Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
All security policies are computer-based policies. Account policies are defined on computers, yet they affect how user accounts can interact with the computer or domain. Account policies contain three subsets:
For domain accounts, the account policy must be defined in the Default Domain Policy Group Policy object (GPO) or in a new GPO that is linked to the root of the domain and given precedence over the Default Domain Policy GPO, which is enforced by the domain controllers that make up the domain. If more than one GPO containing account policy settings is linked at the domain level, the domain's account policy consists of the cumulative policy settings from all the domain-linked GPOs.
A domain controller always obtains the account policy from a GPO linked to the domain, which by default is the Default Domain Policy GPO. This behavior occurs even if a different account policy is applied to the organizational unit (OU) that contains the domain controller. By default, workstations and servers joined to a domain (such as member computers) also receive the same account policy for their local accounts. However, local account policies for member computers can be differentiated from the domain account policy by defining an account policy for the OU that contains the member computers.
Modifying the Default Domain Policy is not recommended. If you need to set some account policy that differs from that in the Default Domain Policy GPO, you can create a new GPO and link to the root of domain, set the policy you want to use, and assign it higher precedence than Default Domain Policy GPO.
For more information, see Account and local policies.