Domain Controller Security Policy

The previous subsection reviewed the domain policy configured by default for all new domains. This subsection reviews the default DC policy, which specifies security settings for all machines in the DC OU. By default, Windows 2000 DC computers are added to the DC OU.

This subsection uses the Group Policy snap-in, rather than the Active Directory Users and Computers snap-in, as the path to the default DC GPO.

To load the Group Policy MMC snap-in:

  1. Click Start, click Run, and in the text box, type mmc /s and then click OK.

  2. From the Console menu, select Add/Remove Snap-in, and click the Add button.

  3. From the Available Standalone Snap-in list, select Group Policy, and click the Add button.


  4. In the Select Group Policy Object dialog box, click the Browse button.

The default GPO selected when the Group Policy snap-in is added is the one for the local computer. Double-click the GPO for the DC OU as shown below.


Note that the default domain policy (reviewed in the previous subsection) is also listed here, as well as a folder containing Group Policy objects for the DC OU.

  1. In the Browse for a Group Policy Object dialog box, double-click the folder containing the GPOs associated with the DC OU.

  2. Select the Default Domain Controllers Policy, and click OK.

  3. In the Select Group Policy Object dialog box, click Finish.

  4. In the Add Standalone Snap-in dialog box, click Close.

  5. In the Add/Remove Snap-in dialog box, click OK.

To review security policies in the default DC GPO:

  1. In the Default Domain Controllers Policy console, expand Computer Configuration; navigate to Windows Settings, then to Security Settings, and then to Account Policies.

  2. Select Password Policy.

    In the results pane, notice that a Password Policy is not defined in the default DC GPO, because password policy is defined for the entire domain in the default domain GPO.


  3. In the console, navigate to Local Policies, and select User Rights Assignment.

    In the results pane, note that user rights are configured in the default DC GPO. As seen in the previous subsection, user rights are not defined in the default domain GPO.
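The split these steps show (no Password Policy in the default DC GPO, user rights defined there) can also be checked against a copy of the GPO's security template. The following is an added example, not part of the original walkthrough: it assumes the template is a GptTmpl.inf file in INF format, and the sample template and the function names parse_template and review_dc_template are constructed for illustration.

```python
# Added example: review a GPO security template (GptTmpl.inf) for the two
# areas inspected above. SAMPLE_DC_TEMPLATE is constructed, not real output.
import codecs

# Password Policy keys that live in the [System Access] section.
PASSWORD_KEYS = {"MinimumPasswordAge", "MaximumPasswordAge", "MinimumPasswordLength",
                 "PasswordComplexity", "PasswordHistorySize", "ClearTextPassword"}

# Constructed sample: user rights are defined, password policy is not.
SAMPLE_DC_TEMPLATE = (
    "[Unicode]\r\nUnicode=yes\r\n"
    "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n"
    "[Privilege Rights]\r\n"
    "SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-549\r\n"
    "SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551\r\n"
    "SeRemoteShutdownPrivilege =\r\n"
).encode("utf-16")  # templates are commonly UTF-16 with a byte-order mark


def parse_template(raw: bytes) -> dict:
    """Return {section: {key: value}} from a security template's bytes."""
    has_bom = raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE))
    text = raw.decode("utf-16" if has_bom else "latin-1")
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def review_dc_template(sections: dict) -> dict:
    """Summarise password-policy keys and user rights found in the template."""
    access = sections.get("System Access", {})
    rights = {
        right: [sid.strip().lstrip("*") for sid in value.split(",") if sid.strip()]
        for right, value in sections.get("Privilege Rights", {}).items()
    }
    return {
        # Expected to be empty for the DC GPO: the domain GPO owns password policy.
        "password_policy_defined": sorted(PASSWORD_KEYS & access.keys()),
        "user_rights": rights,
        # A right defined with an empty list is assigned to no principal at all.
        "rights_granted_to_nobody": sorted(r for r, p in rights.items() if not p),
    }
```

A non-empty password_policy_defined list for the DC GPO is worth investigating, since it departs from the default described in step 2.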