JSI Tip 2846. Group Policy Application Rules for Domain Controllers.

Microsoft Knowledge Base Article 259576 contains the following summary:

Domain controllers pull some security settings only from group policy objects linked to the root of the domain. Because domain controllers share the same account database for the domain, certain security settings must be set uniformly on all domain controllers. This ensures that the members of the domain have a consistent experience regardless of which domain controller they use to log on. Windows 2000 accomplishes this task by allowing only certain settings in the group policy to be applied to domain controllers at the domain level. This group policy behavior is different for member servers and workstations.

The following settings are applied to domain controllers in Windows 2000 only when the group policy is linked to the Domain container:

  • All settings in Computer Configuration/Windows Settings/Security Settings/Account Policies (This includes all of the Account Lockout, Password, and Kerberos policies.)
  • The following three settings in Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options:
      • Automatically log off users when logon time expires
      • Rename administrator account
      • Rename guest account


The following settings are applied to Windows Server 2003-based domain controllers only when the group policy is linked to the domain container. (The settings are located in Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options.)
  • Accounts: Administrator account status
  • Accounts: Guest account status
  • Accounts: Rename administrator account
  • Accounts: Rename guest account
  • Network security: Force logoff when logon hours expire
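
As an added example (not part of the Knowledge Base article or this tip), the Python below scans the text of a GPO's security template (GptTmpl.inf) for the settings listed above, so a GPO linked to an OU such as Domain Controllers can be checked for values that domain controllers will not apply from that link. The key names are those of the security template format; the function name and the sample template are constructed for illustration.

```python
import configparser

# [System Access] keys behind the Password and Account Lockout policies.
ACCOUNT_POLICY = {
    "MinimumPasswordAge", "MaximumPasswordAge", "MinimumPasswordLength",
    "PasswordComplexity", "PasswordHistorySize", "ClearTextPassword",
    "LockoutBadCount", "ResetLockoutCount", "LockoutDuration",
}
# [System Access] keys behind the Security Options the article lists
# (the two Enable* keys belong to the Windows Server 2003 list).
SECURITY_OPTIONS = {
    "NewAdministratorName", "NewGuestName", "ForceLogoffWhenHourExpire",
    "EnableAdminAccount", "EnableGuestAccount",
}

# Constructed sample: template of a hypothetical GPO linked to an OU.
SAMPLE_OU_GPO = """\
[System Access]
MinimumPasswordLength = 14
LockoutBadCount = 5
NewAdministratorName = "ops-admin"
LSAAnonymousNameLookup = 0
[Kerberos Policy]
MaxClockSkew = 5
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

def domain_only_settings(inf_text):
    """Return (section, key, value) for every setting that domain
    controllers take only from a GPO linked to the domain."""
    # The file on disk is typically UTF-16; decode it before calling this.
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # keep the template's key case
    cp.read_string(inf_text.lstrip("\ufeff"))
    hits = []
    for section in cp.sections():
        name = section.lower()
        for key, value in cp.items(section):
            if name == "kerberos policy" or (
                name == "system access"
                and key in ACCOUNT_POLICY | SECURITY_OPTIONS
            ):
                hits.append((section, key, value))
    return hits

if __name__ == "__main__":
    for hit in domain_only_settings(SAMPLE_OU_GPO):
        print("applies to DCs only from a domain-linked GPO:", hit)
```

Any hit reported for a GPO that is linked only below the domain root is a setting to move into a domain-linked GPO if it is meant to reach domain controllers.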


