Default Domain Controller GPO Question

Archived from groups: microsoft.public.win2000.group_policy

Here is my situation. The "Default Domain Controller Policy" for my
production AD has been modified numerous times (just the user rights
section). We are going to be moving to native mode from mixed mode shortly.
We would like to link a newly created DC Security policy.inf file via a GPO
to the Domain Controllers Container.

For now, we want to keep the existing settings for the default DC GPO
(because we're not sure what will happen if we delete it because previous
admins added numerous users/groups to certain user rights policies). How
should we go about linking the newly created .inf? Do we simply "add" a GPO
and precede it before the Default DC one? What happens when some of the
user rights management settings conflict between the two as I know they
will? Which one will take effect? Or will both?

Is it bad to have two of them?

Please advise
  1.

    The best solution would be to sort out what you really need in the existing
    DC policy, rather than hoping that the new one doesn't screw up something.
    But, to answer your question, the best way would be to link a new GPO to the
    DC OU and import your security template. In terms of conflicting settings,
    it depends upon which order the GPOs are linked--the higher GPO in the list
    will process last and thus any policy set by the GPO lower in the list will
    be overwritten by a conflicting setting on the GPO higher in the list. Hope
    that helps.

    --
    Darren Mar-Elia
    MS-MVP-Windows Management
    http://www.gpoguy.com


  2.

    Excellent. When you say "thus, any policy set by the GPO lower in the list
    will be overwritten by a conflicting setting on the GPO higher in the list",
    by any chance do you have a URL you can link me to which states that as
    proof? I need to put some documentation together.

    Thanks again!


  3.

    You can add a new GPO to the domain controller container and configure it to
    your needs. The GPO at the top of the list is king of the hill when it comes to
    defined settings, though, as it will override any like defined setting in the
    GPOs below it, which in your case would be the default domain controller GPO
    that applies Domain Controller Security Policy. You are wise in not deleting the
    default GPO. The links below may be helpful on configuring user rights and other
    security settings.

    --- Steve

    http://www.microsoft.com/technet/Security/prodtech/win2000/win2khg/appxb.mspx
    http://www.microsoft.com/technet/Security/prodtech/win2000/win2khg/05sconfg.mspx


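The link-order rule described in the answers above, worked through as an added example (not part of the original posts): it compares the `[Privilege Rights]` sections of two security templates and reports which principals stop holding a right once the higher-linked GPO wins. A user right defined in the winning GPO replaces the whole list for that right rather than merging with it. The template contents, account names and the `resolve` helper are constructed for illustration; Enforced (No Override) and Block Inheritance are not modelled.

```python
import configparser

# Constructed sample templates; the CORP\... accounts are placeholders.
DEFAULT_DC_INF = """\
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,CORP\\svc-backup
SeInteractiveLogonRight = *S-1-5-32-544,CORP\\legacy-operators
SeShutdownPrivilege = *S-1-5-32-544
"""
NEW_DC_INF = """\
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeInteractiveLogonRight = *S-1-5-32-544
SeDenyNetworkLogonRight = CORP\\contractors
"""

def privilege_rights(inf_text):
    """Return {right: set(principals)} from a template's [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {right: {p.strip() for p in value.split(",") if p.strip()}
            for right, value in cp.items("Privilege Rights")}

def resolve(link_order):
    """link_order: [(gpo_name, inf_text), ...] with the top of the link list first.
    Returns (effective, dropped): effective[right] = (winning_gpo, principals),
    dropped[right] = principals granted only by a GPO that lost the conflict."""
    effective, seen = {}, {}
    # The bottom of the list is processed first and the top last, so walk it reversed.
    for name, inf_text in reversed(link_order):
        for right, principals in privilege_rights(inf_text).items():
            effective[right] = (name, principals)  # later GPO replaces the whole list
            seen.setdefault(right, set()).update(principals)
    dropped = {r: seen[r] - effective[r][1] for r in seen if seen[r] - effective[r][1]}
    return effective, dropped

if __name__ == "__main__":
    order = [("New DC Security", NEW_DC_INF),
             ("Default Domain Controller Policy", DEFAULT_DC_INF)]
    effective, dropped = resolve(order)
    for right, (gpo, principals) in sorted(effective.items()):
        print(f"{right}: from '{gpo}': {sorted(principals)}")
    for right, lost in sorted(dropped.items()):
        print(f"REVIEW {right}: no longer granted to {sorted(lost)}")
```

Rights that only one GPO defines pass through unchanged, so the `REVIEW` lines are the accounts to confirm before linking the new GPO above the default one.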