How does precedence work for the Default Domain Controller Security vs the Default Domain Security Settings

active-directory, windows-server-2003

How does precedence work for the Default Domain Controller Security Settings vs the Default Domain Security Settings in a Windows 2003 domain?

  • Does one override the other? What are the conditions for this? One is defined and the other isn't, if they are both defined, etc…
  • If there are conflicting policy settings for different controllers, does it just depend on which one a person authenticates with? For example, if DC A has a Max Password Length of 2 days, and DC B has a max of 5 days. After 4 days, will their password not expire unless they authenticate against DC A?

Best Answer

In 2003 domains password settings are defined domain-wide via the Default Domain policy, and cannot be defined on a granular level. If you want granular password settings (by OU for example) you need to move up to 2008 AD.

The order of precedence for GPO is as follows (first is least):

  1. Local Policy
  2. Site Policy
  3. Domain Policy
  4. OU Policy

If you define something in the Local policy, and there are no policies in the Site, Domain, or OU that contradict that setting, the Local Policy setting will stick. Otherwise, Site will take precedence, then Domain, and highest on the tree is OU policies.
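The following PowerShell is an added illustration, not code from the question or the answer above. It models the Local, Site, Domain, OU chain the answer lists as a last-writer-wins resolution in which a "Not Configured" setting never overrides a value from a lower-precedence GPO, and adds one refinement for the case the question actually asks about: for domain-account password policy on a 2003 domain, only GPOs linked at the domain level are consulted, so a conflicting value in the OU-linked Default Domain Controllers Policy is ignored for domain accounts (it would only govern local SAM accounts on computers in that OU). The GPO names, link scopes and values are constructed sample data; Enforced links, Block Inheritance, link order within a level and security filtering are deliberately left out of the model because the answer does not cover them.

```powershell
# Added example: a model of Group Policy precedence for one setting.
# All GPOs, scopes and values below are constructed sample data.
# Not modelled: Enforced, Block Inheritance, per-level link order, filtering.

function Resolve-GpoSetting {
    param(
        # Applied GPOs in processing order, lowest precedence first:
        # Local, then Site, then Domain, then OU (nearest OU last).
        [Parameter(Mandatory)] [object[]] $AppliedGpos,
        [Parameter(Mandatory)] [string]   $Setting,
        # For domain-account Account Policies (password, lockout, Kerberos) a
        # 2003 domain reads only GPOs linked at the domain root.
        [switch] $DomainAccountPolicy
    )

    $chain = if ($DomainAccountPolicy) {
        $AppliedGpos | Where-Object { $_.Scope -eq 'Domain' }
    } else {
        $AppliedGpos
    }

    $winner = $null
    foreach ($gpo in $chain) {
        # Only an explicitly configured value replaces what an earlier
        # (lower-precedence) GPO set; an absent key means "Not Configured".
        if ($gpo.Settings.ContainsKey($Setting) -and $null -ne $gpo.Settings[$Setting]) {
            $winner = [pscustomobject]@{
                Setting = $Setting
                Value   = $gpo.Settings[$Setting]
                SetBy   = $gpo.Name
                Scope   = $gpo.Scope
            }
        }
    }

    if ($null -eq $winner) {
        # Nothing in the chain defines the setting, so the OS default stands.
        return [pscustomobject]@{ Setting = $Setting; Value = $null; SetBy = 'OS default'; Scope = 'None' }
    }
    return $winner
}

# Constructed sample chain as seen by a domain controller in the
# Domain Controllers OU. The Site GPO leaves the setting Not Configured.
$appliedGpos = @(
    [pscustomobject]@{ Name = 'Local Policy';                      Scope = 'Local';  Settings = @{ MaxPasswordAgeDays = 42 } }
    [pscustomobject]@{ Name = 'Site - HQ';                         Scope = 'Site';   Settings = @{} }
    [pscustomobject]@{ Name = 'Default Domain Policy';             Scope = 'Domain'; Settings = @{ MaxPasswordAgeDays = 60; MinPasswordLength = 8 } }
    [pscustomobject]@{ Name = 'Default Domain Controllers Policy'; Scope = 'OU';     Settings = @{ MaxPasswordAgeDays = 30 } }
)

# Plain LSDOU result: the OU-linked GPO wins because it is processed last.
Resolve-GpoSetting -AppliedGpos $appliedGpos -Setting MaxPasswordAgeDays |
    Format-Table -AutoSize

# Domain-account password policy: only the domain-linked GPO is consulted,
# so the Default Domain Policy value applies and the DC-OU value is ignored.
Resolve-GpoSetting -AppliedGpos $appliedGpos -Setting MaxPasswordAgeDays -DomainAccountPolicy |
    Format-Table -AutoSize

# A setting the Site GPO leaves unconfigured and the OU GPO never touches:
# the Domain value survives because "Not Configured" does not override.
Resolve-GpoSetting -AppliedGpos $appliedGpos -Setting MinPasswordLength |
    Format-Table -AutoSize
```

Because the domain-linked value is the only one consulted for domain accounts, every DC in the domain resolves the same maximum password age once the GPO has replicated, regardless of which DC a user authenticates against. On a real 2003 domain the effective domain password policy can be read from any member with `net accounts /domain`, and the per-GPO winner for a given computer with `gpresult`.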