August 27, 2003 12:00 AM

Using GPOs to Customize and Lock Down Workstations

Windows IT Pro
InstantDoc ID #39772

We want to enable the Default Domain Policy Group Policy Object (GPO) so that we can customize and lock down our Windows XP and Windows 2000 workstations. Can we enable the Default Domain Policy but disable the Default Domain Controllers Policy so that our domain controllers (DCs) don't pick up the policies? Can you suggest other Group Policy configurations that will give us the same results?

First of all, don't disable the Default Domain Policy (which is linked to the root of the domain); I've observed strange behavior when that GPO is deleted or disabled. One solution is to enable Block Policy inheritance on the Domain Controllers organizational unit (OU). This setting blocks all policies defined in the Default Domain Policy from applying to your DCs, except for the Password, Lockout, and "Forcibly disconnect users when logon hours expire" policies. Because Active Directory (AD) enforces only one Password, Lockout, and "Forcibly disconnect users when logon hours expire" policy for all domain users, AD reads these settings only from GPOs linked to the root of the domain. Blocking these policies at the Domain Controllers OU level therefore has no effect.

A cleaner, better solution is to create an OU called Workstations, move all your XP workstations to that OU, and create a GPO linked to the OU. Define your workstation policies in that OU. Using OUs to define policies is typically a less confusing solution than using No Override or Block Policy inheritance policies or disabling GPOs.
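The OU-based approach above, sketched in PowerShell as an added example that is not part of the original article. It assumes the ActiveDirectory and GroupPolicy modules (which postdate the article) are installed; the GPO name and the operating-system filter are illustrative assumptions.

```powershell
# Added example: requires the ActiveDirectory and GroupPolicy modules (RSAT).
Import-Module ActiveDirectory, GroupPolicy

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName
$ouName   = 'Workstations'
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'Workstation Lockdown'   # hypothetical GPO name

# 1. Create the Workstations OU directly under the domain root if it is missing.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
        -SearchBase $domainDn -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# 2. Move XP and Windows 2000 Professional computer accounts out of the
#    default Computers container. DCs live in their own OU and are untouched.
$osFilter = "OperatingSystem -like 'Windows XP*' -or " +
            "OperatingSystem -like 'Windows 2000 Professional*'"
Get-ADComputer -Filter $osFilter -SearchBase $domain.ComputersContainer |
    Move-ADObject -TargetPath $ouDn

# 3. Create the GPO (empty until you define settings in it) and link it
#    to the Workstations OU only, never to the domain root.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Lockdown settings for workstations'
}
$existing = (Get-GPInheritance -Target $ouDn).GpoLinks |
    Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $existing) {
    New-GPLink -Guid $gpo.Id -Target $ouDn -LinkEnabled Yes | Out-Null
}

# 4. Verify scope: the GPO must not be among the links that the
#    Domain Controllers OU receives.
$dcLinks = (Get-GPInheritance -Target $domain.DomainControllersContainer).InheritedGpoLinks
if ($dcLinks.DisplayName -contains $gpoName) {
    Write-Warning "'$gpoName' reaches the Domain Controllers OU; check where it is linked."
} else {
    Write-Output "'$gpoName' applies to $ouDn and not to the domain controllers."
}
```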


Comments
  • Anonymous User
    8 years ago
    Nov 28, 2004

    2

  • luke boyce
    8 years ago
    Mar 29, 2004

    Hello, how do I create a group policy object for my new OU?

  • john shukovsky
    8 years ago
    Mar 02, 2004

    Q269236


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.