Domain Security Policy in Windows 2000

Document directory

• Account Policy
• Local Policy
• The information in this article applies:

Applicable

Summary

In Microsoft Windows NT Server 4.0, the concept "Domain Security Policy" refers to a group of associated items that are critical to the security configuration of the domain. They include:

• The user password, or the account policy that controls how the user account uses the password.
• Controls audit policies for which event types should be recorded in security logs.
• User Permissions are applied to groups or users and affect the activities allowed on a single workstation, member server, or all domain controllers in the domain.

In Windows 2000, Microsoft has reconfigured these components into a consistent hierarchy or tool, that is, the security measure settings snap-in the Group Policy Editor. This is useful if you want to know the correct group policy you want to change.

More information

To configure cross-domain security settings, use the "Group Policy Editor" snap-in, with the center set as the "Default Domain Policy" Group Policy object (GPO ):

1. ClickStart, PointingProgram, PointingManagement toolsAnd then clickActive Directory users and computers.
2. Right-click the corresponding domain object, and then clickAttribute.
3. ClickGroup PolicyTab to view the Group Policy objects of the current link.
4. ClickDefault Domain PolicyClick "edit ".

After you start the Group Policy Editor snap-in, you can access the domain security policy from the following nodes:

Console Root Node \ "Default Domain Policy" \ Computer Configuration \ Windows Settings \ Security Settings

At this point in the hierarchy, you can obtain the following nodes:

Account Policy

• Password Policy
• Account lock Policy
• Kerberos Policy

Local Policy

• Audit Policy
• User Rights Assignment
• Security Options
  • Event Log
  • Restricted Group
  • System Service
  • Registry
  • File System
  • IP Security Policy on Active Directory
  • Public Key Policy

"Group Policy" is managed by using "Group Policy object, A group policy object is a data structure attached to the selected Active Directory object (such as a site, domain, or organization unit) in the specified hierarchy. Once created, these GPO will be applied in the following standard order: lsdou, which indicates (1) local, (2) site, (3) domain, (4) organization unit, the following policies are higher than those applied previously.

If the computer is added to a domain that implements active directory and group policies, a local group policy object is processed. Note: even if the "Blocking Policy inheritance" option is specified, the Policy Object Policy of the Local Group Policy will be processed.

First, process the Local Group Policy object, and then process the Domain Policy. If the computer is added to a domain and conflicts with the Local Computer Policy, the Domain Policy wins. However, if the computer no longer belongs to a domain, the Local Group Policy object will be applied.

The information in this article applies:

• Microsoft Windows 2000 Server
• Microsoft Windows 2000 Advanced Server
• Microsoft Windows 2000 datacenter Server

Latest updates:	(3.0)
Keywords:	Kbinfo kbnetwork kbtool kb221930