Default Domain Policy
The default domain policy includes the following three security policies. You can check these policies under Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies.
- Password Policy
- Account Lockout Policy
- Kerberos Policy
These three policies can only be set at the domain level. If you configure these settings anywhere else (at a site or an OU), they are ignored. However, setting these three policies at the OU level does take effect when users log on locally to their PCs: log on to the domain and you get the domain policy; log on locally and you get the OU policy.
The default domain policy also includes the following three security options. You can check these settings under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
- Automatically log off users when logon time expires
- Rename Administrator Account – When set at the domain level, it affects the Domain Administrator account only.
- Rename Guest Account – When set at the domain level, it affects the Domain Guest account only.
For the above listed policies, you can use only the Default Domain Policy.
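The following added example (not part of the original page) lists OU-linked GPOs that define any of the settings above, which is a quick way to find account-policy values that domain logons will not pick up. It assumes the RSAT ActiveDirectory module, read access to SYSVOL, and the standard `GptTmpl.inf` security-template location inside each GPO folder.

```powershell
# Added example: audit OU-linked GPOs for settings that only the domain level honours.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# Effective password/lockout policy for domain accounts (set at the domain level).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, MaxPasswordAge, LockoutThreshold, LockoutDuration

# GptTmpl.inf [System Access] keys behind the password, lockout and security options above.
$domainOnlyKeys = 'MinimumPasswordAge','MaximumPasswordAge','MinimumPasswordLength',
    'PasswordComplexity','PasswordHistorySize','ClearTextPassword',
    'LockoutBadCount','ResetLockoutCount','LockoutDuration',
    'ForceLogoffWhenHourExpire','NewAdministratorName','NewGuestName'

foreach ($ou in Get-ADOrganizationalUnit -Filter * -Properties LinkedGroupPolicyObjects) {
    foreach ($gpoDn in $ou.LinkedGroupPolicyObjects) {
        # The link is the GPO's DN; pull the {GUID} that names its SYSVOL folder.
        if ($gpoDn -notmatch '\{[0-9A-Fa-f-]{36}\}') { continue }
        $guid = $Matches[0]
        $inf  = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\$guid" +
                '\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }   # GPO has no security template

        $section = ''
        foreach ($line in Get-Content -LiteralPath $inf) {
            if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }
            if ($line -notmatch '^\s*([^=\s]+)\s*=\s*(.*)$') { continue }
            $key, $value = $Matches[1], $Matches[2]
            # Kerberos settings live in their own section; report every key found there.
            if (($section -eq 'System Access' -and $domainOnlyKeys -contains $key) -or
                $section -eq 'Kerberos Policy') {
                [pscustomobject]@{
                    OU = $ou.DistinguishedName; Gpo = $guid
                    Section = $section; Setting = $key; Value = $value
                }
            }
        }
    }
}
```

Each row returned is a setting configured at an OU; compare it with the domain-level values printed first to see where local and domain logons would be held to different rules.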
Default Domain Controllers Policy
This policy can be found by right-clicking the Domain Controllers OU. It affects all domain controllers in the domain regardless of where you place them. That is, even if you put your domain controllers in a container (OU) other than the Domain Controllers OU, those domain controllers still process this policy and get their settings from it.
Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings.