

Hi,

I have a test system running W2K Server that has been promoted to
domain controller. I have the option to set local policies, domain controller
policies and domain policies. I do not understand the difference in impact
between local policies and domain controller policies because the local
machine IS the DC. (I read the documentation, and I THOUGHT I understood it,
but alas ...)

Furthermore, if I want to prevent regular users from adding workstations to the
domain, do I set this in domain policies or in domain controller policies?
I reckon it should be the first (in domain policies) as this is a setting
that has to be propagated throughout the entire domain. In another thread in
this newsgroup I just read that this setting should be made in DC policies,
so now I am totally confused!

Can anyone clear this up for me?

V.
 
The precedence of policies is as follows:

1. Local machine policies are loaded first, and if no other policy
overrides them, these policies take control for only the local computer.

2. Next, any domain policies will load on all computers in the domain.

3. Finally, any policies in OUs (the Domain Controllers policy is an
example of this) will load on OU members.

The last-loaded policy normally gets precedence - but there are exceptions
to this rule.

--
Richard G. Harper [MVP Win9x] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
Richard G. Harper said:
> The precedence of policies is as follows:
>
> 1. Local machine policies are loaded first, and if no other policy
> overrides them, these policies take control for only the local computer.

But in case the local machine is the DC, these policies have the same effect
as domain controller policy, right? Do I have to set local policies and
DC policies to the exact same things in order not to mess things up?

> 2. Next, any domain policies will load on all computers in the domain.

Only computers, or also users (e.g. user rights assignments are only
applicable to users)?

> 3. Finally, any policies in OUs (the Domain Controllers policy is an
> example of this) will load on OU members.

Are there other examples besides the DC policy? The only other thing I
could think of are group policies, but these I understand.

The only OU member in the DC OU is the machine that has run dcpromo. I don't
see the need to add anything else manually into this OU. So it is an OU with
only 1 member, i.e. the DC. This way the policies set in DC policies are
only applicable on the machine itself, and not in the entire domain, right?

> The last-loaded policy normally gets precedence - but there are exceptions
> to this rule.

Could you point me to documentation concerning these exceptions?

Also, what is the time it takes for policies to become "active"? Sometimes
I change a policy, but it does not seem to take effect right away. I do
perform the secedit command, but even then I sometimes have to wait quite a
while and reboot the system to activate the policies.
thx
 
1. All three sets of GPOs get applied to a domain controller, in the order
I listed them. The local GPO exists on every domain member (Windows 2000
and up) and is applied when the computer starts. When the computer logs
into the domain the default domain policy is applied next (unless it is
disabled). Then any OU policies that may apply are loaded after the default
domain policy is loaded.

So, keeping this in mind, if you have settings that must apply to the DCs
and must not be overridden by any other settings, they belong in the DC OU.

2. There are two components to every GPO - Computer settings and User
settings. Both are always applied in every GPO applied unless specifically
overridden and told not to be applied.

3. The only OU that exists by default on AD is the DC OU. Any further OUs
will be created by you.

For more information on GPO, OUs and policies I would strongly suggest
spending some time at http://msdn.microsoft.com/ and
http://www.microsoft.com/technet where you can study up on the subject.
Check into the many recorded Webcasts - in fact, last week was "Active
Directory Week" with about fifteen to twenty Webcasts on AD, GPO and
policies that can be played back for your enjoyment.


--
Richard G. Harper [MVP Win9x]
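The precedence described in the replies above (local GPO first, then domain, then the Domain Controllers OU, last write wins) modelled in Python, as an added example that is not code from the thread or from Microsoft. It resolves one setting, the "Add workstations to domain" user right (SeMachineAccountPrivilege), for a W2K server that is its own DC, and includes the two exceptions the reply alludes to, the Windows 2000 "No Override" and "Block Policy Inheritance" link options. GPO names, their contents and the container names are constructed sample data; the only real defaults relied on are that the Default Domain Controllers Policy grants this right to Authenticated Users and that the Default Domain Policy defines no user rights.

```python
from dataclasses import dataclass

@dataclass
class Gpo:
    name: str
    settings: dict               # setting -> value
    no_override: bool = False    # W2K "No Override" link option (later "Enforced")

@dataclass
class Container:
    name: str
    gpos: list                   # linked GPOs in processing order; the last one wins
    block_inheritance: bool = False   # W2K "Block Policy Inheritance"

def resolve(local: Gpo, chain: list) -> dict:
    """Effective settings for one computer; `chain` runs site -> domain -> OU.
    Local GPO first, then the links in order (last write wins). Block Policy
    Inheritance drops non-enforced links from containers above it; No Override
    links are applied last and the higher container's wins. Returns {setting: (value, winner)}."""
    normal, enforced = [], []
    for container in chain:
        if container.block_inheritance:
            normal = []
        for gpo in container.gpos:
            (enforced if gpo.no_override else normal).append(gpo)
    effective = {}
    for gpo in [local, *normal, *reversed(enforced)]:
        for key, value in gpo.settings.items():
            effective[key] = (value, gpo.name)
    return effective

def dc_scenarios() -> dict:
    """Constructed sample data for a W2K server that is its own DC, as in the thread."""
    right = "SeMachineAccountPrivilege"       # the "Add workstations to domain" right
    local = Gpo("Local GPO on the DC", {right: ["Domain Admins"]})
    domain = Gpo("Default Domain Policy", {})  # defines no user rights by default
    dc_default = Gpo("Default Domain Controllers Policy",
                     {right: ["Authenticated Users"]})  # the W2K default grant
    site, dom = Container("Default-First-Site-Name", []), Container("domain", [domain])
    out = {}
    # 1. Restriction only in the local GPO: the DC OU policy silently overrides it.
    out["local_only"] = resolve(local, [site, dom, Container("Domain Controllers", [dc_default])])[right]
    # 2. Restriction in the DC OU policy itself: effective on the DC.
    dc_locked = Gpo("Default Domain Controllers Policy", {right: ["Domain Admins"]})
    out["dc_ou"] = resolve(local, [site, dom, Container("Domain Controllers", [dc_locked])])[right]
    # 3. Exception: a domain-linked GPO marked No Override beats the DC OU policy.
    locked = Gpo("Lockdown GPO", {right: ["Domain Admins"]}, no_override=True)
    dom_locked = Container("domain", [domain, locked])
    out["no_override"] = resolve(local, [site, dom_locked, Container("Domain Controllers", [dc_default])])[right]
    return out
```

Scenario 1 is the case asked about in the thread: a right restricted only in the local GPO of the DC is overridden by the Domain Controllers OU policy, so the local and DC policies do not need to be kept identical; the DC OU setting is the one that takes effect.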


 