To modify policies in a Domain, we use Group Policy Management:
 (Note that we are on the Domain Controller.)
Start > Administrative Tools > Group Policy Management

From the left panel, click the "+" sign: Forest: Long.local > Domain > Group Policy Objects
  • Default Domain Policy : affects the whole Domain (Domain Controller and Domain members/member servers)
  • Default Domain Controller Policy : affects only the Domain Controller
For example :

1/ Password Policy :
Use Default Domain Policy > Right Click and choose Edit : a new dialog appears.

Computer Configuration > Policies > Security Settings > Account Policies > Password Policy

This affects the whole Domain.

2/ As you might know, an ordinary user (not a Domain Administrator) cannot log on locally to a Domain Controller.
There is a policy that allows it. Because you want this policy to affect only the DC:

Right click : Default Domain Controller Policy > User Rights Assignment > Allow log on locally.


The point is: when the Administrator is on a member computer, how can he manage the Domain?

On:
Windows XP, 2K3, Vista : we use a package called Adminpak.msi
Windows 7 : Download and install the Remote Server Administration Tools
Windows Server 2008 : Server Manager > Right Click Features > Add Features > Check:

  • Group Policy Management
  • Expand Remote Server Administration Tools > Role Administration Tools > AD DS & AD LDS Tools > AD DS Tools > Check Active Directory Administrative Center.
  • Add the required features. Next.

=> Install.

* The Admin can control when and on which computers a user may log on by opening Active Directory Users and Computers > Double Click the User > Account tab : modify Logon Hours and Log On To.
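The same Logon Hours / Log On To restriction can be set and audited from a member computer that has the AD DS Tools installed. This is an added PowerShell example, not from the original post; it assumes the ActiveDirectory module and PowerShell 3.0 or later, and the user name jdoe and workstations PC01/PC02 are placeholder names.

```powershell
# Added example (not part of the original post). Requires the ActiveDirectory
# module (installed with the AD DS Tools / RSAT described above) and PowerShell 3.0+.
# Placeholders: user "jdoe" and workstations "PC01","PC02" are assumed names.
Import-Module ActiveDirectory

function New-LogonHoursMask {
    # Builds the 21-byte logonHours attribute that the "Logon Hours" dialog edits:
    # 168 bits, one per hour of the week starting Sunday 00:00, set bit = allowed.
    # Each byte holds 8 hours, least significant bit first.
    # Note: AD stores these hours in UTC, so shift StartHour/EndHour by your
    # time zone offset if you want local business hours.
    param(
        [int[]]$Days = 1..5,   # 0 = Sunday ... 6 = Saturday (default Mon-Fri)
        [int]$StartHour = 8,   # inclusive
        [int]$EndHour = 18     # exclusive
    )
    $mask = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $bit = $d * 24 + $h
            $idx = $bit -shr 3
            $mask[$idx] = $mask[$idx] -bor (1 -shl ($bit -band 7))
        }
    }
    return ,$mask
}

function Test-LogonHourAllowed {
    # Decodes a mask so you can audit when a user is actually allowed to log on.
    param([byte[]]$Mask, [int]$Day, [int]$Hour)
    $bit = $Day * 24 + $Hour
    return (($Mask[$bit -shr 3] -shr ($bit -band 7)) -band 1) -eq 1
}

# Restrict "Logon Hours" (Mon-Fri 08:00-18:00) and "Log On To" (only PC01, PC02)
$hours = New-LogonHoursMask -Days (1..5) -StartHour 8 -EndHour 18
Set-ADUser -Identity 'jdoe' -Replace @{ logonHours = $hours } -LogonWorkstations 'PC01,PC02'

# Verify by reading both attributes back from the directory
$u = Get-ADUser -Identity 'jdoe' -Properties logonHours, LogonWorkstations
"Log On To : $($u.LogonWorkstations)"
"Mon 09:00 : $(Test-LogonHourAllowed -Mask $u.logonHours -Day 1 -Hour 9)"
"Sat 09:00 : $(Test-LogonHourAllowed -Mask $u.logonHours -Day 6 -Hour 9)"
```

Reading the attributes back is the check worth keeping: it confirms what the directory actually enforces rather than what the dialog displayed.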
I) Introduction to Domain :

- In a workgroup : data and policy stay on each computer; if you want to make a change, you must change each of them. Imagine that your company has a hundred computers and you want to add a user who can log on to every computer => you must create the same new user 100 times, on 100 computers! That is not time-efficient, and a very boring job.

- So Domain saves the day - it is a model in which the data is stored on one computer. Now you just create a new user on the Domain, and he can log on to every computer in that Domain.

Domain Controller (DC) : a computer on which Active Directory Domain Services has been installed and which has the responsibility of managing the Domain.
A computer can be a DC if it meets these requirements :
- Runs Windows Server (2000, 2003, 2008)
- DNS Server.

Domain Member (Windows workstation - Windows XP, Windows 7 ...) & Member Server (Windows Server : 2003, 2008 ...)
- A computer that joins the Domain will be managed by the DC.
- This computer must run a Windows operating system newer than Windows 95.

II) Upgrade a Windows Server to a Domain Controller :
 2 steps :

- Configure IP and DNS (as usual, we set the DNS server to the IP address of this computer - it is also a DNS Server)
- Start > Run > DCPROMO - hit Enter.

Please watch my video ^^

III) Join a computer to Domain :

IV/ Domain Environment :

To manage users/groups and other objects in the Domain, we use the tool called Active Directory Users and Computers, in Start > Administrative Tools, or Start > Run > type : DSA.msc.

When creating a new user, you need to provide a password that meets the complexity requirements: 7 characters, capital letters, numbers ...

As a member user of a Domain, the user can log on to any computer in the domain except the Domain Controller (only the Admin can do that).

(But you can change the policy in User Rights Assignment to Allow log on locally.)