Overview

  • Article

Local Group Policy Objects (LGPOs) are processed first, followed by the domain policy. If a computer is participating in a domain and a conflict occurs between domain and local computer policy, domain policy prevails. However, if a computer is no longer participating in a domain, the Local Group Policy Object is applied.

Group Policies are administered through the use of Group Policy Objects (GPOs), data structures that are attached in a specific hierarchy to selected Active Directory Objects, such as Sites, Domains, or Organizational Units (OUs). These GPOs, once created, are applied in a standard order: LSDOU, which stands for (1) Local, (2) Site, (3) Domain, (4) OU, with the later policies being superior to the earlier applied policies.

When a computer is joined to a domain with the Active Directory and Group Policy implemented, a LGPO is processed. Note that LGPO policy is processed even when the Block Policy Inheritance option has been specified.

Account policies (password, lockout, Kerberos) are defined for the entire domain in the default domain GPO. Local policies (audit, user rights, and security options) for DCs are defined in the default Domain Controllers GPO. For DCs, settings defined in the default DC GPO have higher precedence than settings defined in the default Domain GPO. Thus, if a user privilege (for example, Add workstations to domain) were to be configured in the default Domain GPO, it would have no impact on the DCs in that domain.

Note: The Account Policies security area receives special treatment in how it takes effect on computers in the domain. All DCs in the domain receive their account policies from GPOs configured at the domain node regardless of where the computer object for the DC is. This ensures that consistent account policies are enforced for all domain accounts. All non-DC computers in the domain follow the normal GPO hierarchy for getting policies for the local accounts on those computers. By default, member workstations and servers enforce the policy settings configured in the domain GPO for their local accounts, but if there is another GPO at lower scope that overrides the default settings, then those settings will take effect.

Subsections "Local Security Policy", "Domain Security Policy", and "Domain Controller Security Policy" provide the procedures for accessing the security policy interfaces for the Local Security Policy, the Domain Security Policy, and the Domain Controller Security Policy. Subsections "Account Policies" and "Local Policies" describe how the interfaces are used to set and manage security policies. A list of security policy default settings and Evaluated Configuration required changes are available in Appendices A and E, respectively, of the Windows 2000 Security Configuration Guide.