Default Domain Controller GPO Question

A

adfreak

Here is my situation. The "Default Domain Controller Policy" for my
production AD has been modified numerous times (just the user rights
section). We are going to be moving to native mode from mixed mode shortly.
We would like to link a newly created DC Security policy.inf file via a GPO
to the Domain Controllers Container.

For now, we want to keep the existing settins for the default DC GPO
(because we're not sure what will happen if we delete it because previous
admins added numerous users/groups to certain user rights policies). How
should we go about linking the newly created .inf? Do we simply "add" a GPO
and precede it before the Default DC one? What happens when some of the
user rights management settings conflict between the two as I know they
will? Which one will take affect? or will both?

Is it bad to have two of them?

Please advise
 
D

Darren Mar-Elia

The best solution would be to sort out what you really need in the existing
DC policy, rather than hoping that the new one doesn't screw up something.
But, to answer your question, the best way would be to link a new GPO to the
DC OU and import your security template. In terms of conflicting settings,
it depends upon which order the GPOs are linked--the higher GPO in the list
will process last and thus any policy set by the GPO lower in the list will
be overwritten by a conflicting setting on the GPO higher in the list. Hope
that helps.
 
S

Steven Umbach

You can add a new GPO to the domain controller container and configure it to
your needs. The GPO at the top on the list is king of the hill when it comes to
defined settings though as it will override any like defined setting in the
GPO's below it which in your case would be the default domain controller GPO
that applies Domain Controller Security Policy. You are wise in not deleting the
default GPO. The links below may be helpful on configuring user rights and other
security settings. --- Steve

http://www.microsoft.com/technet/Security/prodtech/win2000/win2khg/appxb.mspx
http://www.microsoft.com/technet/Security/prodtech/win2000/win2khg/05sconfg.mspx
 
A

adfreak

Excellent. When you say "thus, any policy set by the GPO lower in the list
will be overwritten by a conflicting setting on the GPO higher in the list",
by any chance do you have a URL you can link me to which states that as
proof? I need to put some documentation together.

Thanks again!
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Default Domain Controller GPO - dcgpofix ! 1
Default Domain GPO LOST 1
New GPO are failing 4
Default Domain Policy GPO 3
Domain Controller GPO 4
Error on Domain Controller 2
Lost control on Default Domain Controller GPO 1
GPO for user not applied 9

Top