Best practices for Security Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Be cautious when creating new policies

  • Always test a newly-created policy on a test computer before applying it to your network.

Be aware that more than one policy can be applied to a computer

  • Because of this, there can be conflicts in security policy settings. The order of precedence from highest precedence to lowest precedence is:

    1. Organizational unit

    2. Domain

    3. Local computer

    For more information, see Applying security settings.

  • You can use Resultant Set of Policy to find out what policies apply to a certain computer. For more information , see Resultant Set of Policy.

Keep in mind that there can only be one account policy in a domain: the Default Domain Policy

For more information, see Account and local policies.

Apply templates appropriately

  • Do not apply the Compatible template to Domain Controller computers. For example, do not import the Compatible template to Default Domain Policy or Default Domain Controller Policy.

  • Do not apply the Setup security template through Group Policy.

Use the correct tools for configuring local policy

  • For local security policy, use the Local Security Policy shortcut for editing and fine-tuning security policy. Use Security Templates to create a local policy and then use Security Configuration and Analysis to apply the policy.