Solved

Should our corporate policy be to never edit the default domain policy?

Posted on 2008-10-15
480 Views
Last Modified: 2010-04-21
Hi. I am looking for some direction in determining our corporate policy on whether we will ever edit the default domain policy in our Server 2003 Active Directory domain.

Right now I have inherited an AD setup in which the former administrator made all of his group policy changes through the default domain policy. Is this recommended? We have had numerous issues where this has negatively affected things. Is it best practice to do ANYTHING in the default policy? I thought of maybe using it to control passwords, but I cannot think of any other legitimate reason to use the default policy.

What do others do with their default domain policy? Should we not use it? I will award points for the most/best information that can be supplied.
thanks!
0
Question by:merit_lclark
7 Comments
 
LVL 18

Assisted Solution

by:exx1976
exx1976 earned 50 total points
ID: 22723062
I only use the default domain policy for things that legitimately need to be applied to ALL machines/users in the domain: password policy, WSUS settings, trusted sites for IE (our AV product installs from an HTTPS site on an internal server (Trend)), and I think that's about it. Everything else is a GPO that's applied per OU, and even then, those are sliced up further by security groups as to who they apply to and who they don't. Then there's loopback processing enabled for the Citrix servers; the list goes on and on.

Short answer is no, nothing really beyond password policy and maybe event log settings should be changed in the default policy. The WSUS/IE stuff was just my own laziness.. LOL
0
 
LVL 7

Expert Comment

by:Mikealcl
ID: 22723108
I basically only use it for password policy.  Everything else we apply in other places.
0
 
LVL 18

Accepted Solution

by:
sk_raja_raja earned 300 total points
ID: 22723260
It's always best policy to never edit the Default Domain Policy. http://technet2.microsoft.com/windowsserver/en/library/8fb08f1b-0e08-472d-83db-313e2e56e4001033.mspx?mfr=true

Be careful when you configure the settings in the Default Domain Policy. Every setting you configure in this GPO applies to every user and computer account in the domain unless these settings are overwritten by other domain GPOs having higher precedence or by GPOs linked to OUs. In particular, settings you configure in the Default Domain Policy will apply to your domain controllers unless they are overwritten by settings in the Default Domain Controllers Policy.

Moral of the story is: go ahead and configure account policies in the Default Domain Policy, but don't configure any other settings in this GPO or in any GPOs linked to the domain.
The policies that pertain to passwords, password complexity, etc. cannot be overridden anywhere else. The domain policy sets it and an OU cannot change it (nor can anyone else), even though the OU is at the top of the list when applying policies in general. Policies flow like Local--->Site--->Domain--->OU.

Here is an MS site:  SEE THE HEADING "Setting Password Policies with Group Policy Objects"
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx
Another site:
http://www.unc.edu/itswin/ad-component/ouadmin.htm

0
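The check behind the accepted answer, written as an added PowerShell example (it is not code from the thread): pull the Default Domain Policy as an XML report and list every configured area that is not a domain account policy, so it can be moved into a GPO of its own. It assumes the GroupPolicy module (Windows Server 2008 R2 RSAT or later, so an administrative workstation newer than the Server 2003 domain in the question), rights to read the GPO, and the element names (ExtensionData, Extension, Account, Type) that Get-GPOReport emits in its XML schema.

```powershell
# Added example, not from the thread. Lists everything configured in the
# Default Domain Policy that is not a domain account policy (password,
# lockout, Kerberos), so it can be moved into a purpose-named GPO.
# Assumes the GroupPolicy module (Server 2008 R2 RSAT or later) and rights
# to read the GPO; element names follow the Get-GPOReport XML schema.
Import-Module GroupPolicy

# Read the text of a child element by local name, ignoring namespace prefixes
function Get-ChildText {
    param([System.Xml.XmlNode]$Node, [string]$LocalName)
    $child = $Node.ChildNodes | Where-Object { $_.LocalName -eq $LocalName } | Select-Object -First 1
    if ($child) { $child.InnerText } else { $null }
}

function Get-DefaultDomainPolicyAudit {
    param([string]$GpoName = 'Default Domain Policy')

    # -ReportType Xml returns the whole GPO as an XML string
    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml

    $findings = @()
    foreach ($scope in 'Computer', 'User') {
        foreach ($extData in @($report.GPO.$scope.ExtensionData)) {
            if ($null -eq $extData) { continue }
            $area = $extData.Name        # 'Security', 'Registry', 'Scripts', ...
            $ext  = $extData.Extension

            if ($area -ne 'Security') {
                # Administrative templates, scripts, software installation,
                # IE settings: none of these belong in the Default Domain Policy
                $findings += [pscustomobject]@{
                    Scope = $scope; Area = $area; Setting = '(entire area)'; Allowed = $false
                }
                continue
            }

            # Inside Security Settings only <Account> entries are the
            # domain-wide account policies; Audit, EventLog,
            # UserRightsAssignment, SecurityOptions etc. are flagged
            $settings = $ext.ChildNodes | Where-Object { $_.NodeType -eq 'Element' }
            foreach ($node in $settings) {
                if ($node.LocalName -eq 'Account') {
                    $findings += [pscustomobject]@{
                        Scope   = $scope; Area = $area
                        Setting = '{0}: {1}' -f (Get-ChildText $node 'Type'), (Get-ChildText $node 'Name')
                        Allowed = $true
                    }
                } else {
                    $findings += [pscustomobject]@{
                        Scope = $scope; Area = $area; Setting = $node.LocalName; Allowed = $false
                    }
                }
            }
        }
    }
    $findings
}

# Anything with Allowed = False is a candidate for its own GPO
Get-DefaultDomainPolicyAudit | Where-Object { -not $_.Allowed } | Format-Table -AutoSize
```

Run it before and after cleaning up an inherited domain: the goal is an empty result, which means the Default Domain Policy carries only the account policies that, as the answer notes, can only take effect from a GPO linked at the domain level anyway.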
 
LVL 18

Assisted Solution

by:Americom
Americom earned 50 total points
ID: 22723585
Same thing here, only for password policy. The rest I use separate GPOs with a relevant name for each specific function.
If all changes are in one default policy then it will make all the other features meaningless: Block Inheritance, Restore default, Filtering, etc. After all, you don't want to put all your eggs in one basket.....



0
 
LVL 7

Assisted Solution

by:DenisCooper
DenisCooper earned 50 total points
ID: 22724787
best practice:

DO NOT change any default policies unless you really have to. You can create new policies to overwrite the majority of his settings that you need to...

Basically the reason for this is: you may know what changes have been made, but other admins might not be aware, you may leave, etc., so this means that the admins know what policies are applied by default, and only need to look at policies you have created.

Hope I made sense.
0
 
LVL 3

Assisted Solution

by:Azyre
Azyre earned 50 total points
ID: 22724878
This one's a simple answer: the more documentation you have down the road when you need to make a change in 2-3 years, the better. Plus it makes it easier to remove and re-add just certain aspects of your GPO without having to remember every little change you made as you're making them. Would you as an admin rather see this:

Default Domain Policy

or this:

Default Domain Policy
Password Policy
Restricted Application Policy
Computer Policy for IT
Computer Policy for Finance
etc.
0
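The layout in the answer above, built as an added PowerShell example rather than anything posted in the thread: one descriptively named GPO per purpose, each linked only where it applies, with the Default Domain Policy backed up first and left to carry account policy alone. It assumes the GroupPolicy module (Windows Server 2008 R2 RSAT or later), a domain named corp.example with existing Workstations, IT and Finance OUs, and a writable C:\GPOBackups folder; all of those names are made up for the example.

```powershell
# Added example, not from the thread. Creates the per-function GPO layout
# described above instead of piling settings into Default Domain Policy.
# Assumes the GroupPolicy module (Server 2008 R2 RSAT or later), a domain
# corp.example with Workstations, IT and Finance OUs (invented names), and
# a session with rights to create and link GPOs.
Import-Module GroupPolicy

$domainDn  = 'DC=corp,DC=example'
$backupDir = 'C:\GPOBackups'

# 1. Back up the policy we are about to stop relying on, so anything moved
#    out of it can be compared against the original later.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
Backup-GPO -Name 'Default Domain Policy' -Path $backupDir -Comment 'Before splitting settings out' | Out-Null

# 2. Define each policy by purpose and scope. Password policy is deliberately
#    not in this table: it stays in the Default Domain Policy because account
#    policy only takes effect from a GPO linked at the domain root.
$plan = @(
    @{ Name = 'Restricted Application Policy'; Target = "OU=Workstations,$domainDn"; Comment = 'Software restriction rules for workstations' }
    @{ Name = 'Computer Policy for IT';        Target = "OU=IT,$domainDn";           Comment = 'IT workstation settings' }
    @{ Name = 'Computer Policy for Finance';   Target = "OU=Finance,$domainDn";      Comment = 'Finance workstation settings' }
)

foreach ($p in $plan) {
    # Idempotent: reuse the GPO if a previous run already created it
    $gpo = Get-GPO -Name $p.Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $p.Name -Comment $p.Comment
    }

    # Link it only where it applies; skip if that link already exists
    $existing = (Get-GPInheritance -Target $p.Target).GpoLinks |
        Where-Object { $_.DisplayName -eq $p.Name }
    if (-not $existing) {
        New-GPLink -Name $p.Name -Target $p.Target -LinkEnabled Yes | Out-Null
    }
}

# 3. Show what is linked at the domain root. Only Default Domain Policy
#    (account policy) should remain there; everything else now lives in
#    a named GPO on the OU it is meant for.
(Get-GPInheritance -Target $domainDn).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced
```

The script never edits the Default Domain Policy itself; moving a setting out of it is still a manual step of configuring the new GPO and then removing the setting from the default one, with the backup from step 1 as the reference for what was there.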
 

Author Closing Comment

by:merit_lclark
ID: 31506378
Thanks!
0
