Domain Security Policy

To view and edit a domain-wide policy;

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the console tree, click the + next to the domain name to expand the domain folder (if it is not already expanded).


  3. Right-click the domain, and then click Properties.

  4. Click the Group Policy tab, then select Default Domain Policy, and then click Edit.


  5. In the Group Policy window, expand Computer Configuration; navigate to Windows Settings, to Security Settings, and then to Account Policies.

  6. Select Password Policy.

In the results pane, notice that Password Policy, Account Lockout Policy, and Kerberos Policy are configured by default in the domain GPO, and thus apply to all computers within that domain.


  1. Next, navigate to Local Policies.

  2. Click the User Rights Assignment subfolder.

  3. Notice that none of the user rights are defined in the default domain GPO. This does not mean that user rights are not defined for machines in throughout the enterprise, just that these rights are not defined in the default domain GPO. For DCs, the user rights are defined in the default DC GPO.


  4. Close the Group Policy window, close the Properties dialog box, and then close the Active Directory Users and Computers snap-in.

Note: Another method of viewing and modifying the Domain Security Policy is to access the Domain Security Policy GUI from the Administrative Tools Menu.