
Should our corporate policy be to never edit the default domain policy?

Posted on 2008-10-15
Last Modified: 2010-04-21
Hi. I am looking for some direction in determining our corporate policy on whether we will ever edit the Default Domain Policy in our Server 2003 Active Directory domain.

Right now I have inherited an AD setup in which the former administrator made all of his Group Policy changes through the Default Domain Policy. Is this recommended? We have had numerous issues where this has negatively affected things. Is it best practice to do ANYTHING in the default policy? I thought of maybe using it to control passwords, but I cannot think of any other legitimate reason to use the default policy.

What do others do with their default domain policy? Should we not use it? I will award points for the most/best information that can be supplied.
thanks!
Question by:merit_lclark
7 Comments
Assisted Solution

by:exx1976
exx1976 earned 50 total points
ID: 22723062
I only use the Default Domain Policy for things that legitimately need to be applied to ALL machines/users in the domain: password policy, WSUS settings, trusted sites for IE (our AV product installs from an HTTPS site on an internal server (Trend)). I think that's about it. Everything else is a GPO that's applied per OU, and even then, those are sliced up further by security groups as to who they apply to and who they don't. Then there is loopback processing enabled for the Citrix servers; the list goes on and on.

Short answer is no, nothing really beyond password policy and maybe event log settings should be changed in the default policy. The WSUS/IE stuff was just my own laziness.. LOL

Expert Comment

by:Mikealcl
ID: 22723108
I basically only use it for password policy.  Everything else we apply in other places.

Accepted Solution

by:sk_raja_raja
sk_raja_raja earned 300 total points
ID: 22723260
It's always best policy to never edit the Default Domain Policy. http://technet2.microsoft.com/windowsserver/en/library/8fb08f1b-0e08-472d-83db-313e2e56e4001033.mspx?mfr=true

Be careful when you configure the settings in the Default Domain Policy. Every setting you configure in this GPO applies to every user and computer account in the domain unless these settings are overwritten by other domain GPOs having higher precedence or by GPOs linked to OUs. In particular, settings you configure in the Default Domain Policy will apply to your domain controllers unless they are overwritten by settings in the Default Domain Controllers Policy.

Moral of the story is: go ahead and configure account policies in the Default Domain Policy, but don't configure any other settings in this GPO or in any GPOs linked to the domain.
The policies that pertain to passwords, password complexity, etc. cannot be overridden anywhere else. The domain policy sets it and an OU cannot change it (nor can anyone else), even though the OU is at the top of the list when applying policies in general. Policies flow like Local ---> Site ---> Domain ---> OU.

Here is an MS site: SEE THE HEADING "Setting Password Policies with Group Policy Objects"
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx
Another site:
http://www.unc.edu/itswin/ad-component/ouadmin.htm

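As an added example (editor's code, not part of the thread or of sk_raja_raja's answer), the following PowerShell audit checks the points the answer above makes: it lists every GPO linked at the domain root in precedence order, reports anything the Default Domain Policy carries beyond account policies, and reads back the password policy the domain actually enforces. It assumes the GroupPolicy and ActiveDirectory modules from RSAT (Windows Server 2008 R2 / Windows 7 RSAT or later; none of this exists on the Server 2003 toolset the question mentions) and an account that can read GPOs. The GUID is Microsoft's fixed, well-known identifier for the Default Domain Policy; the element names the script looks for inside the Security extension are the ones Get-GPOReport emits, and that assumption is noted in the code.

```powershell
# Added example, not code from the original thread.
# Assumes: RSAT GroupPolicy + ActiveDirectory modules (Server 2008 R2 / Win7 RSAT or later),
# run on a domain-joined management host by an account that can read GPOs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# Key on the well-known GUID, not the display name: the Default Domain Policy can be
# renamed, the GUID cannot.
$defaultDomainPolicyGuid = '31B2F340-016D-11D2-945F-00C04FB984F9'

# 1. Everything linked at the domain root, highest precedence first (Order 1 wins).
#    Account policies (password, lockout, Kerberos) for domain accounts are taken from
#    these links only; the same settings in an OU-linked GPO are ignored.
Write-Host "GPOs linked at $domainDN (Order 1 = highest precedence):"
(Get-GPInheritance -Target $domainDN).GpoLinks |
    Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# 2. Enumerate the client-side extensions configured in the Default Domain Policy.
[xml]$report = Get-GPOReport -Guid $defaultDomainPolicyGuid -ReportType Xml

# Only the Security extension belongs here, and within it only the Account settings.
# Anything else is a candidate to move into a purpose-built GPO linked where it is needed.
$findings = @()
foreach ($side in 'Computer', 'User') {
    $node = $report.GPO.$side
    if (-not $node -or -not $node.ExtensionData) { continue }

    foreach ($extData in @($node.ExtensionData)) {
        # <ExtensionData> carries an <Extension> body and a <Name> label; use XPath for
        # the label so it is not confused with the element's own .Name property.
        $extName = $extData.SelectSingleNode('*[local-name()="Name"]').InnerText
        if ($extName -ne 'Security') {
            $findings += "$side side: extension '$extName' is configured"
            continue
        }

        # Security extension: list its setting groups other than Account.
        # Assumption: Get-GPOReport emits groups as elements named Account, SecurityOptions,
        # UserRightsAssignment, EventLog, RestrictedGroups, etc.; Account is the one expected.
        $groups = @($extData.Extension.ChildNodes) |
            Where-Object { $_.NodeType -eq 'Element' } |
            Select-Object -ExpandProperty LocalName -Unique
        foreach ($g in $groups) {
            if ($g -ne 'Account') {
                $findings += "$side side: Security setting group '$g' is configured"
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'Default Domain Policy contains account policies only.'
} else {
    Write-Host 'Settings in the Default Domain Policy beyond account policies:'
    $findings | ForEach-Object { Write-Host "  $_" }
}

# 3. The password policy the domain actually enforces, read from the domain head.
#    Compare with the GPO report to confirm no other domain-linked GPO is winning.
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, MinPasswordAge,
                ComplexityEnabled, LockoutThreshold, LockoutDuration, LockoutObservationWindow
```

Run it before touching the inherited setup: the list under step 2 is the inventory of what has to be carved out into separate GPOs, and step 1 shows whether anything other than the Default Domain Policy is already linked at the domain root and sitting above it.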

Assisted Solution

by:Americom
Americom earned 50 total points
ID: 22723585
Same thing here, only for password policy. For the rest I use separate GPOs, each with a relevant name for its specific function.
If all changes are in one default policy, then it will make all the other features meaningless: Block Inheritance, Restore Default, Filtering, etc. After all, you don't want to put all your eggs in one basket...

Assisted Solution

by:DenisCooper
DenisCooper earned 50 total points
ID: 22724787
best practice:

DO NOT change any default policies unless you really have to. You can create new policies to overwrite the majority of the settings you need to...

Basically the reason for this is: you may know what changes have been made, but other admins might not be aware, you may leave, etc. This means that the admins know what policies are applied by default, and only need to look at the policies you have created.

Hope I made sense.

Assisted Solution

by:Azyre
Azyre earned 50 total points
ID: 22724878
This one's a simple answer: the more documentation you have down the road when you need to make a change in 2-3 years, the better. Plus it makes it easier to remove and re-add just certain aspects of your GPO without having to remember every little change you made as you're making them. Would you as an admin rather see this:

Default Domain Policy

or this:

Default Domain Policy
Password Policy
Restricted Application Policy
Computer Policy for IT
Computer Policy for Finance
etc.
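An added example (editor's code, not Azyre's or the thread's) that builds the layout listed above with the GroupPolicy module instead of editing the Default Domain Policy: one purpose-named GPO per function, linked at the OU where it applies, optional security-group filtering in the way exx1976 describes, and a domain-root-linked Password Policy GPO ordered above the Default Domain Policy so that, once its account settings are configured in GPMC, they are the ones the domain honours. It assumes the GroupPolicy and ActiveDirectory RSAT modules (Windows Server 2008 R2 / Windows 7 RSAT or later), rights to create and link GPOs, and that the OU and group names are placeholders to be replaced with your own.

```powershell
# Added example, not code from the original thread. Creates the per-function GPO layout
# Azyre lists instead of editing the Default Domain Policy.
# Assumptions: RSAT GroupPolicy + ActiveDirectory modules (Server 2008 R2 / Win7 RSAT or
# later), rights to create and link GPOs, and placeholder OU/group names below that you
# replace with your own.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$defaultDomainPolicyGuid = '31B2F340-016D-11D2-945F-00C04FB984F9'   # well-known, fixed GUID

# One entry per purpose-built GPO: display name, the container it links to, and an
# optional security group that should be the only thing it applies to.
# OU and group names are assumed placeholders, not values from the thread.
$plan = @(
    @{ Name = 'Password Policy';               Target = $domainDN;                               Group = $null }
    @{ Name = 'Restricted Application Policy'; Target = "OU=Workstations,$domainDN";             Group = 'GPO-RestrictedApps-Apply' }
    @{ Name = 'Computer Policy for IT';        Target = "OU=IT,OU=Workstations,$domainDN";       Group = $null }
    @{ Name = 'Computer Policy for Finance';   Target = "OU=Finance,OU=Workstations,$domainDN";  Group = $null }
)

function Initialize-Gpo {
    param([string]$Name)
    # Idempotent: reuse an existing GPO of that name so the script can be re-run safely.
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $Name -Comment 'Created by the GPO layout script; record the change ticket here.'
    }
    return $gpo
}

function Initialize-GpoLink {
    param([Microsoft.GroupPolicy.Gpo]$Gpo, [string]$Target)
    # Link only if not already linked at this container. Not enforced, so a child OU can
    # still block inheritance when that is the intent.
    $links = (Get-GPInheritance -Target $Target).GpoLinks
    if (-not ($links | Where-Object { $_.GpoId -eq $Gpo.Id })) {
        New-GPLink -Guid $Gpo.Id -Target $Target -LinkEnabled Yes | Out-Null
    }
}

foreach ($item in $plan) {
    $gpo = Initialize-Gpo -Name $item.Name
    Initialize-GpoLink -Gpo $gpo -Target $item.Target

    if ($item.Group) {
        # Security filtering: Authenticated Users keeps Read (computers must still be able
        # to read user-side GPOs since MS16-072), but only the named group gets Apply.
        Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
            -PermissionLevel GpoRead -Replace | Out-Null
        Set-GPPermission -Guid $gpo.Id -TargetName $item.Group -TargetType Group `
            -PermissionLevel GpoApply | Out-Null
    }

    if ($item.Target -eq $domainDN) {
        # Account policies are only honoured from GPOs linked at the domain root, and the
        # highest-precedence link (Order 1) wins. Put the Password Policy GPO above the
        # Default Domain Policy; its actual password/lockout settings are then set in GPMC,
        # there is no cmdlet for security settings.
        Set-GPLink -Guid $gpo.Id -Target $domainDN -Order 1 | Out-Null
    }
}

# Show the resulting precedence at the domain root and at the workstation OU.
foreach ($container in $domainDN, "OU=Workstations,$domainDN") {
    Write-Host "`nLinks at $container (Order 1 = highest precedence):"
    (Get-GPInheritance -Target $container).GpoLinks |
        Sort-Object Order |
        Format-Table Order, DisplayName, Enabled, Enforced -AutoSize
}

# The Default Domain Policy itself is never edited here; confirm it is still in place.
Get-GPO -Guid $defaultDomainPolicyGuid | Format-List DisplayName, Id, ModificationTime
```

The two things worth checking after running it are the Order column at the domain root (the Password Policy link must sit at 1, above the Default Domain Policy, or the Default Domain Policy's account settings keep winning) and that Authenticated Users still has Read on any filtered GPO; stripping Read entirely is the classic security-filtering mistake.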

Author Closing Comment

by:merit_lclark
ID: 31506378
Thanks!