One or more group policies (GPOs) can be defined for each domain, site, and organizational unit (OUs) in a forest (that is, an entire Active Directory domain network). All of the GPOs can be managed from a Windows 2000 or Server 2003 domain controller system through the Active Directory Users and Computers utility as well as several others.
There is one local security policy for every local system that is running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional or Windows Server 2003. The local security policy can be managed directly only on the local system through the Administrative Tools link or via the MMC. When a Windows XP Professional system is a domain client, multiple GPOs may be applied to it in addition to its own local security policy.
Group policies are applied in the following order:
- Any existing legacy Windows NT 4.0 ntconfig.pol files are applied.
- Any unique local security policy is applied
- Any site group policies are applied.
- Any domain group policies are applied.
- Any organizational units (OU) group policies are applied.
One simple way to remember this order is LSDOU (local, site, domain, organizational unit). As long as you can remember that any legacy Windows NT 4.0 ntconfig.pol files are applied first, then LSDOU can help you keep track of the order of the remainder.
Do keep in mind that multiple GPOs can be applied at each Active Directory domain container level (site,
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.
This was first published in September 2004