Here is my situation. The "Default Domain Controller Policy" for my
production AD has been modified numerous times (just the user rights
section). We are going to be moving to native mode from mixed mode shortly.
We would like to link a newly created DC Security policy.inf file via a GPO
to the Domain Controllers Container.

For now, we want to keep the existing settins for the default DC GPO
(because we're not sure what will happen if we delete it because previous
admins added numerous users/groups to certain user rights policies). How
should we go about linking the newly created .inf? Do we simply "add" a GPO
and precede it before the Default DC one? What happens when some of the
user rights management settings conflict between the two as I know they
will? Which one will take affect? or will both?

Is it bad to have two of them?

Please advise

The best solution would be to sort out what you really need in the existing
DC policy, rather than hoping that the new one doesn't screw up something.
But, to answer your question, the best way would be to link a new GPO to the
DC OU and import your security template. In terms of conflicting settings,
it depends upon which order the GPOs are linked--the higher GPO in the list
will process last and thus any policy set by the GPO lower in the list will
be overwritten by a conflicting setting on the GPO higher in the list. Hope
that helps.

--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com



"adfreak" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Here is my situation. The "Default Domain Controller Policy" for my
> production AD has been modified numerous times (just the user rights
> section). We are going to be moving to native mode from mixed mode
shortly.
> We would like to link a newly created DC Security policy.inf file via a
GPO
> to the Domain Controllers Container.
>
> For now, we want to keep the existing settins for the default DC GPO
> (because we're not sure what will happen if we delete it because previous
> admins added numerous users/groups to certain user rights policies). How
> should we go about linking the newly created .inf? Do we simply "add" a
GPO
> and precede it before the Default DC one? What happens when some of the
> user rights management settings conflict between the two as I know they
> will? Which one will take affect? or will both?
>
> Is it bad to have two of them?
>
> Please advise
>
>

You can add a new GPO to the domain controller container and configure it to
your needs. The GPO at the top on the list is king of the hill when it comes to
defined settings though as it will override any like defined setting in the
GPO's below it which in your case would be the default domain controller GPO
that applies Domain Controller Security Policy. You are wise in not deleting the
default GPO. The links below may be helpful on configuring user rights and other
security settings. --- Steve

http://www.microsoft.com/technet/Sec...khg/appxb.mspx
http://www.microsoft.com/technet/Sec.../05sconfg.mspx


"adfreak" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Here is my situation. The "Default Domain Controller Policy" for my
> production AD has been modified numerous times (just the user rights
> section). We are going to be moving to native mode from mixed mode shortly.
> We would like to link a newly created DC Security policy.inf file via a GPO
> to the Domain Controllers Container.
>
> For now, we want to keep the existing settins for the default DC GPO
> (because we're not sure what will happen if we delete it because previous
> admins added numerous users/groups to certain user rights policies). How
> should we go about linking the newly created .inf? Do we simply "add" a GPO
> and precede it before the Default DC one? What happens when some of the
> user rights management settings conflict between the two as I know they
> will? Which one will take affect? or will both?
>
> Is it bad to have two of them?
>
> Please advise
>
>

Excellent. When you say "thus, any policy set by the GPO lower in the list
will be overwritten by a conflicting setting on the GPO higher in the list",
by any chance do you have a URL you can link me to which states that as
proof? I need to put some documentation together.

Thanks again!


"Darren Mar-Elia" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> The best solution would be to sort out what you really need in the
existing
> DC policy, rather than hoping that the new one doesn't screw up something.
> But, to answer your question, the best way would be to link a new GPO to
the
> DC OU and import your security template. In terms of conflicting settings,
> it depends upon which order the GPOs are linked--the higher GPO in the
list
> will process last and thus any policy set by the GPO lower in the list
will
> be overwritten by a conflicting setting on the GPO higher in the list.
Hope
> that helps.
>
> --
> Darren Mar-Elia
> MS-MVP-Windows Management
> http://www.gpoguy.com
>
>
>
> "adfreak" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Here is my situation. The "Default Domain Controller Policy" for my
> > production AD has been modified numerous times (just the user rights
> > section). We are going to be moving to native mode from mixed mode
> shortly.
> > We would like to link a newly created DC Security policy.inf file via a
> GPO
> > to the Domain Controllers Container.
> >
> > For now, we want to keep the existing settins for the default DC GPO
> > (because we're not sure what will happen if we delete it because
previous
> > admins added numerous users/groups to certain user rights policies).
How
> > should we go about linking the newly created .inf? Do we simply "add" a
> GPO
> > and precede it before the Default DC one? What happens when some of the
> > user rights management settings conflict between the two as I know they
> > will? Which one will take affect? or will both?
> >
> > Is it bad to have two of them?
> >
> > Please advise
> >
> >
>
>