Solved

Should our corporate policy be to never edit the default domain policy?

Posted on 2008-10-15
7
483 Views
Last Modified: 2010-04-21
Hi. I am looking for some direction in determining our corporate policy on if we will ever edit the default domain policy in our server 2003 active directory domain.

Right now I have inherited an AD setup in which the former administrator made all of his group policy changes through the default domain policy. Is this recommended? We have had numerous issues where this has negatively affected things. Is it best practice to do ANYTHING in the default policy? I thought of maybe using it to control passwords, but I cannot think of any other legitimate reason to use the default policy.

What do others do with their default domain policy? Should we not use it? I will award points for the most/best information that can be supplied.
Thanks!
0
Comment
Question by:merit_lclark
7 Comments
 
LVL 18

Assisted Solution

by:exx1976
exx1976 earned 50 total points
ID: 22723062
I only use default domain policy for things that legitimately need to be applied to ALL machines/users in the domain. Password policy, WSUS settings, trusted sites for IE (our AV product installs from an HTTPS site on an internal server (Trend)), I think that's about it. Everything else is GPO that's applied per OU, and even then, those are sliced up further by Security Groups as to who they apply to and who they don't. Then there's Loopback processing enabled for the Citrix servers, the list goes on and on.

Short answer is no, nothing really beyond password policy and maybe event log settings should be changed in the default policy. The WSUS/IE stuff was just my own laziness.. LOL
0
 
LVL 7

Expert Comment

by:Mikealcl
ID: 22723108
I basically only use it for password policy. Everything else we apply in other places.
0
 
LVL 18

Accepted Solution

by:sk_raja_raja
sk_raja_raja earned 300 total points
ID: 22723260
It's always best policy to never edit the Default Domain Policy. http://technet2.microsoft.com/windowsserver/en/library/8fb08f1b-0e08-472d-83db-313e2e56e4001033.mspx?mfr=true

Be careful when you configure the settings in the Default Domain Policy. Every setting you configure in this GPO applies to every user and computer account in the domain unless these settings are overwritten by other domain GPOs having higher precedence or by GPOs linked to OUs. In particular, settings you configure in the Default Domain Policy will apply to your domain controllers unless they are overwritten by settings in the Default Domain Controllers Policy.

Moral of the story is: go ahead and configure account policies in the Default Domain Policy, but don't configure any other settings in this GPO or in any GPOs linked to the domain.
The policies that pertain to passwords, password complexity, etc. cannot be overridden anywhere else. The domain policy sets it and an OU cannot change it (nor can anyone else) even though the OU is at the top of the list when applying policies in general. Policies flow like Local ---> Site ---> Domain ---> OU

Here is an MS site: SEE THE HEADING "Setting Password Policies with Group Policy Objects"
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx
Another site:
http://www.unc.edu/itswin/ad-component/ouadmin.htm

0
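The precedence rules this answer describes (Local ---> Site ---> Domain ---> OU, a later scope overwriting an earlier one, and account policy for domain accounts coming only from domain-linked GPOs so an OU cannot change it) as a small Python model, extended to cover Block Inheritance and Enforced links. This is an added example, not code from the thread or from Microsoft; the setting names, GPO names and OU layout are constructed for illustration.

```python
from dataclasses import dataclass

# Domain accounts take these settings only from domain-linked GPOs, so an OU-linked
# GPO cannot change them (constructed key names, not the real policy identifiers).
ACCOUNT_KEYS = {"MinimumPasswordLength", "PasswordComplexity", "LockoutThreshold"}
@dataclass
class GpoLink:
    name: str
    settings: dict
    enforced: bool = False
@dataclass
class Scope:
    kind: str            # "local", "site", "domain" or "ou"
    links: list          # GpoLink objects in link order; index 0 has highest precedence
    block_inheritance: bool = False

def resulting_set(chain):
    """chain runs Local -> Site -> Domain -> OU down to the object's own OU; returns
    (effective settings, winning GPO per setting) for a domain account."""
    effective, source = {}, {}
    def apply(link, account):    # copy either the account-policy keys or the others
        for key, value in link.settings.items():
            if (key in ACCOUNT_KEYS) == account:
                effective[key], source[key] = value, link.name
    # Pass 1: ordinary links in LSDOU order, later scope wins; Block Inheritance on a
    # deeper scope discards every non-enforced link above it.
    for depth, scope in enumerate(chain):
        blocked = any(s.block_inheritance for s in chain[depth + 1:])
        for link in reversed(scope.links):
            if not link.enforced and not blocked:
                apply(link, account=False)
    # Pass 2: Enforced links beat everything below them; the highest scope wins.
    for scope in reversed(chain):
        for link in reversed(scope.links):
            if link.enforced:
                apply(link, account=False)
    # Pass 3: account policy comes only from the domain-linked GPOs, whatever OUs do.
    for scope in chain:
        if scope.kind == "domain":
            for link in reversed(scope.links):
                apply(link, account=True)
    return effective, source

def finance_example(block_inheritance=False):
    # Constructed sample: Default Domain Policy and an Enforced baseline at the domain,
    # plus a Finance OU GPO that tries to override all three kinds of setting.
    domain = Scope("domain", [
        GpoLink("Default Domain Policy", {"MinimumPasswordLength": 7,
                "WSUSServer": "wsus.corp.example", "TrustedSites": "https://av.corp.example"}),
        GpoLink("Corp Baseline", {"ScreenSaverTimeout": 900}, enforced=True)])
    finance = Scope("ou", [GpoLink("Finance Lockdown", {"MinimumPasswordLength": 14,
        "WSUSServer": "wsus-fin.corp.example", "ScreenSaverTimeout": 3600, "DisableUSB": True})],
        block_inheritance)
    return resulting_set([domain, finance])
```

Running `finance_example()` shows the OU GPO winning the WSUS setting, the Enforced baseline keeping the screen saver timeout, and the password length staying at the Default Domain Policy's value; with `block_inheritance=True` the non-enforced domain setting (TrustedSites) disappears while the account policy still stands.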
 
LVL 18

Assisted Solution

by:Americom
Americom earned 50 total points
ID: 22723585
Same thing here, only for password policy. For the rest I use separate GPOs with relevant names for specific functions.
If all changes are in one default policy, then it will make all other features meaningless: Block Inheritance, Restore default, Filtering etc. After all, you don't want to put all eggs in 1 basket.....
0
 
LVL 7

Assisted Solution

by:DenisCooper
DenisCooper earned 50 total points
ID: 22724787
Best practice:

DO NOT change any default policies unless you really have to. You can create new policies to overwrite the majority of the settings you need to...

Basically the reason for this is: you may know what changes have been made, but other admins might not be aware - you may leave etc. - so this means that the admins know what policies are applied by default, and only need to look at policies you have created.

Hope I made sense.
0
 
LVL 3

Assisted Solution

by:Azyre
Azyre earned 50 total points
ID: 22724878
This one's a simple answer: the more documentation you have down the road when you need to make a change in 2-3 years the better. Plus it makes it easier to remove and re-add just certain aspects of your GPO without having to remember every little change you made as you're making them. Would you as an Admin rather see this:

Default Domain Policy

or this:

Default Domain Policy
Password Policy
Restricted Application Policy
Computer Policy for IT
Computer Policy for Finance
etc.
0
 

Author Closing Comment

by:merit_lclark
ID: 31506378
Thanks!
0
