Account and local policies
All security policies are computer-based policies. Account policies are defined on computers, yet they affect how user accounts can interact with the computer or domain. Account policies contain three subsets:
For domain accounts, there can be only one account policy. The account policy must be defined in the Default Domain policy and is enforced by the domain controllers that make up the domain. A domain controller always obtains the account policy from the Default Domain Policy Group Policy object, even if there is a different account policy applied to the organizational unit that contains the domain controller. By default, workstations and servers joined to a domain (such as member computers) will also receive the same account policy for their local accounts. However, local account policies can be different from the domain account policy, such as when you define an account policy specifically for the local accounts.
There are two policies in Security Options that also behave like account policies. These are:
These policies apply to a computer and contain these subsets:
Because a computer can have more than one policy applied to it, there can be conflicts in security policy settings. The order of precedence from highest precedence to lowest precedence is organizational unit, domain, and local computer. For more information, see Applying security policy