Solved

Should our corporate policy be to never edit the default domain policy?

Posted on 2008-10-15
457 Views
Last Modified: 2010-04-21
Hi. I am looking for some direction in determining our corporate policy on whether we will ever edit the Default Domain Policy in our Server 2003 Active Directory domain.

Right now I have inherited an AD setup in which the former administrator made all of his group policy changes through the Default Domain Policy. Is this recommended? We have had numerous issues where this has negatively affected things. Is it best practice to do ANYTHING in the default policy? I thought of maybe using it to control passwords, but I cannot think of any other legitimate reason to use the default policy.

What do others do with their Default Domain Policy? Should we not use it? I will award points for the most/best information that can be supplied.
Thanks!
Question by:merit_lclark
7 Comments
 
LVL 18

Assisted Solution

by:exx1976
exx1976 earned 50 total points
ID: 22723062
I only use the Default Domain Policy for things that legitimately need to be applied to ALL machines/users in the domain: password policy, WSUS settings, trusted sites for IE (our AV product installs from an HTTPS site on an internal server (Trend)). I think that's about it. Everything else is a GPO that's applied per OU, and even then, those are sliced up further by security groups as to who they apply to and who they don't. Then there's loopback processing enabled for the Citrix servers; the list goes on and on.

Short answer is no, nothing really beyond password policy and maybe event log settings should be changed in the default policy. The WSUS/IE stuff was just my own laziness.. LOL
 
LVL 7

Expert Comment

by:Mikealcl
ID: 22723108
I basically only use it for password policy. Everything else we apply in other places.
 
LVL 18

Accepted Solution

by:sk_raja_raja
sk_raja_raja earned 300 total points
ID: 22723260
It's always best policy to never edit the Default Domain Policy. http://technet2.microsoft.com/windowsserver/en/library/8fb08f1b-0e08-472d-83db-313e2e56e4001033.mspx?mfr=true

Be careful when you configure the settings in the Default Domain Policy. Every setting you configure in this GPO applies to every user and computer account in the domain unless these settings are overwritten by other domain GPOs having higher precedence or by GPOs linked to OUs. In particular, settings you configure in the Default Domain Policy will apply to your domain controllers unless they are overwritten by settings in the Default Domain Controllers Policy.

Moral of the story is: go ahead and configure account policies in the Default Domain Policy, but don't configure any other settings in this GPO or in any GPOs linked to the domain.
The policies that pertain to passwords, password complexity, etc. cannot be overridden anywhere else. The domain policy sets it and an OU cannot change it (nor can anyone else), even though the OU is at the top of the list when applying policies in general. Policies flow like Local ---> Site ---> Domain ---> OU

Here is an MS site: SEE THE HEADING "Setting Password Policies with Group Policy Objects"
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx
Another site:
http://www.unc.edu/itswin/ad-component/ouadmin.htm
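A check in the spirit of the advice in this thread, added here and not from any poster: it pulls the Default Domain Policy as an XML report and lists every configured setting that is not an Account Policy (password, lockout, Kerberos), so drift from "account policies only" shows up in a review. It assumes the GroupPolicy PowerShell module from RSAT / Windows Server 2008 R2 or later (which the original Server 2003 environment would not have had), read access to the GPO, and the function name is mine.

```powershell
# Added audit helper, not code from the thread. Assumes the GroupPolicy RSAT module
# (Windows Server 2008 R2 or later) and read access to the domain's GPOs.
Import-Module GroupPolicy

function Get-DefaultDomainPolicyDrift {
    param([string]$GpoName = 'Default Domain Policy')

    # Get-GPOReport -ReportType Xml returns the whole GPO as an XML string.
    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml

    # The report uses a default namespace plus one for the Security extension.
    $ns = New-Object System.Xml.XmlNamespaceManager($report.NameTable)
    $ns.AddNamespace('gp',  'http://www.microsoft.com/GroupPolicy/Settings')
    $ns.AddNamespace('sec', 'http://www.microsoft.com/GroupPolicy/Settings/Security')

    $findings = @()

    # One ExtensionData element per client-side extension that has data in this
    # GPO, on both the Computer and the User side.
    foreach ($ext in $report.SelectNodes('//gp:ExtensionData', $ns)) {
        $extName = $ext.SelectSingleNode('gp:Name', $ns).InnerText

        # Anything other than the Security extension (Registry, Scripts,
        # Software Installation, Folder Redirection, ...) does not belong here.
        if ($extName -ne 'Security') {
            $findings += "Non-security extension configured: $extName"
            continue
        }

        # Inside the Security extension, sec:Account elements carry the Account
        # Policies (Password, Account Lockout, Kerberos). Everything else
        # (SecurityOptions, UserRightsAssignment, EventLog, RestrictedGroups,
        # SystemServices, Audit, ...) is drift from "account policies only".
        $body = $ext.SelectSingleNode('gp:Extension', $ns)
        foreach ($node in $body.ChildNodes) {
            if ($node.LocalName -eq 'Account') { continue }
            $findings += "Security setting outside Account Policies: $($node.LocalName)"
        }
    }

    return $findings
}

# Example run: an empty result means the GPO holds nothing but Account Policies.
Get-DefaultDomainPolicyDrift | Sort-Object -Unique
```

Run it from a management workstation before and after a GPO clean-up; once the only remaining content is Account Policies, the output is empty.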
 
LVL 18

Assisted Solution

by:Americom
Americom earned 50 total points
ID: 22723585
Same thing here, only for password policy. For the rest I use separate GPOs with names relevant to their specific functions.
If all changes are in the one default policy, then it will make all other features meaningless: Block Inheritance, Restore Default, Filtering, etc. After all, you don't want to put all your eggs in one basket.....
 
LVL 7

Assisted Solution

by:DenisCooper
DenisCooper earned 50 total points
ID: 22724787
best practice:

DO NOT change any default policies unless you really have to. You can create new policies to overwrite the majority of the settings you need to...

Basically the reason for this is: you may know what changes have been made, but other admins might not be aware, you may leave, etc. So this means that the admins know what policies are applied by default, and only need to look at policies you have created.

Hope I made sense.
 
LVL 3

Assisted Solution

by:Azyre
Azyre earned 50 total points
ID: 22724878
This one's a simple answer: the more documentation you have down the road when you need to make a change in 2-3 years, the better. Plus it makes it easier to remove and re-add just certain aspects of your GPO without having to remember every little change you made as you're making them. Would you as an Admin rather see this:

Default Domain Policy

or this:

Default Domain Policy
Password Policy
Restricted Application Policy
Computer Policy for IT
Computer Policy for Finance
etc.
 

Author Closing Comment

by:merit_lclark
ID: 31506378
Thanks!