Creating a New GPO on the Domain Controllers OU and Changing Its Precedence

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

By performing this procedure, you:

• Create a new GPO and add it to the list of Group Policy objects that are linked to the Domain Controllers OU.

• Move the new GPO to a position in the list that is above the Default Domain Controllers GPO, to ensure that its policy settings take precedence over the Default Domain Controllers GPO settings.

Requirements

• Credentials: Domain Admins

• Tools: Active Directory Users and Computers

To create a new GPO on the Domain Controllers OU and increase its precedence

1. Log on with Domain Admins credentials, and then open Active Directory Users and Computers.

2. In the console tree, right-click Domain Controllers, and then click Properties.

3. On the Group Policy tab, click New.

4. In the Group Policy Object Links box, type a name for the new GPO, and then click Edit.

5. In the policy tree under Computer Configuration, double-click Windows Settings, and then double-click Security Settings.

6. Double-click the set of policy settings that you want to define for the new GPO: Local Policies or Event Log.

7. Click the policy whose settings you want to add to the GPO.

8. In the details pane, double-click a setting, type or select values, and then click OK.

9. When you have defined all the settings that you want for the new GPO, close the Group Policy Object Editor window.

10. To move the new GPO to a position above the Default Domain Controllers Policy GPO, on the Group Policy tab, click Up, and then click Close.

11. Restart the computer, or run Secedit /refreshpolicy machine_policy to update the Group Policy settings for the Domain Controllers OU.