Re: Default Domain Controllers Policy

Hi,

What OS are you using? If you are Using Windows 2003 Server than download
the Group Policy Management Console.

It has this AMAZING little feature at the bottom which basically shows you
all the settings that are applying to a user or a computer. It runs a
simulation and then shows you all the settings.

Now, the ONLY way that the Default Domain Controllers Policy would be
appling to the Computers is if the Computer OU was inside the Default Domain
Controllers OU Or if the Default Domain Controllers policy was linked to the
Computers OU. You can find out this simply by creating a "new" OU for
computers and moving all the computers into it.

Why are you trying to change Local Settings? Local Settings are always
overridden by Group Policies starting with the Default Domain Policy and then
the Group Policies of the OU's. I would leave the Local Settings alone. It is
far better to just create OU's and Group Policies for computers and set any
settings you need there.

This also stops any hugh problems caused by Local Policies.

Cheers,
Lara

"Steven Hutchinson" wrote:

Hi Mark,

Thanks for confirming this. Can you suggest any reason why this policy is
being applied to all computers in our domain and possibly how I can go about
preventing this?


"Mark Heitbrink [MVP]" <spam-only@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%231hqdLomGHA.4164@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

Steven Hutchinson schrieb:
It would seem that our Default Domain Controllers Policy is being applied
to
all computers in our domain.

No good idea.

As far as I know this should not be the case and should only be applied
to
Domain Controllers.

Absolutly right.

Can anyone confirm this to me as it is causing a few problems?

For sure. Because a domain controller is much more restrictiv configured
like "logon locally" and other permissions it is not recommended to
apply the DefDomConPol to the clients, becaus ea "user" needs to work
on a client.
If you want to allow a user logon on that client and you edit the
DefDomConPol, then he is able to logon locally on a DC aswell.
In most cases you don´t wnat that.

Mark
--
Mark Heitbrink - MVP Windows Server
Homepage: www.gruppenrichtlinien.de
extend GPO: www.desktopstandard.com
PM: Vorname@Homepage, Versende-Adresse wird nicht abgerufen.



.

Relevant Pages

  • Group Policies have stopped working.
    ... We've had Group Policies running for well over a year here with little ... Group Policy was applied from: ... My AD is split geographically with a US container with seperate Users ... There is also a EU container with seperate Users and Computers ...
    (microsoft.public.win2000.group_policy)
  • Re: Default Domain Controllers Policy
    ... I was only looking to change the Local Security Policy on servers that have ... appling to the Computers is if the Computer OU was inside the Default ... Why are you trying to change Local Settings? ...
    (microsoft.public.win2000.group_policy)
  • Re: Different Group Policies for Different Classes of Machines?
    ... You don't need different domains to use multiple Group Policies, ... easy to target specific groups of computers with certain policies. ... three main ways to target a policy at a particular group of computers: ...
    (microsoft.public.win2000.group_policy)
  • Re: Machine policy when user logged onto local machine
    ... in an OU that has an overriding policy. ... than local settings then policies from the domain are propagating assuming ... immediately in client computers. ... Group policies not propagating can be a result of physical network ...
    (microsoft.public.win2000.security)
  • Re: GPOs cause services to fail
    ... Sounds like you have done some good troubleshooting, but if you can't remove the policy, make the problem go away and then return the policy and have the problem return, then it can't be the policy. ... We have a number of group policies applied to the OUs that these computers are in. ... If we put the computers into the blocked OU and then add the group policies one by one, the problem never comes back, even when the computers receive all the group policies. ...
    (microsoft.public.windows.group_policy)