Domain Controller Security Policy vs. Domain Security Policy?

HG

Which one of these two takes precedence over the other one?

If I want to set up the Audit Policies for my domain, what do I need to do?
This is the scenario.

I have 5 domain controllers 1 local and 4 at different locations (1 at each
location)

I want to set up Account Logon Events (S,F) for my global domain, so I can
have a ticket of every USER logging on and off my environment on a daily
basis. However, I do not want to receive LOGON/LOGOFF from Anonymous or
Machine Names.

Now, if I go to my "APPLICATIONSRV" which is the local domain controller, I
can go to Start>Programs>Administrative Tools>Active Directory Users and
Computers>Highlight the Directory>Right Click>Properties>Group Policy
tab>Click Edit button>Group Policy window>Default Domain Policy
[servername.childdomain.rootdomain.com] Policy>Computer
Configuration>Windows Settings>Security Settings>Local Policies>Audit
Policies> The Success and Failure audit looks the same as the one under
Start>Programs>Administrative Tools>Domain Security Policy.

I think, correct me if I'm wrong, that Domain Security Policy and the Group
Policy window are the same.
So, my question is: What is the difference between Domain Security Policy
and Domain Controller Security Policy?

Thanks
GX
 
Steven Umbach

Domain Controller Security Policy applies only to the domain controllers
container while Domain Security Policy applies to the whole domain. However GP
is applied in this order local>site>domain>OU where a setting defined at the OU
level will override a setting defined at the domain level, etc. Therefore any
settings defined in the Domain Controller Security Policy will override any
identical settings defined at the domain level. There is one notable exception in
that password/account policy for domain accounts can only be defined at the
domain level. To enable auditing for just domain controllers, do it in the
Domain Controller Security Policy. To do it for other domain computers, do it at
the local, domain, or OU level based on your needs. Also when you enable
auditing it is an all or nothing deal. You will get the unwanted events along
with the ones you are looking for, though you can use filter view or programs
like Event Comb to scan multiple computers for certain events. Auditing of
account logon will not show user logoffs - you need to audit logon events for
that. --- Steve
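Steve's two practical points (auditing is all or nothing, so the unwanted events have to be filtered afterwards, and logoffs only appear under "Audit logon events", not "Audit account logon events") can be turned into a small post-processing step. The script below is an added example, not code from this thread; it assumes the Security logs from the five DCs have been exported to a simple CSV with Date, Computer, EventID and Account columns (the sample rows are constructed), drops computer accounts (SAM names ending in `$`) and ANONYMOUS LOGON, and groups what is left into one ticket per user per day.

```python
import csv
from collections import defaultdict
from io import StringIO

# Event IDs produced by the "Audit logon events" category: legacy Windows
# 2000/2003 IDs and their Vista+ equivalents. "Audit account logon events"
# (672/680, 4768/4776) only records credential validation on the DC and
# never writes a logoff record, which is why it is not in this table.
LOGON_EVENTS = {528: "logon", 540: "logon", 4624: "logon",
                529: "logon-failure", 4625: "logon-failure",
                538: "logoff", 4634: "logoff"}


def is_noise(account: str) -> bool:
    """True for the principals the poster does not want tickets for:
    computer accounts (name ends in '$') and the anonymous logon."""
    name = account.strip()
    return name.endswith("$") or name.upper() == "ANONYMOUS LOGON"


def parse_events(exported: str):
    """Parse an exported Security-log CSV (assumed format: Date,Computer,EventID,Account)
    and keep only logon/logoff/failure events for real user accounts."""
    kept = []
    for row in csv.DictReader(StringIO(exported)):
        event_id = int(row["EventID"])
        if event_id not in LOGON_EVENTS or is_noise(row["Account"]):
            continue
        kept.append((row["Date"], row["Computer"], LOGON_EVENTS[event_id], row["Account"].strip()))
    return kept


def daily_tickets(exported: str):
    """Group the kept events by (date, user); each value lists what happened and on which DC."""
    tickets = defaultdict(list)
    for date, computer, kind, account in parse_events(exported):
        tickets[(date, account)].append(f"{kind}@{computer}")
    return dict(tickets)


# Constructed sample export (not real data from the poster's domain).
SAMPLE = """Date,Computer,EventID,Account
2004-03-01,APPLICATIONSRV,528,jsmith
2004-03-01,APPLICATIONSRV,540,WORKSTATION07$
2004-03-01,APPLICATIONSRV,540,ANONYMOUS LOGON
2004-03-01,DC-SITE2,529,jsmith
2004-03-01,DC-SITE2,680,jsmith
2004-03-01,APPLICATIONSRV,538,jsmith
2004-03-02,DC-SITE3,4624,mlee
"""

if __name__ == "__main__":
    for (date, user), actions in sorted(daily_tickets(SAMPLE).items()):
        print(date, user, ", ".join(actions))
```

Note that the 680 row for jsmith is dropped on purpose: it is an account-logon (credential validation) event and carries no logoff information.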