How to apply Domain Level Group Policy
As a system administrator, you may often need to set up a Windows domain, a form of computer network in which all user accounts, computers, printers and other security principals are registered with a central database (called a directory service). One or more domain controllers also need to be deployed to manage the domain. In this post, we will show you how to apply Domain Level Group Policy.
There are lots of posts covering how to promote a Windows server to a Domain Controller. After installing Windows Server, you can promote the server to a Domain Controller by following the instructions at How to Promote Windows Server 2008 R2 to a Domain Controller (for Windows Server 2008 R2 and before) and Building Your First Domain Controller on 2012 R2 (for Windows Server 2012).
After promoting the server to a Domain Controller, the next time you log in you will be logged in as a domain member. For example, if we have a domain named WINDOMAIN and the user Administrator in this domain, the account ID will look like WINDOMAIN\Administrator. If you want to update the domain level group policy, for example Account Policies, you may want to go to Start -> Run -> gpedit.msc and then change the settings under Computer Configuration. However, this approach will fail because the settings are uneditable.
The settings above are uneditable because you are using the Local Group Policy editor to update the GPO. The difference between Local Group Policy and Domain Level Group Policy can be found here. To update the Domain Level Group Policy, go to Start -> Administrative Tools -> Group Policy Management -> <DOMAIN> -> Domains -> Group Policy Objects -> Default Domain Policy, then right-click it and select Edit. You will now be able to change the settings as you want.
To make the update work, you need to restart the server.
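To check that an Account Policies change made in the Default Domain Policy was actually saved and is what the domain enforces, the following added PowerShell example (not part of the original post) extracts the Account Policies entries from a GPO report and compares them with the domain's effective password policy. The helper name Get-GpoAccountPolicy and the embedded XML sample are constructed for illustration; the live part assumes the GroupPolicy and ActiveDirectory RSAT modules on a domain-joined machine.

```powershell
# Added example, not from the original post.
# Get-GpoAccountPolicy is a hypothetical helper name chosen for this example.
function Get-GpoAccountPolicy {
    param([Parameter(Mandatory)][xml]$Report)
    # Account Policies are reported as <Account> elements carrying a Name,
    # a SettingNumber or SettingBoolean, and a Type. local-name() keeps the
    # query independent of the namespace prefix used in the report.
    $Report.SelectNodes("//*[local-name()='Account']") | ForEach-Object {
        $value = $_.SelectSingleNode(
            "*[local-name()='SettingNumber' or local-name()='SettingBoolean']")
        [pscustomobject]@{
            Type  = $_.SelectSingleNode("*[local-name()='Type']").InnerText
            Name  = $_.SelectSingleNode("*[local-name()='Name']").InnerText
            Value = if ($value) { $value.InnerText } else { '(not defined)' }
        }
    }
}

# Constructed sample in the shape of Get-GPOReport -ReportType Xml output,
# so the parsing can be tried without a domain.
$sample = [xml]@'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Default Domain Policy</Name>
  <Computer><ExtensionData>
    <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Security">
      <q1:Account><q1:Name>MinimumPasswordLength</q1:Name><q1:SettingNumber>14</q1:SettingNumber><q1:Type>Password</q1:Type></q1:Account>
      <q1:Account><q1:Name>PasswordComplexity</q1:Name><q1:SettingBoolean>true</q1:SettingBoolean><q1:Type>Password</q1:Type></q1:Account>
      <q1:Account><q1:Name>LockoutBadCount</q1:Name><q1:SettingNumber>5</q1:SettingNumber><q1:Type>Account Lockout</q1:Type></q1:Account>
    </Extension>
  </ExtensionData></Computer>
</GPO>
'@
Get-GpoAccountPolicy -Report $sample | Format-Table -AutoSize

# Live check: runs only where both RSAT modules are available.
$needed = 'Get-GPOReport', 'Get-ADDefaultDomainPasswordPolicy'
if (@(Get-Command $needed -ErrorAction SilentlyContinue).Count -eq 2) {
    # What is stored in the GPO that was edited in Group Policy Management.
    [xml]$live = Get-GPOReport -Name 'Default Domain Policy' -ReportType Xml
    Get-GpoAccountPolicy -Report $live | Format-Table -AutoSize
    # What the domain currently enforces for domain accounts.
    Get-ADDefaultDomainPasswordPolicy |
        Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold
}
```

If the values in the GPO report and the effective policy differ, the change has not been applied yet.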