The following settings are applied to domain controllers in Windows 2000 only when the group policy is linked to the Domain container:
- All settings in Computer Configuration/Windows Settings/Security Settings/Account Policies (This includes all of the Account Lockout, Password, and Kerberos policies.)
- The following three settings in Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options:
  - Automatically log off users when logon time expires
  - Rename administrator account
  - Rename guest account
The following settings are applied to Windows Server 2003-based domain controllers only when the group policy is linked to the domain container. (The settings are located in Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options.)
- Accounts: Administrator account status
- Accounts: Guest account status
- Accounts: Rename administrator account
- Accounts: Rename guest account
- Network security: Force logoff when logon hours expire
The process for applying these settings on a domain controller includes:
- The domain controller gathers the list of group policy objects by searching the parent containers of the domain controller's Computer object.
- The domain controller applies the settings listed earlier only if the group policy object is linked to the Domain container.
- If there are multiple group policy objects linked to the Domain container, application of the group policy objects starts with the group policy object at the bottom of the list and ends with the group policy object at the top. This results in the group policy object at the top taking precedence over the others.
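The three steps above can be modelled in a few lines. The following is an added example, not part of the original article or of any Microsoft tooling. It covers only the settings listed on this page. The GPO names, distinguished names, values and the `Account Policies/` key prefix are constructed for illustration.

```python
# Added illustration: models only the rules stated above, on constructed data.
DOMAIN_ONLY = {  # Windows Server 2003 Security Options named on this page
    "Accounts: Administrator account status",
    "Accounts: Guest account status",
    "Accounts: Rename administrator account",
    "Accounts: Rename guest account",
    "Network security: Force logoff when logon hours expire",
}

def is_domain_only(setting):
    # "Account Policies/" is a constructed prefix for the Account Policies node.
    return setting in DOMAIN_ONLY or setting.startswith("Account Policies/")

def parent_containers(dn):
    """Parents of a Computer object, nearest first, ending at the Domain container."""
    parts = dn.split(",")  # naive split: assumes no escaped commas in the DN
    out = []
    for i in range(1, len(parts)):
        out.append(",".join(parts[i:]))
        if parts[i].strip().upper().startswith("DC="):
            break
    return out

def resolve_domain_only(dc_dn, links, gpos):
    """Return (effective, ignored) for the domain-only settings on one DC."""
    containers = parent_containers(dc_dn)
    domain = containers[-1]
    effective, ignored = {}, []
    for container in containers:
        # links[...] is ordered as displayed: index 0 is the top of the list.
        for gpo in reversed(links.get(container, [])):  # bottom first, top last
            for setting, value in gpos[gpo].items():
                if not is_domain_only(setting):
                    continue
                if container == domain:
                    effective[setting] = (value, gpo)  # later (higher) link wins
                else:
                    ignored.append((setting, gpo, container))
    return effective, ignored

# Constructed sample directory layout and GPO contents.
DOMAIN, DC_OU = "DC=example,DC=com", "OU=Domain Controllers,DC=example,DC=com"
DC_DN = "CN=DC01," + DC_OU
LINKS = {DOMAIN: ["Corp Baseline", "Default Domain Policy"], DC_OU: ["DC Hardening"]}
GPOS = {
    "Corp Baseline": {"Accounts: Rename administrator account": "corp-adm"},
    "Default Domain Policy": {"Accounts: Rename administrator account": "ddp-adm",
                              "Account Policies/Minimum password length": 8},
    "DC Hardening": {"Account Policies/Minimum password length": 14},
}
EFFECTIVE, IGNORED = resolve_domain_only(DC_DN, LINKS, GPOS)
```

`IGNORED` is the part worth auditing: it lists settings that someone configured in a GPO linked below the Domain container and that therefore never take effect on the domain controller.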