Domain Security Policy in Windows 2000

ID: Q221930


The information in this article applies to:
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server


SUMMARY

In Microsoft Windows NT Server 4.0, the concept of the Domain Security Policy referred to an associated group of items considered critical to the secure configuration of a domain. These included:

  • User Password, or Account, Policy, which controls how passwords are used by user accounts.
  • Audit Policy, which controls what types of events are recorded in the security log.
  • User Rights, which are applied to groups or users and affect the activities permitted on an individual workstation, a member server, or on all domain controllers in a domain.

In Windows 2000, Microsoft has re-configured these components into one consistent hierarchy or tool, the Security Settings snap-in in the Group Policy Editor. This article may be useful if you want to know the proper group policy object to change.


MORE INFORMATION

To configure security settings that are intended to span a domain, use the Group Policy Editor snap-in, with its focus set to the "Default Domain Policy" group policy object (GPO):

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Right-click the appropriate domain object, and then click Properties.
  3. Click the Group Policy tab to view currently linked group policy objects.
  4. Click the Default Domain Policy GPO link, and then click Edit.


After you start the Group Policy Editor snap-in, you can gain access to domain security policies from the following node:

Console Root\"Default Domain Policy" Policy\Computer Configuration\Windows Settings\Security Settings

At this point in the hierarchy, the following nodes are available:

Account Policies

  • Password Policy
  • Account Lockout Policy
  • Kerberos Policy

Local Policies

  • Audit Policy
  • User Rights Assignment
  • Security Options

Event Log

Restricted Groups

System Services

Registry

File System

IP Security Policies on Active Directory

Public Key Policies

Group Policy is administered through Group Policy Objects (GPOs), data structures that are attached in a specific hierarchy to selected Active Directory objects, such as sites, domains, or organizational units (OUs). Once created, these GPOs are applied in a standard order, LSDOU: (1) Local, (2) Site, (3) Domain, (4) OU. Policies applied later take precedence over policies applied earlier.

NOTE: Local Group Policy Objects are not applied by default on computers that are members of a Windows Domain. Also, Windows 2000 permits domain controllers within a single domain to have different "Local" security policies (those categorized under the "security settings" - "Local Policies" node of the group policy object). By default, they are the same, controlled by the "Default Domain Controllers Policy," which is linked to the "Domain Controllers" organizational unit.
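
The LSDOU order described above can be modeled as a small resultant-policy calculation. The following is an added example, not part of the original article or any Microsoft tool; the function names, the setting names, and the "Site Baseline" GPO are assumptions made for illustration, and the values are constructed sample data.

```python
# Added illustration: models the LSDOU processing order (Local, Site, Domain, OU).
# Nothing here reads a real domain; SAMPLE_GPOS is constructed sample data.
LSDOU = {"local": 0, "site": 1, "domain": 2, "ou": 3}

def resultant_policy(gpos):
    """Return {setting: (value, winning_gpo)} after applying GPOs in LSDOU order.

    gpos: iterable of (level, gpo_name, settings) tuples. A value of None
    stands for "Not Defined" and never overrides an earlier value.
    """
    effective = {}
    # sorted() is stable, so GPOs at the same level keep the order given.
    for level, name, settings in sorted(gpos, key=lambda g: LSDOU[g[0]]):
        for key, value in settings.items():
            if value is None:
                continue
            effective[key] = (value, name)  # later level replaces earlier one
    return effective

def overridden(gpos):
    """List (setting, losing_gpo, losing_value, winning_gpo) for audit review."""
    final = resultant_policy(gpos)
    losers = []
    for level, name, settings in gpos:
        for key, value in settings.items():
            if value is not None and final[key][1] != name:
                losers.append((key, name, value, final[key][1]))
    return sorted(losers, key=lambda r: (r[0], r[1]))

# Deliberately listed out of order to show that level, not list position, decides.
SAMPLE_GPOS = [
    ("ou", "Default Domain Controllers Policy",
     {"AuditLogonEvents": "Success, Failure", "MinimumPasswordLength": None}),
    ("site", "Site Baseline (hypothetical)",
     {"AuditLogonEvents": "No auditing", "LockoutBadCount": 0}),
    ("domain", "Default Domain Policy",
     {"MinimumPasswordLength": 8, "LockoutBadCount": 5,
      "AuditLogonEvents": "Failure"}),
]

if __name__ == "__main__":
    for key, (value, source) in sorted(resultant_policy(SAMPLE_GPOS).items()):
        print(f"{key:24} = {value!r:20} from {source}")
    for row in overridden(SAMPLE_GPOS):
        print("overridden:", row)
```

The overridden list is the part worth reviewing: it shows which configured values never take effect on the target computer because a GPO applied later in the order replaced them.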


Last Reviewed: December 29, 1999
© 2000 Microsoft Corporation. All rights reserved.