In Microsoft Windows NT Server 4.0, the concept of the Domain Security Policy referred to an associated group of items considered critical to the secure configuration of a domain. These included:
- User Password, or Account Policy to control how passwords are used by user accounts.
- Audit Policy to control what types of events are recorded in the security log.
- User Rights are applied to groups or users, and affect the activities permitted on an individual workstation, a member server, or on all domain controllers in a domain.
In Windows 2000, Microsoft reconfigured these components into one consistent hierarchy and tool, the Security Settings snap-in in the Group Policy Editor. This is useful when you need to determine the proper group policy object to change.
To configure security settings that are intended to span a domain, use the Group Policy Editor snap-in with its focus set to the "Default Domain Policy" group policy object (GPO):
- Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- Right-click the appropriate domain object, and then click Properties.
- Click the Group Policy tab to view currently linked group policy objects.
- Click the Default Domain Policy GPO link, and then click Edit.
After you start the Group Policy Editor snap-in, you can gain access to domain security policies from the following node:
Console Root\"Default Domain Policy" Policy\Computer Configuration\Windows Settings\Security Settings
At this point in the hierarchy, the following nodes are available:
- Password Policy
- Account Lockout Policy
- Kerberos Policy
- Audit Policy
- User Rights Assignment
- Security Options
- Event Log
- Restricted Groups
- System Services
- File System
- IP Security Policies on Active Directory
- Public Key Policies
Group Policy is administered through the use of Group Policy Objects (GPOs), data structures that are attached in a specific hierarchy to selected Active Directory objects, such as Sites, Domains, or Organizational Units. Once created, these GPOs are applied in a standard order, LSDOU, which stands for (1) Local, (2) Site, (3) Domain, (4) OU, with policies applied later taking precedence over policies applied earlier.
When a computer is joined to a domain with Active Directory and Group Policy implemented, a local Group Policy Object (LGPO) is processed. Note that the LGPO is processed even when the Block Policy Inheritance option has been specified.
Local Group Policy Objects are processed first, and then domain policy. If a computer is participating in a domain and a conflict occurs between domain policy and local computer policy, domain policy prevails. However, if a computer is no longer participating in a domain, only the local Group Policy Object is applied.
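The following is an added illustration, not Microsoft's code or anything from the article, of the LSDOU precedence rules described above: a small model that merges GPOs in Local, Site, Domain, OU order, lets a later level override an earlier one, applies only the local GPO when the computer is not a domain member, and keeps the local GPO even when Block Policy Inheritance is set. The GPO names and setting names are constructed for the example, and the Block Policy Inheritance handling is a simplified assumption (it drops Site and Domain policy, nothing more).

```python
# Added model of Windows 2000 Group Policy precedence (LSDOU).
# Illustrative simulation only; GPO names and settings are constructed.
from dataclasses import dataclass, field

# Processing order: Local, Site, Domain, OU. When two levels define the
# same setting, the level processed later wins.
LSDOU_ORDER = ("Local", "Site", "Domain", "OU")


@dataclass
class GPO:
    name: str
    level: str                         # one of LSDOU_ORDER
    settings: dict = field(default_factory=dict)


def effective_policy(gpos, domain_member=True, block_inheritance=False):
    """Return (effective settings, winning GPO name per setting).

    domain_member=False: the computer is not in a domain, so only the
    local GPO is applied.  block_inheritance=True: simplified assumption
    that the OU blocks Site and Domain policy; the local GPO is still
    processed, as the article notes.
    """
    if not domain_member:
        allowed = {"Local"}
    elif block_inheritance:
        allowed = {"Local", "OU"}
    else:
        allowed = set(LSDOU_ORDER)
    effective, winner = {}, {}
    for level in LSDOU_ORDER:          # later levels overwrite earlier ones
        if level not in allowed:
            continue
        for gpo in (g for g in gpos if g.level == level):
            for key, value in gpo.settings.items():
                effective[key] = value
                winner[key] = gpo.name  # record which GPO set the value
    return effective, winner


# Constructed sample: local and Default Domain Policy disagree on the
# minimum password length and audit policy; the OU refines auditing.
SAMPLE_GPOS = [
    GPO("Local GPO", "Local", {"AuditLogon": "None", "MinimumPasswordLength": 0}),
    GPO("Default Domain Policy", "Domain",
        {"AuditLogon": "Failure", "MinimumPasswordLength": 8, "LockoutThreshold": 5}),
    GPO("Servers OU Policy", "OU", {"AuditLogon": "Success, Failure"}),
]

if __name__ == "__main__":
    settings, winners = effective_policy(SAMPLE_GPOS)
    for key in sorted(settings):
        print(f"{key} = {settings[key]!r}  (from {winners[key]})")
```

Recording the winning GPO per setting is the part a reviewer wants when an effective setting looks wrong: it shows which link in the LSDOU chain to edit.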