Microsoft best practices applied to Windows Default Domain policy or Default Domain Controller Policy?

Hello, I've researched Microsoft best practices about LM and NTLM being weak protocols and should not be allowed to be used and the following group policies-
•      Domain member: Require strong (Windows 2000 or later) session key: Enabled.
•      Domain member: Digitally encrypt or sign secure channel data (always): Enabled.
•      Network Security: LAN Manger authentication level: Send NTLMv2 response only\refuse LM & NTLM.       
•      Network Security: Do not store LAN Manager hash value on next password change: Enabled.

Should I enable these in the Default Domain Policy or Default Domain Controller Policy? Also I assume these apply to Machine Policy? If someone can point me to exactly where these should be enabled, I would appreciate it.
XAnalyzerAsked:
Who is Participating?
 
Adam BrownConnect With a Mentor Sr Solutions ArchitectCommented:
Best Practices are to avoid modifying the Default Domain Policy and Default Domain Controllers policy, as they contain many settings that are needed for AD to operate correctly. If you want to set the policies you've outlined, create a new GPO and link it at the domain level, then set those settings. If you are blocking inheritence anywhere in your environment, you'll also want to set the GPO as Enforced. Once that's done, the settings will be applied to all systems in the network.
0
 
Adam BrownSr Solutions ArchitectCommented:
Err, sorry. It will be applied to all systems in the domain (gotta be technically correct I suppose)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.