Windows – How to set group policy in windows server 2008 domain

Tags: domain, group-policy, security, windows, windows-server-2008

I need to apply group policy to several computers in a Windows Server 2008 domain. After running gpmc.msc, we can see Default Domain Policy and Default Domain Controllers Policy.

  1. Can you tell me their difference?
  2. Which policy is effective?

Source: SBS Diva (https://msmvps.com/blogs/bradley/archive/2009/05/29/group-policy-defaults-for-sbs-2008.aspx)

TechNet says this, but I don't understand it:

Default Domain Policy is linked to the domain object and affects all users and computers in the domain (including computers that are domain controllers) through policy inheritance.

Default Domain Controllers Policy is linked to the Domain Controllers OU. This policy generally affects only domain controllers, because by default, computer accounts for domain controllers are kept in the Domain Controllers OU.

Best Answer

It sounds like you'd do well to get some background information on Group Policy before you begin making changes. Some background information on Active Directory would probably help you, too.

I'd recommend strongly against modifying the "Default..." Group Policy Objects (GPOs) that are created in Active Directory by default. You can create your own GPOs that contain your custom settings. By leaving these settings in their default state, you create a situation where you can disable all your custom GPOs and return everything to a default state.

To answer your specific queries (at the risk of repeating what TechNet says):

The "Default Domain Policy" is a GPO created during the creation of your Active Directory domain that contains settings that, by default, apply to all computer and user accounts in the domain. (Using the "Block Inheritance" functionality on individual OUs allows this behavior to be overridden, but that's more of an advanced topic.) The main default setting that comes out of this GPO is the domain password policy. This setting controls the parameters associated with user account lock-out and user passwords (length, complexity, expiration, re-use).

The "Default Domain Controllers Policy" is another GPO created during the creation of your Active Directory domain. It contains settings that are only applied to Domain Controller (DC) computers (that is, those computers that host copies of the Active Directory database and perform authentication functions). The main default settings that come out of this GPO in Windows 2003 and newer Windows versions are to limit the DCs to "talking to" clients that support digitally-signed Server Message Block (SMB) packets. The purpose of this setting is to increase security.

The specific details of how Group Policy is applied to users or computers are somewhat involved. In general, though, Group Policy objects are applied in the order they are encountered, starting at the top of the domain and proceeding down through OUs to the computer object. The easiest way I can relate to thinking about "precedence" or "conflicts" between GPOs is to imagine that all the settings are applied as each GPO is encountered, with the "effective" setting being the last setting applied to a given item.

An example: A GPO linked at the domain sets the computer's "Offline Files" feature to "Enabled". Another GPO linked at the OU where the computer object is located sets the "Offline Files" feature to disabled. Because the GPO linked to the OU where the computer object is located is applied last, the "effective setting" for the computer would be to leave "Offline Files" in the disabled state.

The "Block Inheritance" and "No Override" functionality add complexity and powerful functionality. WMI filtering, security group filtering, and loopback policy processing add a lot of additional complexity, too, and are worth learning about. I wouldn't recommend learning about any of these features, though, until you have a good background on the general behavior of the product.
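One way to check the link order and the winning settings described above for a single computer, as an added example that is not part of the original answer: it assumes the GroupPolicy and ActiveDirectory PowerShell modules (shipped with GPMC/RSAT on Windows Server 2008 R2 and later; on 2008 RTM use gpresult.exe instead, as noted in the comments), a domain-admin session, and a placeholder computer name.

```powershell
# Added example, not from the original post. Requires the GroupPolicy and
# ActiveDirectory modules (GPMC/RSAT, Server 2008 R2 or newer). On Server 2008 RTM
# the equivalent is:  gpresult /s <computer> /scope:computer /r
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ComputerName = 'WORKSTATION01'   # placeholder: replace with a real computer account

# 1. Find the OU that holds the computer object; GPOs linked there are applied last.
$computer = Get-ADComputer -Identity $ComputerName
$ouDn = ($computer.DistinguishedName -split ',', 2)[1]

# 2. List every GPO link that reaches that OU, in the order the engine applies them.
#    Get-GPInheritance lists InheritedGpoLinks with the highest-precedence link first
#    (the one applied last), so the list is reversed to show domain -> OU apply order.
$inh = Get-GPInheritance -Target $ouDn
"Block Inheritance set on {0}: {1}" -f $ouDn, $inh.GpoInheritanceBlocked
$applyOrder = [array]$inh.InheritedGpoLinks
[array]::Reverse($applyOrder)
$n = 0
foreach ($link in $applyOrder) {
    $n++
    "{0}. {1}  (linked at {2}; enabled={3}; enforced={4})" -f `
        $n, $link.DisplayName, $link.Target, $link.Enabled, $link.Enforced
}
# Enforced=True ("No Override" in older consoles) makes a link win even when a later
# link sets the same item differently, so watch for it when reading the order above.

# 3. Ask the policy engine which settings actually won. The RSoP report is the
#    authoritative answer to "which policy is effective"; the computer must be online.
$report = Join-Path $env:TEMP "$ComputerName-rsop.html"
Get-GPResultantSetOfPolicy -Computer $ComputerName -ReportType Html -Path $report
"RSoP report written to $report (each setting shows its 'Winning GPO')"

# 4. Password and lockout settings are a special case: for domain accounts only the
#    settings applied at the domain level (the Default Domain Policy by default) count,
#    whatever an OU-linked GPO says. This shows what the domain is really enforcing.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
                  PasswordHistoryCount, LockoutThreshold
```

Run it from a management host in the domain; step 3 needs WMI/RPC access to the target computer, and the HTML report is where the Offline Files example from the answer can be traced to the GPO that set it.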
