  • Status: Solved
  • Priority: Medium
  • Security: Public

Unsaved Default Domain Policy GPO settings applied while GPO editor still open

Had a very strange experience with Server 2012 R2 Group Policy this morning. Last night, I opened the Default Domain Policy in the Group Policy Editor and made a change to Windows Settings\Security Settings\Local Policies\Security Options. I enabled the setting "Network access: Do not allow storage of passwords and credentials for network authentication", but I did not close the policy editor.

This morning, I received several calls that this setting appeared to be applied throughout the domain.  Correct me if I am wrong, but aren't GPO changes supposed to remain uncommitted until the GPO Editor window is closed?  Has anyone else seen this phenomenon?
4 Solutions
 
Joseph Moody, Blogger and wearer of all hats, commented:
Nope - GPO changes occur in realtime while the editor is opened.

Joseph Moody, Blogger and wearer of all hats, commented:
Often, you will see a best practice for editing GPOs that states you should only create/edit unlinked GPOs.

Joseph Moody, Blogger and wearer of all hats, commented:
Also - Advanced Group Policy Management (AGPM) has a check in/check out feature that allows you to edit a GPO. To do so, you check it out first - it makes a copy of the existing GPO, you edit it/test it/etc. When you check it back in, it replaces the first GPO with your new changes.

Adam Brown, Sr Solutions Architect, commented:
Also, Microsoft recommends not changing the Default Domain policy or Default Domain Controllers policy, since the settings in each are required for proper domain functioning. If you need to make setting changes, it's best to do so in a different GPO linked to the domain.

Joseph Moody, Blogger and wearer of all hats, commented:
question has been answered.
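
The practice described in the answers above (edit only an unlinked GPO, and leave the Default Domain Policy alone in favor of a separate GPO linked to the domain) can be scripted with the GroupPolicy module. This is an added example, not part of the original thread; the GPO name and the backup and report paths are assumptions.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example: stage a security-setting change in a new, unlinked GPO
# instead of editing the Default Domain Policy in place.

$GpoName    = 'SEC - Credential Storage Restriction'   # hypothetical name
$BackupPath = 'C:\GPOBackups'                          # hypothetical path
$ReportPath = Join-Path $BackupPath 'staged-gpo.html'  # hypothetical path
$DomainDN   = (Get-ADDomain).DistinguishedName

# 1. Back up the Default Domain Policy so a known-good copy exists.
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
Backup-GPO -Name 'Default Domain Policy' -Path $BackupPath `
           -Comment 'Baseline before staging change' | Out-Null

# 2. Create the new GPO. New-GPO does not link it to anything, so edits
#    are saved to the GPO immediately but are applied to no computers.
$gpo = New-GPO -Name $GpoName -Comment 'Staged change; unlinked until reviewed'

# 3. Verify the GPO has no links before anyone opens it in the editor.
[xml]$xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
if ($xml.GPO.LinksTo) {
    throw "GPO '$GpoName' is already linked; do not edit it live."
}

# 4. Make the change in the Group Policy editor while the GPO is unlinked.
Read-Host "Edit '$GpoName' in the Group Policy editor, then press Enter"

# 5. Produce a settings report for review before the GPO goes live.
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $ReportPath
Write-Host "Review the staged settings in $ReportPath"

# 6. Link to the domain only after review. -Confirm prompts before the
#    link is created, which is the moment the settings start to apply.
New-GPLink -Guid $gpo.Id -Target $DomainDN -LinkEnabled Yes -Confirm
```

If the change has to be backed out, removing the link with `Remove-GPLink` stops the GPO from applying without touching the Default Domain Policy.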