What is the difference between Local Security Policy, Domain Security Policy, and Domain Controller Security Policy?
Does the Domain Controller Security Policy follow the user to whatever pc he logs in at? If so, what happens to the Local Security Policy?

Pete, this is a bit complex to explain here but here are the basics.
The local security policy is the policy that is applied to the local machine. It is also the first policy applied.
The domain policy is the policy applied at the domain level and will be applied to any w2k/xp machine logging into the domain. It will overwrite any setting applied by the local security policy. If you look in the interface for Local Security Policy you'll see the settings for Local Settings and Effective Settings. Well, the Effective Settings are the settings that exist after the domain policy is implemented. If the local policy makes a setting and the domain policy does not have that setting configured, then the local policy setting will remain.
The Domain Controller Security Policy affects only Domain Controllers, or whatever machines are in the Domain Controllers OU, which is usually just DCs. It will not affect computers not in that OU. Your question - "Does the Domain Controller Security Policy follow the user to whatever pc he logs in at?" Not really. It affects the DCs. So for example if you set the policy to allow users to 'Log on Locally' in the Domain Controller Policy, then they will be able to log on locally to all DCs.
Policies can be applied at the Local pc level, Site Level, Domain level, and OU level, in that order.
Hope that helps.

Now it's starting to make sense... Domain Controller Policy only affects DCs and would be very beneficial in networks with multiple DCs.
Just to make things crystal clear: why would one want to change their 'Local Security Policy' on a DC? Is it when you log on locally to the server, but select SERVER01 (this computer) instead of XYZ_DOMAIN in the drop-down menu underneath the password field?

Well, sort of, but you cannot log on locally to a DC. In other words, the option to select the server in the drop-down list is not available on a DC. Again, the local policy settings are not affected if a domain or other policy does not change them. Let's say you have a setting in the local policy to remove the RUN command from the start menu. The local policy would remove it. The domain policy would then be implemented. If the domain policy is not configured to change that setting, then the local policy would still apply, so the RUN command would be removed. If, however, the domain policy was set to put the RUN command back, then the end result would be that the RUN command would still be in place. It would be removed by the local policy and then replaced by the domain policy. That is the 'Local Settings' and 'Effective Settings' I mentioned earlier.
Any policy only affects what is below it. So if you set a policy at the Site level, it affects everything in that site. At the domain level it affects everything in that domain. A policy at the OU level, such as the Domain Controllers OU, will affect whatever is in that OU - which by default is only DCs.
There are options for Blocking and Overriding policies too but if you want to get into that then you may want to buy a book - Like mine by Coriolis called Windows 2000 Security Design. :)
Hope this helps.
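The precedence rules in the two answers above (local first, then site, domain and OU; a later policy only overrides settings it actually configures; an OU policy only reaches machines in that OU), as an added worked model that is not part of this thread. The policies, containers and machines below are constructed sample data, and the Local Setting / Effective Setting rows mimic the two columns in the Local Security Policy console.

```python
# Constructed model of LSDOU policy precedence; not from the original thread.
NOT_CONFIGURED = None  # a setting left "Not Configured" changes nothing

# Sample policies as (scope, container the policy is linked to, settings),
# processed after the local policy in site, domain, OU order; later ones win.
POLICIES = [
    ("site",   "HQ",                 {"MinimumPasswordLength": 6}),
    ("domain", "corp.example",       {"RemoveRunCommand": False,   # puts RUN back
                                      "MinimumPasswordLength": 8,
                                      "AuditLogonEvents": NOT_CONFIGURED}),
    ("ou",     "Domain Controllers", {"LogOnLocally": ["Administrators", "Users"]}),
]

# Sample machines with their own local policy (constructed).
WORKSTATION = {"site": "HQ", "domain": "corp.example", "ou": "Workstations",
               "local": {"RemoveRunCommand": True, "AuditLogonEvents": "Success"}}
DC = {"site": "HQ", "domain": "corp.example", "ou": "Domain Controllers",
      "local": {"RemoveRunCommand": True, "LogOnLocally": ["Administrators"]}}


def effective_settings(machine, policies):
    """Return (effective settings, scopes that applied) for one machine."""
    effective = dict(machine["local"])           # local policy goes on first
    applied = ["local"]
    for scope, container, settings in policies:  # site, domain, OU order
        if machine.get(scope) != container:
            continue                             # linked elsewhere: out of scope
        applied.append(f"{scope}:{container}")
        for key, value in settings.items():
            if value is not NOT_CONFIGURED:      # "not defined" leaves earlier value
                effective[key] = value
    return effective, applied


def local_vs_effective(machine, policies):
    """Rows of (local setting, effective setting), as the MMC console shows them."""
    effective, _ = effective_settings(machine, policies)
    return {key: (machine["local"].get(key), effective.get(key))
            for key in sorted(set(machine["local"]) | set(effective))}


if __name__ == "__main__":
    for name, machine in (("workstation", WORKSTATION), ("domain controller", DC)):
        _, applied = effective_settings(machine, POLICIES)
        print(name, "- policies applied:", applied)
        for key, (local, final) in local_vs_effective(machine, POLICIES).items():
            print(f"  {key:22} local={local!r:18} effective={final!r}")
```

On the workstation the domain policy puts the RUN command back and tightens the password length, the "not defined" audit setting leaves the local value in place, and the Domain Controllers OU policy never applies; on the DC it does.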

Fantastic! Thanks for clearing that up for me Glen! My confusion lay within the DC, and why it would also have a Local Security Policy. It is only effective when the Domain Controller Security Policy has "not defined" policies.
On the same note, a regular workstation's Local Security Policy is only effective when the Domain Security Policy has "not defined" policies, or the workstation is not connected to the network.
