mikey250

cannot logon because logon method is not allowed win 7

Hi, I am currently running a Win 2003 local domain via an ISA 2006 firewall with XP clients successfully. I need some advice on a couple of specific issues below.

Important: I never normally re-order the precedence list, i.e. 1, 2, 3 etc., so maybe this is why I have always had issues: messing around troubleshooting and not knowing what I did, thinking that gpupdate, gpupdate /force or gpupdate /sync resolves everything, but now I think I realise it doesn't!!!

I am planning on upgrading to Win 2008, but I wish to resolve some of my own learning-curve nightmare issues, due to lack of understanding and sometimes trial-and-error troubleshooting, as described below. I have read things but am not quite understanding, as practical tests are not following the expected procedure unless I have things back to front.

Note: I never configure the 'default domain policy' and leave it at the default settings; instead I do the below:

Note: when I logged onto each domain member server, they did not receive the 'proxy' details and had no internet access, so I 'created & linked the default DC policy' as per the screenshot and set the precedence for: default DC policy.

- After carrying out the above step, all domain member servers received the 'proxy' details and internet access was successful.

I have also joined a Win 7 laptop to the domain with a roaming profile, and 'folder redirection' is successful as per the Event Viewer.

Issues I have below:

1. When I try to access the internet it does not receive the 'proxy internet' settings via 'Internet Options'.

2. When I run the Internet Explorer diagnostics, it states that DNS is not detected/not responding, even though my master DC/AD/DNS/DHCP/GPO server does not show any errors in the Event Viewer and DHCP has allocated a dynamic address as expected. I have also cross-checked the IP address on the Win 7 laptop and it matches the DHCP address allocated.

Random changes below:

The only thing I have done is add the 'default DC policy' directly above the 'default domain policy', as per the screenshot.

I have been playing around with the GPO order of preference via the following:

- linked group policy objects
- group policy inheritance

As they are numbered 1, 2, 3 etc. I'm not really understanding what this does, although I assume precedence order 1 will take priority, or if added to the bottom, i.e. 3, 2, 1, then precedence 1 still takes priority instead of 3.

Note: the issue I have now is that when I log on via my Win 7 laptop it states:

"you cannot logon because the logon method you are using is not allowed on this computer"

Normally when I create GPOs, I leave the 'computer config & user config' in the same GPO, but I was advised to separate them, so I did, for example as per the screenshot attached.

fileserver
- fileserver - gpo
- fileuser - gpo - only domain admin logs on

Question 1. Can anyone advise whether changing the precedence order decides if the servers or PCs receive their specifically configured GPO or not?

Question 2. All my machines are OK, except for my Win 7 laptop, so please help?
default-dc-gpo.docx
win7gpo.docx
ASKER CERTIFIED SOLUTION
Mahesh
mikey250

ASKER

Hi Mahesh, screenshots are attached to the main thread.

Just to clarify the below comments:

"note that default domain controller policy is domain controller specific policy and should not \ never be applied at domain level.
applying domain controller policies at domain level will simply create malfunction and unnecessary results."

- Normally I do not edit the built-in GPO for 'default domain policy'.

- Normally I edit the 'default domain controller policy' and configure settings there. Do you mean I should never configure anything in the 'default domain controller policy' and should configure the GPO for the single domain in the 'default domain policy'?
SOLUTION
Hi Mahesh,

Just to clarify the below comments:

"note that default domain controller policy is domain controller specific policy and should not \ never be applied at domain level.
applying domain controller policies at domain level will simply create malfunction and unnecessary results."

- Normally I do not edit the built-in GPO for 'default domain policy'. I do know that if I configure the proxy ((here)) it sets the proxy on all domain member servers and client machines, but I only do that as a test to confirm internet access, and I wish to add and remove internet access specific to a host (XP or Win 7) via a separate GPO. That is where I get confused.

- Normally I edit the 'default domain controller policy' and configure settings there, specifically as per the screenshots, only the below, and also the same on all multiple OUs for the fileprintserver, wsus1 and isa2006 domain member servers (as a basic):

Do you mean I should never configure anything in the 'default domain controller policy' and should configure the GPO for the single domain in the 'default domain policy'?
Step 1

- First of all, remove / unlink the default domain controller policy linked to the domain.

- Then run gpupdate /force /sync on the domain controller, followed by a reboot.

Task complete below:

itsolutions.local
default domain controller policy - deleted
default domain policy - left by default

Logged on to each domain member server and restarted each machine - done.

Step 2

Will open:

itsolutions.local
default domain policy - will add user config: proxy details, and confirm all servers have internet access.

Question 1. "applying domain controller policies at domain level will simply create malfunction and unnecessary results." Why malfunction? Surely that's how I configure a single domain controller if I wish, rather than have widespread GPO configurations via 'default domain policy'?
SOLUTION
Hi,

When you say 'domain level' I keep wondering, do you mean:

- default domain policy
or
- default domain controller policy

"domain controller policies are actually security policies and they are designed for domain controllers only."

- Yes, I know, but as I only have (1 domain controller) I only configure it for 'windows updates & slow network 0 (meaning fast)', plugged into a local Cisco 2950 switch.

I have now removed the 'internet/proxy settings' from the following, meaning there are no internet/proxy settings configured via any GPO at all.

Note: only my ISA 2006 firewall policy is configured for internet access, but surely if the proxy is removed from all GPOs so there are (none), then internet access should fail...?

Master DC

- default domain policy - proxy settings removed
- gpo xp - proxy settings removed

Ran: gpupdate /force
Restarted master DC
Logged back on

XP desktop:

Logged on as a normal domain user and did not run: gpupdate /force
Restarted
Logged back on
Proxy details visually still there and I can still access the internet - why?
I have rebooted all machines multiple times and run: gpupdate and gpupdate /force /sync.

Even though I have removed all traces of internet/proxy access on all servers and machines, I can still log on to my XP desktop and still browse the internet.

- I can however manually remove the internet/proxy settings that are left, and then there is no internet access, but that does not make sense, as I assumed that after removing the GPO the internet proxy settings would be auto-removed from each server and XP machine, but they are not...!

The only thing I can think of is that my ISA 2006 firewall is still configured for internet access, but I assumed the control was through the GPO.

I have now set the following to enforced:

- ISA 2006 firewall
- XP

This still does not make a difference.
I am completely confused now.
SOLUTION
Morning, yes I removed it as per yesterday's comments shown below:

- First of all, remove / unlink the default domain controller policy linked to the domain.

- Then run gpupdate /force /sync on the domain controller, followed by a reboot.

Task complete below:

itsolutions.local
default domain controller policy - deleted
default domain policy - left by default

---------------------------------------

"please note that once proxy settings are applied to machines they will not be removed automatically even if you remove the policy" - OK, but why?

"in order to remove proxy settings, just go to default domain policy and configure an empty policy there." - Yes, done yesterday by resetting the browser back to default, i.e. none.

"now when next time user logs on they will get empty proxy settings and they cannot access internet."

Is that what you want?

- Yes, the internet proxy details have now been removed. I did not realise I had to configure it as 'blank' in order for it to be removed.

Hi Mahesh, now that the internet/proxy details have been removed, I would like to move on to part of my other query in the main thread, as below:

Question 1. Can you advise on the below?

I have been playing around with the GPO order of preference via the following:

- linked group policy objects
- group policy inheritance

As they are numbered 1, 2, 3 etc. I'm not really understanding what this does, although I assume precedence order 1 will take priority, or if added to the bottom, i.e. 3, 2, 1, then precedence 1 still takes priority instead of 3.
SOLUTION
Hi,

Just to remind you, I have multiple 'OUs & groups' as per the main screenshot.

For example, if I select:

OU - fileprinter server (all domain member servers are exactly as below)

Link order tab - precedence order:

fileserver - 1 - highest priority
fileusers - 2 - lowest priority

GPO inheritance tab - precedence order:

fileserver - 1 - highest priority
fileusers - 2 - 2nd lowest priority
default domain policy - 3 - lowest priority


----------------------------------------------

OU - windows7users (Win 7 & XP are exactly as below)

Linked order tab - precedence order:

win7pc - 1 - highest priority
win7user - 2 - lowest priority

GPO inheritance tab - precedence order:

win7pc - 1 - highest priority
win7user - 2 - 2nd lowest priority
default domain - 3 - lowest priority
That's right

Mahesh
Hi, I wanted to correct the Win 7 & laptop entries as below, so ignore the previous and look at the below, as surely the GPO inheritance would be (win7users 1st) so that the internet proxy settings take effect?

OU - windows7users (Win 7 & XP are exactly as below)

Linked order tab - precedence order:

win7users - 1 - highest priority
win7pc - 2 - lowest priority

GPO inheritance tab - precedence order:

win7users - 1 - highest priority
win7pc - 2 - 2nd lowest priority
default domain - 3 - lowest priority
SOLUTION
Hi Mahesh,

You say:

"also if you look in details, you will come to know that you can't change gpo inheritance order."

- I slightly disagree, because if I click on 'linked group policy objects' I can change the precedence order, and in turn then access 'group policy inheritance' and switch the 1 or bottom number around.


"if you want to disable gpo inheritance, you need to select that ou in gpmc and right click and select "block inheritance."

- Yes, I can see, as I have now resolved the 'XP - internet/proxy' issue with your advice!!!! And now I can see how the precedence order works, so now I can appreciate 'block inheritance'.

"this will ensure that only policies applied to that OU will get applied and upper-level domain policies will get blocked"

- OK

--------------------------------------------------

Note the following below:

xpusers
xp-pc

But in 'xpusers' I have only configured the 'user config' for:

- folder redirection
- internet/proxy
- interval updates

But in 'xp-pc' I have only configured the 'computer config' for:

- windows updates
- specify intranet microsoft update service location
- windows update frequency
- enable client-side targeting

So if the link order is as below:

linked group policy objects tab

xpusers - 1
xp-pc - 2

group policy inheritance tab

precedence order

xpusers - 1
xp-pc - 2
default domain policy - 3

Question 1. My question then is, if 'xpusers - 1' is the highest priority, how does 'xp-pc - 2' also integrate the following into the OU/GPO?

- windows updates
- windows update frequency
- set intranet ms update service location

I can only assume the XP OU/GPO integrates the following:

- default domain policy 3 - as it is the lowest priority it is absorbed 1st

- xp-pc - 2 - as it takes 2nd priority this is also then absorbed 2nd

- xp-users - 1 - as it takes 1st priority this is absorbed 3rd, but it is actually the highest priority, so this ensures the 'user config' is also added, i.e.:

internet/proxy, for example?
SOLUTION
Hi again, one thing that has always confused me.

Question 1. When I edit each GPO I access them directly below the:

domainname.local

But when I view below, I see a folder called:

group policy objects - and in this folder it lists all GPOs, where they can also be edited.

Question 2. Should I edit each GPO directly below the 'domainname.local' or via 'group policy objects'?
SOLUTION
Morning Mahesh, I have one last question, then this thread is definitely closed.


Question 1. I have created the following for the domain member servers, but as I am only logging on with the 'domain administrator account', should I remove the following for 'user config'?

domainname.local

domain controller
- default domain controller policy

computer config:
- fileserver

user config:
- fileusers - shall I remove?

computer config:
- isa2006server

user config:
- isa2006users - shall I remove?

computer config:
- wsusserver

user config:
- wsususer - shall I remove?

I will close and allocate points now, and thanks for your patience and advice! Appreciated.
SOLUTION
Morning, when you gave me advice yesterday I did add the 'internet/proxy' details to each domain member server to ensure I could receive internet access, which was successful, but most importantly removed them, as you advised: I should enable the 'internet/proxy' settings but leave them blank.

So when I ran gpupdate /force on the DC, rebooted and then logged onto the domain member servers, the internet/proxy details were also removed and no internet access was allowed. So that solved my problem.

- As a result of the above, I have now removed the 'internet/proxy' details, so the domain member servers do not require internet access, hence my question about removing the 'domain member servers - user config', as nothing else is configured...

And as I am using the domain admin account, and this has automatic privilege to log on anyway, I just assumed that 'user config' could be removed.......

Unless I wanted the domain member servers to have internet access... other than that, I don't know of anything else that the 'user config' is required to keep..

- Unless you know, then please let me know?
SOLUTION
Morning Mahesh,

All my domain member servers only had 'internet/proxy' configured via:

user config: after confirming 'internet/proxy' was successful, I then removed it. So there is no current use for user config, as far as I know.

If I wish to force 'internet/proxy' via the whole domain, following your advice I will access:

itsolutions.local
default domain policy - enable internet/proxy here or create and link a new GPO, as you advised. I have tested this and yes, it is successful, but it is now removed.

I have created an 'OU' for each domain member server so they are completely separate. Each server's computer config is identical.

Note: one thing that I don't quite understand is when to use, or not to use, 'enforced'?

Otherwise all your advice is good.
SOLUTION
Hi Mahesh, thanks for that clarity on 'enforced'. I think I will select 'enforce' on each and every one of my multiple OUs, even though they are part of the same single domain.

If I then wished to take control of the whole domain, at least I can access the 'default domain policy' and overrule by precedence the 'internet/proxy', for example, which will force the 'enforced multiple OUs' to use different 'internet/proxy' details if I wish, even if each 'multiple OU/group' has been 'enforced'.

For example - so thanks for that clarity.
Sound advice!
Normally you would set global policies at the top level (i.e. domain level) to enforced only if required, so that if individual OU policies try to overwrite global policies, they will not be able to do that.

Do not enforce OU-level policies if the same setting with different parameters is enforced through global policies.
It will create unnecessary conflicts and then it will be very difficult to troubleshoot and resolve issues.

Try to keep the GPO structure as simple as possible to avoid complications.

Use "Enforce" and "block inheritance" settings only if absolutely required.

Mahesh
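A small model of the precedence rules discussed in the asker's xpusers/xp-pc "absorbed 1st/2nd/3rd" post and in Mahesh's note on "Enforce" and "block inheritance" above, written as an added example (not code from the thread): the GPO and OU names come from the posts, the setting values are constructed. It goes one step beyond the posts by also showing what an enforced domain link and "block inheritance" on the OU do to the resultant set of policy.

```python
# Model of how Group Policy precedence resolves: links are applied domain
# first, then OU; within one container link order N is applied first and
# link order 1 last, so link 1 wins; enforced links are applied after all
# others, survive 'block inheritance', and the one linked highest up wins.
# Added example, not code from the thread; names from the posts, values constructed.
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)  # computer config settings
    user: dict = field(default_factory=dict)      # user config settings

@dataclass
class Container:  # a domain or an OU
    name: str
    links: list = field(default_factory=list)  # [(gpo, enforced)] in link order
    block_inheritance: bool = False

def apply_order(path):
    """path = containers from the domain down to the object's own OU.
    Returns the GPOs in the order they are applied (later overwrites earlier)."""
    normal, enforced_by_level = [], []
    for depth, container in enumerate(path):
        # 'block inheritance' on any container below drops this level's
        # non-enforced links; enforced links still get through
        blocked = any(c.block_inheritance for c in path[depth + 1:])
        level_enforced = []
        for gpo, enforced in reversed(container.links):  # link N first, 1 last
            if enforced:
                level_enforced.append(gpo)
            elif not blocked:
                normal.append(gpo)
        enforced_by_level.append(level_enforced)
    # enforced links: deepest container first, domain last, so the domain wins
    enforced = [g for level in reversed(enforced_by_level) for g in level]
    return normal + enforced

def resultant(path, scope):
    """Merge the 'computer' or 'user' settings along the apply order."""
    merged = {}
    for gpo in apply_order(path):
        merged.update(getattr(gpo, scope))
    return merged

# Constructed sample: itsolutions.local with the asker's windows7users OU.
DDP = GPO("default domain policy", user={"proxy": "", "homepage": "intranet"})
WIN7USERS = GPO("win7users", user={"proxy": "isa2006:8080"})
WIN7PC = GPO("win7pc", computer={"wsus": "http://wsus1"})

def scenario(ddp_enforced=False, block=False):
    """Domain -> windows7users OU; win7users is link 1, win7pc link 2."""
    domain = Container("itsolutions.local", [(DDP, ddp_enforced)])
    ou = Container("windows7users", [(WIN7USERS, False), (WIN7PC, False)], block)
    return [domain, ou]
```

With nothing enforced the apply order is default domain policy, win7pc, win7users, so the OU's proxy wins and the domain's other settings still arrive; enforcing the domain link makes it apply last and win even when the OU blocks inheritance.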
OK, so do not 'enforce' on multiple OUs if 'policies are of the same setting', and just keep it as simple as possible.
Ya, that's right
Thanks

Mahesh