EXPERT RESPONSE
The whole idea of having a domain is to have a domain-wide security policy and to therefore have consistency within the domain on certain security issues, such as account policy (which includes password policy) and domain user rights. Then, where allowed and where approved as your organizations policy, security policy for various users and computers within the domain can be specified by creating GPO's on an organizational unit and creating a specific security policy there. I am confused when you say there is not a domain controller policy or domain policy on DC A, but some on B and that this is default. By default there is a GPO defined in both of these places, and by default, the domain controller policy for the domain is the same for all domain controllers in the domain. The domain policy for the domain is the same for all computers in the domain. If you are seeing different policies for each, I'd suspect a replication problem? Or worse?
Debugging security policy issues can be quite involved. When a server is promoted to a DC, if it is the first DC then it obtains its security policies from the template defined for domain controllers, which, of course, is an .inf file, a text file and could have been altered before the dc was promoted. If the DC is not the first DC, then it gets its policy from the existing DC that becomes its replication partner. Of course, as mentioned before, GPOs on OUs can mean different users will be able to do different things. Check the health of your Active Directory, and then determine just what GPO's are affecting the user accounts.
|
