Microsoft Knowledge Base Article 259576 contains the following summary:
Domain controllers pull some security settings only from group policy objects linked to the root of the domain. Because domain controllers share the same account database for the domain, certain security settings must be set uniformly on all domain controllers. This ensures that the members of the domain have a consistent experience regardless of which domain controller they use to log on. Windows 2000 accomplishes this task by allowing only certain settings in the group policy to be applied to domain controllers at the domain level. This group policy behavior is different for member servers and workstations.
The following settings are applied to domain controllers in Windows 2000 only when the group policy is linked to the Domain container:
• All settings in Computer Configuration/Windows Settings/Security Settings/Account Policies (This includes all of the Account Lockout, Password, and Kerberos policies.)
• The following three settings in Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options:
The following settings are applied to Windows Server 2003-based domain controllers only when the group policy is linked to the domain container. (The settings are located in Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options.)
• Accounts: Administrator account status
• Accounts: Guest account status
• Accounts: Rename administrator account
• Accounts: Rename guest account
• Network security: Force logoff when logon hours expire
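The following is an added example, not part of the Knowledge Base article: a small audit that reads the security template of a GPO (the GptTmpl.inf format) and reports the entries that domain controllers will not take from it because the GPO is not linked to the domain container. The INF key names are the security-template names for the settings listed above and are an assumption beyond the article text; `linked_to_domain_root` is a hypothetical flag the caller supplies, and the sample template is constructed.

```python
# Added example. Key names follow the Windows security-template (GptTmpl.inf) format.
DOMAIN_ONLY = {
    "system access": {  # Account Policies plus the five Security Options
        "minimumpasswordage", "maximumpasswordage", "minimumpasswordlength",
        "passwordcomplexity", "passwordhistorysize", "cleartextpassword",
        "lockoutbadcount", "resetlockoutcount", "lockoutduration",
        "enableadminaccount", "enableguestaccount",
        "newadministratorname", "newguestname", "forcelogoffwhenhourexpire",
    },
    "kerberos policy": None,  # None means every key in the section
}

def parse_inf(text):
    """Return {section: {key: value}} for a security-template INF."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif current is not None and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def not_applied_to_dcs(inf_text, linked_to_domain_root):
    """List (section, key, value) that domain controllers skip from this GPO."""
    if linked_to_domain_root:
        return []
    hits = []
    for section, entries in parse_inf(inf_text).items():
        keys = DOMAIN_ONLY.get(section.lower(), set())
        for key, value in entries.items():
            if keys is None or key.lower() in keys:
                hits.append((section, key, value))
    return hits

# Constructed sample: template from a GPO linked to the Domain Controllers OU.
SAMPLE = """[System Access]
MinimumPasswordLength = 14
LockoutBadCount = 5
NewAdministratorName = "ops-admin"
LSAAnonymousNameLookup = 0
[Kerberos Policy]
MaxClockSkew = 5
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544
"""
for hit in not_applied_to_dcs(SAMPLE, linked_to_domain_root=False):
    print("not applied to domain controllers from this link:", *hit)
```

Real GptTmpl.inf files in SYSVOL are normally UTF-16 encoded, so decode them accordingly before passing the text in.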