Domain Security Policy in Windows 2000
This article was previously published under Q221930
This article has been archived. It is offered "as is" and will no longer be updated.
In Microsoft Windows NT Server 4.0, the concept of the Domain Security Policy referred to an associated group of items considered critical to the secure configuration of a domain. These included:
- User Password, or Account Policy, to control how passwords are used by user accounts.
- Audit Policy to control what types of events are recorded in the security log.
- User Rights, which are applied to groups or users and affect the activities permitted on an individual workstation, a member server, or on all domain controllers in a domain.
To configure security settings that are intended to span a domain, use the Group Policy Editor snap-in, with its focus set to the "Default Domain Policy" group policy object (GPO):
- Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- Right-click the appropriate domain object, and then click Properties.
- Click the Group Policy tab to view currently linked group policy objects.
- Click the Default Domain Policy GPO link, and then click Edit.
Console Root\"Default Domain Policy" Policy\Computer Configuration\Windows Settings\Security Settings
At this point in the hierarchy, the following nodes are available:
- Password Policy
- Account Lockout Policy
- Kerberos Policy
- Audit Policy
- User Rights Assignment
- Security Options
- Event Log
- Restricted Groups
- System Services
- File System
- IP Security Policies on Active Directory
- Public Key Policies
When a computer is joined to a domain with Active Directory and Group Policy implemented, a local Group Policy object (LGPO) is processed. Note that LGPO policy is processed even when the Block Policy Inheritance option has been specified.
Local Group Policy objects are processed first, and then domain policy. If a computer is participating in a domain and a conflict occurs between domain and local computer policy, domain policy prevails. However, if a computer is no longer participating in a domain, the local Group Policy object is applied.
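The processing order described above, shown as an added example that is not part of the original article: a simplified Python model that applies a local template first and a domain template second, then reports which layer supplied each effective value. The two templates are constructed samples written in security-template INF form, and the function names (parse_inf, effective_policy, local_only) are hypothetical.

```python
import configparser

# Constructed sample templates in security-template INF form (not real exports).
LOCAL_INF = """
[System Access]
MinimumPasswordLength = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
"""
DOMAIN_INF = """
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
"""

def parse_inf(text):
    """Return {(section, key): value} for one template."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    return {(s, k): v.strip() for s in cp.sections() for k, v in cp[s].items()}

def effective_policy(local_inf, domain_inf, in_domain=True):
    """Apply local policy first, then domain policy; the last writer wins."""
    layers = [("local", parse_inf(local_inf))]
    if in_domain:  # a computer outside the domain only gets its local policy
        layers.append(("domain", parse_inf(domain_inf)))
    result = {}
    for source, settings in layers:
        for name, value in settings.items():
            overridden = result.get(name)
            result[name] = {"value": value, "source": source,
                            "overrides": overridden["value"] if overridden else None}
    return result

def local_only(result):
    """Settings the domain never defines, so the local value stays in force."""
    return sorted(k for k, v in result.items() if v["source"] == "local")

if __name__ == "__main__":
    eff = effective_policy(LOCAL_INF, DOMAIN_INF)
    for (section, key), info in sorted(eff.items()):
        print(f"[{section}] {key} = {info['value']} (from {info['source']})")
    print("left to local policy:", local_only(eff))
```

Settings returned by local_only are the ones worth reviewing on each machine, because no domain value replaces them.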
Article ID: 221930 - Last Review: 12/05/2015 13:19:59 - Revision: 2.2
Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Datacenter Server