Default Domain Controllers Policy

Steven Hutchinson
      27th Jun 2006
It would seem that our Default Domain Controllers Policy is being applied to
all computers in our domain.

As far as I know this should not be the case and should only be applied to
Domain Controllers.

Can anyone confirm this to me as it is causing a few problems? I cannot
change any Local Security Policy settings on member servers or client PC's.
RSOP shows that the policy settings are being enforced by the Default Domain
Controllers Security Policy.


 
Mark Heitbrink [MVP]
      28th Jun 2006
Hi,

Steven Hutchinson wrote:
> It would seem that our Default Domain Controllers Policy is being applied to
> all computers in our domain.


Not a good idea.

> As far as I know this should not be the case and should only be applied to
> Domain Controllers.


Absolutely right.

> Can anyone confirm this to me as it is causing a few problems?


For sure. Because a domain controller is configured much more restrictively,
like "logon locally" and other permissions, it is not recommended to
apply the DefDomConPol to the clients, because a "user" needs to work
on a client.
If you want to allow a user to log on to that client and you edit the
DefDomConPol, then he is able to log on locally on a DC as well.
In most cases you don't want that.

Mark
--
Mark Heitbrink - MVP Windows Server
Homepage: www.gruppenrichtlinien.de
extend GPO: www.desktopstandard.com
PM: first name@homepage, the sending address is not checked.
 
 
Steven Hutchinson
      28th Jun 2006
Hi Mark,

Thanks for confirming this. Can you suggest any reason why this policy is
being applied to all computers in our domain and possibly how I can go about
preventing this?


 
Peter Demeyer
      28th Jun 2006
Steven,

Are all computers in your domain in the Domain Controllers OU?
Or is the original (or another) Default Domain Controllers Policy linked to
an OU that contains all your computers?

Peter

 
Steven Hutchinson
      28th Jun 2006
Hi Peter,

Thanks for your help. I can now see where the problem is. The Default Domain
Controllers Policy is linked to both the Domain Controllers OU and to our
entire domain. I will need to disable the link to our domain. Any idea how
this might have happened?

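The check Peter asks about and Steven confirms above (which containers the Default Domain Controllers Policy is linked to), as an added PowerShell example that is not part of the original thread. The domain example.com, the function name Get-GpoLinkReport and the sample gPLink values are constructed for illustration.

```powershell
# Well-known GUID of the Default Domain Controllers Policy (the same in every domain).
$DdcpGuid = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'

function Get-GpoLinkReport {   # hypothetical helper name, not a built-in cmdlet
    param(
        [Parameter(Mandatory)] [object[]] $Containers,  # objects with DistinguishedName + gPLink
        [Parameter(Mandatory)] [string]   $GpoGuid,
        [Parameter(Mandatory)] [string]   $ExpectedContainerDn
    )
    # gPLink is a run of "[LDAP://<GPO DN>;<options>]" entries, one per linked GPO.
    $pattern = '\[LDAP://(?<dn>[^;\]]+);(?<opt>\d+)\]'
    foreach ($c in $Containers) {
        foreach ($m in [regex]::Matches([string]$c.gPLink, $pattern)) {
            # A GPO DN starts with cn={GUID}; -like compares case-insensitively.
            if ($m.Groups['dn'].Value -notlike "cn=$GpoGuid,*") { continue }
            $opt = [int]$m.Groups['opt'].Value
            [pscustomobject]@{
                LinkedTo   = $c.DistinguishedName
                Enabled    = -not ($opt -band 1)    # bit 0 set = link disabled
                Enforced   = [bool]($opt -band 2)   # bit 1 set = enforced (No Override)
                Unexpected = $c.DistinguishedName -ne $ExpectedContainerDn
            }
        }
    }
}

# Constructed sample data for a hypothetical domain example.com, mirroring the thread:
# the policy is linked to the domain root as well as to the Domain Controllers OU.
$policies = 'CN=Policies,CN=System,DC=example,DC=com'
$sample = @(
    [pscustomobject]@{
        DistinguishedName = 'DC=example,DC=com'
        # First entry is the Default Domain Policy (well-known GUID), second the DC policy.
        gPLink = "[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},$policies;0]" +
                 "[LDAP://cn=$DdcpGuid,$policies;0]"
    }
    [pscustomobject]@{
        DistinguishedName = 'OU=Domain Controllers,DC=example,DC=com'
        gPLink = "[LDAP://cn=$DdcpGuid,$policies;0]"
    }
)
Get-GpoLinkReport -Containers $sample -GpoGuid $DdcpGuid `
    -ExpectedContainerDn 'OU=Domain Controllers,DC=example,DC=com' | Format-Table -AutoSize

# Against a live domain (assumes the RSAT ActiveDirectory module is installed):
#   $d = Get-ADDomain
#   $c = Get-ADObject -LDAPFilter '(gPLink=*)' -SearchBase $d.DistinguishedName -Properties gPLink
#   Get-GpoLinkReport -Containers $c -GpoGuid $DdcpGuid -ExpectedContainerDn $d.DomainControllersContainer
```

The live query in the comments searches only the domain partition; links made at Active Directory sites are stored in the Configuration partition and would need a separate search.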
 
Peter Demeyer
      28th Jun 2006
No, no idea how this might have happened, it didn't happen by itself surely.

 
lforbes
      29th Jun 2006
Hi,

What OS are you using? If you are using Windows 2003 Server then download
the Group Policy Management Console.

It has this AMAZING little feature at the bottom which basically shows you
all the settings that are applying to a user or a computer. It runs a
simulation and then shows you all the settings.

Now, the ONLY way that the Default Domain Controllers Policy would be
applying to the Computers is if the Computer OU was inside the Default Domain
Controllers OU or if the Default Domain Controllers policy was linked to the
Computers OU. You can find out this simply by creating a "new" OU for
computers and moving all the computers into it.

Why are you trying to change Local Settings? Local Settings are always
overridden by Group Policies starting with the Default Domain Policy and then
the Group Policies of the OU's. I would leave the Local Settings alone. It is
far better to just create OU's and Group Policies for computers and set any
settings you need there.

This also stops any huge problems caused by Local Policies.

Cheers,
Lara

 
Mark Heitbrink [MVP]
      29th Jun 2006
Hi,

Steven Hutchinson wrote:
> [...] Any idea how this might have happened?


It only can be done manually. In most cases it happens if you
work with the GPMC and "Drag+Drop" the policy with the mouse.
Happens in Filesystem etc. ;-)

Mark
--
Mark Heitbrink - MVP Windows Server
Homepage: www.gruppenrichtlinien.de
extend GPO: www.desktopstandard.com
PM: first name@homepage, the sending address is not checked.
 
 
Steven Hutchinson
      29th Jun 2006
Hi Lara,

I was only looking to change the Local Security Policy on servers that have
applications installed that require specific accounts to be granted rights
only on that server. In other circumstances, I have created an OU and GPO
for groups of member servers such as Citrix servers and defined much more
detailed policies.

Steven
