Problem solve Get help with specific problems with your technologies, process and projects.

Need help with domain controller security policies

I've just inherited a new Active Directory domain. Currently, there are two domain controllers called A and B. Domain controller A has no local security policy defined, no domain controller security policy defined and no domain security policy defined (all default). Domain controller B has some items defined in a local security policy, but no domain controller policy or domain security policy defined (all default). I have two questions about this:

1. Some users (non-administrators) exhibit the ability to add workstations to the domain while other users (also non-administrators) are denied that ability. Can I assume that is due to the user being authenticated by domain controllers with differing local security policies as outlined above (DC A does not allow, while DC B does allow)?

2. If the local security policy defined on DC B (specifically the "add workstations to domain" policy set to administrators and authenticated users) existed before the server was promoted to a DC, would that policy be inherited or assumed into the entire AD/Domain policy as a whole? And would this allow all authenticated users to add workstations or possibly creating a situation like in question 1 where it depends on where a users authentication takes place?

The whole idea of having a domain is to have a domain-wide security policy and to therefore have consistency within the domain on certain security issues, such as account policy (which includes password policy) and domain user rights. Then, where allowed and where approved as your organizations policy, security policy for various users and computers within the domain can be specified by creating GPO's on an organizational unit and creating a specific security policy there. I am confused when you say there is not a domain controller policy or domain policy on DC A, but some on B and that this is default. By default there is a GPO defined in both of these places, and by default, the domain controller policy for the domain is the same for all domain controllers in the domain. The domain policy for the domain is the same for all computers in the domain. If you are seeing different policies for each, I'd suspect a replication problem? Or worse?

Debugging security policy issues can be quite involved. When a server is promoted to a DC, if it is the first DC then it obtains its security policies from the template defined for domain controllers, which, of course, is an .inf file, a text file and could have been altered before the dc was promoted. If the DC is not the first DC, then it gets its policy from the existing DC that becomes its replication partner. Of course, as mentioned before, GPOs on OUs can mean different users will be able to do different things. Check the health of your Active Directory, and then determine just what GPO's are affecting the user accounts.

Dig Deeper on Windows 10 security and management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.