Unsaved Default Domain Policy GPO settings applied while GPO editor still open

Posted on 2016-10-20
Last Modified: 2016-11-08
Had a very strange experience with Server 2012 R2 Group Policy this morning.  Last night, I opened the Default Domain Policy in the Group Policy Editor and made a change to Windows Settings\Security Settings\Local Policies\Security Options.  I enabled the setting "Network access: Do not allow stroage of passwords and credentials for network authentication", but I did not close the policy editor.

This morning, I received several calls that this setting appeared to be applied throughout the domain.  Correct me if I am wrong, but aren't GPO changes supposed to remain uncommitted until the GPO Editor window is closed?  Has anyone else seen this phenomenon?
Question by:Skip
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
LVL 22

Accepted Solution

Joseph Moody earned 400 total points (awarded by participants)
ID: 41852198
Nope - GPO changes occur in realtime while the editor is opened.
LVL 22

Assisted Solution

by:Joseph Moody
Joseph Moody earned 400 total points (awarded by participants)
ID: 41852200
Often, you will see a best practice for editing GPOs that states you should only create/edit unlinked GPOs.
LVL 22

Assisted Solution

by:Joseph Moody
Joseph Moody earned 400 total points (awarded by participants)
ID: 41852207
Also - Advanced Group Policy Management (AGPM) has a check in/check out feature that allows you edit a GPO. To do so, you check it out first - it  makes a copy of the existing GPO, you edit it/test it/etc. When you check it back in, it replaces the first GPO with your new changes.
LVL 40

Assisted Solution

by:Adam Brown
Adam Brown earned 100 total points (awarded by participants)
ID: 41852420
Also, Microsoft recommends not changing the Default Domain policy or Default Domain Controllers policy, since the settings in each are required for proper domain functioning. If you need to make setting changes, it's best to do so in a different GPO linked to the domain.
LVL 22

Expert Comment

by:Joseph Moody
ID: 41878462
question has been answered.

Featured Post

Backup Solution for AWS

Read about how CloudBerry Backup fully integrates your backups with Amazon S3 and Amazon Glacier to provide military-grade encryption and dramatically cut storage costs on any platform.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question