Solved

Unsaved Default Domain Policy GPO settings applied while GPO editor still open

Posted on 2016-10-20
5
8 Views
Last Modified: 2016-11-08
Had a very strange experience with Server 2012 R2 Group Policy this morning.  Last night, I opened the Default Domain Policy in the Group Policy Editor and made a change to Windows Settings\Security Settings\Local Policies\Security Options.  I enabled the setting "Network access: Do not allow stroage of passwords and credentials for network authentication", but I did not close the policy editor.

This morning, I received several calls that this setting appeared to be applied throughout the domain.  Correct me if I am wrong, but aren't GPO changes supposed to remain uncommitted until the GPO Editor window is closed?  Has anyone else seen this phenomenon?
0
Comment
Question by:Skip
  • 4
5 Comments
 
LVL 21

Accepted Solution

by:
Joseph Moody earned 400 total points (awarded by participants)
ID: 41852198
Nope - GPO changes occur in realtime while the editor is opened.
0
 
LVL 21

Assisted Solution

by:Joseph Moody
Joseph Moody earned 400 total points (awarded by participants)
ID: 41852200
Often, you will see a best practice for editing GPOs that states you should only create/edit unlinked GPOs.
0
 
LVL 21

Assisted Solution

by:Joseph Moody
Joseph Moody earned 400 total points (awarded by participants)
ID: 41852207
Also - Advanced Group Policy Management (AGPM) has a check in/check out feature that allows you edit a GPO. To do so, you check it out first - it  makes a copy of the existing GPO, you edit it/test it/etc. When you check it back in, it replaces the first GPO with your new changes.
0
 
LVL 38

Assisted Solution

by:Adam Brown
Adam Brown earned 100 total points (awarded by participants)
ID: 41852420
Also, Microsoft recommends not changing the Default Domain policy or Default Domain Controllers policy, since the settings in each are required for proper domain functioning. If you need to make setting changes, it's best to do so in a different GPO linked to the domain.
0
 
LVL 21

Expert Comment

by:Joseph Moody
ID: 41878462
question has been answered.
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

The article will show you how you can maintain a simple logfile of all Startup and Shutdown events on Windows servers and desktops with PowerShell. The script can be easily adapted into doing more like gracefully silencing/updating your monitoring s…
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
In this Micro Tutorial viewers will learn how they can get their files copied out from their unbootable system without need to use recovery services. As an example non-bootable Windows 2012R2 installation is used which has boot problems.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now