Solved

Microsoft best practices applied to Windows Default Domain policy or Default Domain Controller Policy?

Posted on 2011-03-25
2
844 Views
Last Modified: 2012-05-11
Hello, I've researched Microsoft best practices about LM and NTLM being weak protocols and should not be allowed to be used and the following group policies-
•      Domain member: Require strong (Windows 2000 or later) session key: Enabled.
•      Domain member: Digitally encrypt or sign secure channel data (always): Enabled.
•      Network Security: LAN Manger authentication level: Send NTLMv2 response only\refuse LM & NTLM.       
•      Network Security: Do not store LAN Manager hash value on next password change: Enabled.

Should I enable these in the Default Domain Policy or Default Domain Controller Policy? Also I assume these apply to Machine Policy? If someone can point me to exactly where these should be enabled, I would appreciate it.
0
Comment
Question by:XAnalyzer
  • 2
2 Comments
 
LVL 39

Accepted Solution

by:
Adam Brown earned 250 total points
ID: 35219264
Best Practices are to avoid modifying the Default Domain Policy and Default Domain Controllers policy, as they contain many settings that are needed for AD to operate correctly. If you want to set the policies you've outlined, create a new GPO and link it at the domain level, then set those settings. If you are blocking inheritence anywhere in your environment, you'll also want to set the GPO as Enforced. Once that's done, the settings will be applied to all systems in the network.
0
 
LVL 39

Expert Comment

by:Adam Brown
ID: 35219267
Err, sorry. It will be applied to all systems in the domain (gotta be technically correct I suppose)
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
ADMT 3.2 LAB Computer Migration not successful 2 48
2003 Server DNS/FS errors 6 50
EXCHANGE, ACTIVE DIRECTORY 1 31
remove computer from using logon script 17 21
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
Why pager replacement is still an issue OnPage has what some might call a “hate/hate” relationship with pagers. Not much room for love. As we see it, pagers are an antiquated bit of technology. Pagers are dinosaurs which, like most dinosaurs, sho…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question