Article ID: 221930 - Last Review: February 24, 2007 - Revision: 2.2

Domain Security Policy in Windows 2000

View products that this article applies to.
System TipThis article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.
This article was previously published under Q221930

On This Page

Expand all | Collapse all

SUMMARY

In Microsoft Windows NT Server 4.0, the concept of the Domain Security Policy referred to an associated group of items considered critical to the secure configuration of a domain. These included:
  • User Password, or Account Policy to control how passwords are used by user accounts.
  • Audit Policy to control what types of events are recorded in the security log.
  • User Rights are applied to groups or users, and effect the activities permitted on an individual workstation, a member server, or on all domain controllers in a domain.
In Windows 2000, Microsoft has re-configured these components into one consistent hierarchy or tool, the Security Settings snap-in in the Group Policy Editor. This may be useful if you want to know the proper group policy object to change.
Back to the top

MORE INFORMATION

To configure security settings that are intended to span a domain, use the Group Policy Editor snap-in, with it's focus set to the "Default Domain Policy" group policy object (GPO):
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Right-click the appropriate domain object, and then click Properties.
  3. Click the Group Policy tab to view currently linked group policy objects.
  4. Click the Default Domain Policy GPO link, and then click Edit.
After you start the Group Policy Editor snap-in, you can gain access to domain security policies from the following node:
Console Root\"Default Domain Policy" Policy\Computer Configuration\Windows Settings\Security Settings
At this point in the hierarchy, the following nodes are available:
Back to the top

Account Policies

  • Password Policy
  • Account Lockout Policy
  • Kerberos Policy
Back to the top

Local Policies

  • Audit Policy
  • User Rights Assignment
  • Security Options
    • Event Log
    • Restricted Groups
    • System Services
    • Registry
    • File System
    • IP Security Policies on Active Directory
    • Public Key Policies
Group Policy is administered through the use of Group Policy Objects, data structures that are attached in a specific hierarchy to selected Active Directory Objects, such as Sites, Domains, or Organizational Units. These GPOs, once created, are applied in a standard order: LSDOU, which stands for (1) Local, (2)Site, (3)Domain, (4)OU, with the later policies being superior to the earlier applied policies.

When a computer is joined to a domain with the Active Directory and Group Policy implemented, a local Group Policy Object is processed. Note that LGPO policy is processed even when the Block Policy Inheritance option has been specified.

Local Group Policy Objects are processed first, and then domain policy. If a computer is participating in a domain and a conflict occurs between domain and local computer policy, domain policy prevails. However, if a computer is no longer participating in a domain, local Group Policy object is applied.
Back to the top
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
Back to the top
Keywords: 
kbinfo kbnetwork KB221930
Back to the top