Best practices

Always test a newly-created policy on a test computer before applying it to your network.

The security settings are refreshed every 90 minutes on a workstation or server and every 5 minutes on a domain controller. The settings are also refreshed every 16 hours, whether or not there are any changes.

Be aware that more than one policy can be applied to a computer.

Because of this, there can be conflicts in security policy settings. The order of precedence from highest precedence to lowest precedence is Organizational Unit, Domain, and Local Computer. For more information, see Applying security policy

You can use Resultant Set of Policies to find out what policies apply to a certain computer. For more information , see Resultant set of policy

Keep in mind that there can only be one account policy in a domain: the Default Domain Policy. For more information, see Account and local policies 

When importing templates through Group Policy:

Do not apply the Compatible template to Domain Controller machines. For example, do not import the Compatible template to Default Domain Policy or Default Domain Controller Policy.

Do not apply the Setup security template through Group Policy.

For local security policy, use the Local Security Policy shortcut for editing and finetuning security policy. Use Security Templates to create a local policy and then use Security Configuration and Analysis to apply the policy.



© 2016 Microsoft Corporation. All rights reserved. Contact Us |Terms of Use |Trademarks |Privacy & Cookies