Windows 2000 Security Configuration Tool

Windows 2000 Security Policy

This section describes the various security policy tools and their prioritization of security policy applications. By default, Group Policy is inherited and cumulative, and affects all computers in the Microsoft Active Directory® container. Group policies can be managed by using Group Policy Objects (GPOs), which are data structures that are attached in a specific hierarchy of selected Active Directory objects such as sites, domains, or organizational units (OUs). After creating these

the GPO, it may be applied in a standard order: LSDOU, indicating (1) locally, (2) site, (3) field, (4) OU. The applied policy priority is higher than the first applied policy priority. A domain policy is valid if a computer belongs to a domain and there is a conflict between the domain and the local computer policy. However, if a computer no longer belongs to a domain, the local group policy is applied.

When a computer joins a domain that implements Active Directory and Group Policy, it processes local GPOs. Note that the local GPO policy is processed even when the Block Policy Inheritance option is specified.

Account policies (passwords, account lockouts, and Kerberos policies) for the entire domain can be defined in the default domain GPO local policies (audit policies, user rights assignments, and security options) because they are defined in the default domain controller GPO The domain control controller (DC). For DCs, the settings defined in the default DC GPO take precedence over the settings defined in the default domain GPO. This way, if you configure user privileges in the default domain GPO (for example, "Add workstations in the domain"), there is no impact on the DCs in this domain.

There is an option to allow group policies to be enforced in a specific GPO, which prevents GPOs in lower-level Active Directory containers from replacing this policy. For example, if a specific GPO is defined at the domain level and an enforcement GPO is specified, the policies contained in the GPO will be applied to all OUs in this domain; that is, lower-level containers (OUs) cannot override this domain group Strategy.

Note: The Account Policy Security Zone receives the special handling that it takes effect on this domain computer. All DCs in this domain receive account policies from GPOs configured on the domain node, regardless of the location of the DC's computer objects. This ensures that a consistent account policy is enforced for all domain accounts. All non-DC computers in the domain can get the policies for local accounts on these computers according to the normal GPO hierarchy. By default, member workstations and servers enforce the policy settings configured in their local account domain GPOs, but they will take effect if there are other GPOs with a lower range that override the default settings.

Local Security Policy

Use local security policies to set security requirements on your local computer. It is primarily used for individual computers or for applying specific security settings to domain members. Local security policy settings have the lowest priority in an Active Directory managed network.

• Open Local Security Policy

1. Log in to the computer with administrator privileges.

2. On Windows 2000 Professional computers, the Administrative Tools are not displayed as options in the Start menu by default. To view the Administrative Tools menu options in Windows 2000 Professional, click Start, point to Settings, and then click Taskbar and Start Menu. In the Taskbar and Start Menu Properties window, click the Advanced tab. Select Show Administrative Tools in the Start Menu Settings dialog. Click the "OK" button to complete the setup.

3. Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy. This will allow you to "local security settings" console.

Figure 1: Local Security Settings Domain Security Policy