Administrators may define a security policy in Active Directory that contains specific security settings for any and all security areas. This is accomplished by defining security settings in a Group Policy object (GPO) that is associated with a domain or an organizational unit (OU). Security settings that are defined for a domain or OU apply to all machines that are contained in that domain or OU.
A security policy may also be established on the local machine. However, local machine policies can only contain security settings for the first two security areas (Account Policies and Local Policies). While all other security areas may be configured on a local machine through the use of various tools, a local security policy may only be established for Account Policies and Local Policies.
When there are conflicts, security settings that are defined in Active Directory always override any security settings that are defined on the local machine. Security settings for an OU always override security settings defined in any parent OUs or on the domain itself. Thus, when determining the security settings that apply to a specific machine, the order of precedence may be represented as follows, from lowest to highest:
Local security policy
Domain policy
OU policy
...
OU policy (for the OU that the machine is contained in)
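The precedence order above, as an added example that is not part of the original page: a small Python model that applies policies lowest-precedence first and records which source supplied each effective value. It models only the rules stated here; the machine DN, setting names and policy contents are constructed sample data, and DNs are assumed to contain no escaped commas.

```python
# Added example: models only the precedence rules stated in the text.
# All names and values below are constructed sample data (assumptions).

# Areas a local security policy may contain, per the text.
LOCAL_AREAS = {"Account Policies", "Local Policies"}

def ou_chain(machine_dn):
    """Return the machine's OUs from outermost parent to the containing OU."""
    parts = [p.strip() for p in machine_dn.split(",")]
    ous = [p[3:] for p in parts if p.upper().startswith("OU=")]
    return list(reversed(ous))  # a DN lists the innermost container first

def effective_settings(machine_dn, local_policy, domain_policy, ou_policies):
    """Apply policies lowest-precedence first; later layers overwrite earlier.

    Each policy maps (area, setting) -> value.
    Returns (area, setting) -> (value, source that supplied it).
    """
    local_allowed = {k: v for k, v in local_policy.items() if k[0] in LOCAL_AREAS}
    layers = [("Local security policy", local_allowed),
              ("Domain policy", domain_policy)]
    for ou in ou_chain(machine_dn):
        layers.append((f"OU policy ({ou})", ou_policies.get(ou, {})))
    result = {}
    for source, policy in layers:
        for key, value in policy.items():
            result[key] = (value, source)
    return result

MACHINE_DN = "CN=WKS01,OU=Workstations,OU=Sales,DC=example,DC=com"
LOCAL = {("Account Policies", "MinimumPasswordLength"): 6,
         ("Local Policies", "AuditLogonEvents"): "None",
         ("Event Log", "MaxSecurityLogSize"): 512}  # outside LOCAL_AREAS: dropped
DOMAIN = {("Account Policies", "MinimumPasswordLength"): 8,
          ("Event Log", "MaxSecurityLogSize"): 2048}
OUS = {"Sales": {("Local Policies", "AuditLogonEvents"): "Success"},
       "Workstations": {("Local Policies", "AuditLogonEvents"): "Success, Failure",
                        ("Event Log", "MaxSecurityLogSize"): 4096}}

if __name__ == "__main__":
    merged = effective_settings(MACHINE_DN, LOCAL, DOMAIN, OUS)
    for (area, name), (value, source) in sorted(merged.items()):
        print(f"{area} / {name} = {value}  <- {source}")
```

Printing the source next to each value makes it easy to see why a setting configured locally or at the domain did not take effect on a given machine.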