<div>
<a href="https://filedb.experts-exchange.com/incoming/2019/10_w40/1433129/Default_Domain_Controller_Policy.png" target="_blank" title="Default_Domain_Controller_Policy.png (71 KB)"><img alt="Default_Domain_Controller_Policy.png" class="file-block lazyload" style="max-width: 800px;" data-src="https://filedb.experts-exchange.com/incoming/2019/10_w40/800_1433129/Default_Domain_Controller_Policy.png" /></a><br />
What if you rightclick e.g. DNS and click run as administrator?<br />
<br />
HTH
</div>


Default_Domain_Controller_Policy.pnghttps://filedb.experts-exchange.com/incoming/2019/10_w40/1433129/Default_Domain_Controller_Policy.png
What if you rightclick e.g. DNS and click run as administrator?

HTH

Default_Domain_Controller_Policy.png

<div>
I'm not 100% sure this is the defaults on this site but these are the recommended settings that should be set on both of the default policies.<br />
<br />
The sure way to check is to stand up a lab with a new domain to see the default settings.<br />
<br />
<a href="https://adsecurity.org/?p=3377" rel="ugc">https://adsecurity.org/?p=3377</a><br />
<br />
I would however recommend tracking down what the issue is rather than think it's a default policy issue as any number of policies could still be applying a setting that is causing the problems.
</div>


I'm not 100% sure this is the defaults on this site but these are the recommended settings that should be set on both of the default policies.

The sure way to check is to stand up a lab with a new domain to see the default settings.

https://adsecurity.org/?p=3377 [https://adsecurity.org/?p=3377]

I would however recommend tracking down what the issue is rather than think it's a default policy issue as any number of policies could still be applying a setting that is causing the problems.

<div>
more importantly, what's the errror you're getting when you try to open it?
</div>


more importantly, what's the errror you're getting when you try to open it?

<div>
Hi Patrick,<br />
<br />
when I logon with my personal domain admin to the DC this works.<br />
<br />
When I try to open DNS with right click, open as administrator, I have to enter my creds again.<br />
<br />
see the picture<br />
<br />
<a href="https://filedb.experts-exchange.com/incoming/2019/10_w40/1433134/failed-logon.PNG" target="_blank" title="logon (3 KB)"><img alt="logon" class="file-block lazyload" style="max-width: 426px;" data-src="https://filedb.experts-exchange.com/incoming/2019/10_w40/1433134/failed-logon.PNG" /></a>
</div>


Hi Patrick,

when I logon with my personal domain admin to the DC this works.

When I try to open DNS with right click, open as administrator, I have to enter my creds again.

see the picture

logonhttps://filedb.experts-exchange.com/incoming/2019/10_w40/1433134/failed-logon.PNG

failed-logon.PNG

Hi Alex,

errorhttps://filedb.experts-exchange.com/incoming/2019/10_w40/1433135/failed-logon.PNG

<div>
Someone has denied logging on locally or something by the looks of it.<br />
<br />
Go into the event log and check the security log, let me know the details of the failure in there.
</div>


Someone has denied logging on locally or something by the looks of it.

Go into the event log and check the security log, let me know the details of the failure in there.

<div>
Hi Alex,<br />
<br />
cannot open the security log, access denied. :-(
</div>


Hi Alex,

cannot open the security log, access denied. :-(

<div>
hahahahaha<br />
<br />
What have you done to that default domain policy????<br />
<br />
Whoever changed it, could you ask them what they changed or anything? I mean realistically you would hope they took a backup of the policy before they broke it in such a way.
</div>


hahahahaha

What have you done to that default domain policy????

Whoever changed it, could you ask them what they changed or anything? I mean realistically you would hope they took a backup of the policy before they broke it in such a way.

<div>
yes really strange.<br />
I am a domain admin and cannot open the security log.<br />
<br />
I have to solve this crap and nobody did anything, like always :-)
</div>


yes really strange.
I am a domain admin and cannot open the security log.

I have to solve this crap and nobody did anything, like always :-)

<div>
Ok<br />
<br />
Run this <br />
<br />
Gpresult /h c:\temp\results.html <br />
<br />
PM it to me as is. I understand it'll have domains etc in there but I need to see it before I can even try to understand what has happened.<br />
<br />
Are you sure that the default domain policy was in fact modified. Everything points to a GPO issue but obviously I need to verify.<br />
<br />
Regards<br />
Alex
</div>


Ok

Run this

Gpresult /h c:\temp\results.html

PM it to me as is. I understand it'll have domains etc in there but I need to see it before I can even try to understand what has happened.

Are you sure that the default domain policy was in fact modified. Everything points to a GPO issue but obviously I need to verify.

Regards
Alex

System Architect

Eprs_Admin

A lack of information provides a lack of a decent solution.

Alex

<div>
I've never seen that command before, Nice!
</div>


I've never seen that command before, Nice!

<div>
Thanks, I will try the fix.
</div>


<div>
<div class="content wysiwyg-content">
Hi Experts,<br />
<br />
I need some advise about the DefaultDomainControllerPol<wbr />icy (DDCP).<br />
<br />
At one customer I have seen, this policy was edited.<br />
And of course they have some strange behaviors here with logon of personal domain admin users.<br />
I have a named domain admin user, but I am not able to open DNS or AD or anything else from the administrative tools.<br />
<br />
Can you show me the defaults of the DDCP ?
</div>
</div>


Hi Experts,

I need some advise about the DefaultDomainControllerPolicy (DDCP).

At one customer I have seen, this policy was edited.
And of course they have some strange behaviors here with logon of personal domain admin users.
I have a named domain admin user, but I am not able to open DNS or AD or anything else from the administrative tools.

Can you show me the defaults of the DDCP ?

Default Domain COntroller Policy issues

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Active Directory

Windows 10 is a personal computer operating system featuring the "universal application architecture" (UAP); apps can be designed to run across multiple devices with nearly identical code, including PCs, tablets, smartphones, embedded systems, Xbox One, Surface Hub and HoloLens. Windows 10 also includes a virtual desktop system, a window and desktop management feature called Task View, the Microsoft Edge web browser, support for fingerprint and face recognition login, voice-based search (Cortana), new security features for enterprise environments, and DirectX 12 and WDDM 2.0 to improve the operating system's graphics capabilities for games.

Windows 10

Microsoft Azure is a cloud computing platform and infrastructure for building, deploying and managing applications and services through datacenters. It provides both platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS) services and supports many different programming languages, tools and frameworks, including both Microsoft-specific and third-party software and systems. Cloud Services is a PaaS environment and can be used to create scalable applications and services; there are specific software development kits (SDKs) provided by Microsoft for Python, Java, Node.js and .NET. Azure also has file and storage services, data management, analytics and DNS services.

Azure

Windows Server 2012 is the server version of Windows 8 and the successor to Windows Server 2008 R2. Windows Server 2012 is the first version of Windows Server to have no support for Itanium-based computers since Windows NT 4.0. Windows Server 2012, now in its second release (Windows Server 2012 Release 2) includes Foundation, Essentials, Standard and Datacenter, and does not support IA-32 or IA-64 processors.

Windows Server 2012

Windows Server 2016 is the successor to Windows Server 2012 R2. Built upon the same core code as Windows 10, Windows Server 2016 brings enhancements in security, servicing, and connectivity. A particular focus on this release was hybrid-cloud scenarios, and has close ties to Azure and other Microsoft cloud initiatives. This does not detract from the many improvements that are available for on-premises-only deployments

Windows Server 2016 comes in Datacenter, Standard, and Essentials editions, and for servicing, has adopted windows 10's cumulative model. The new nano-server install is designed to be remotely managed and is designed to be kept current through continuous feature updates. The full GUI install operates similarly to windows 10's "Long Term Servicing Branch" (LTSB) model with cumulative security updates.

Windows Server 2016 has also shifted from a per-processor-and-CAL licensing model to a per-core-and CAL licensing model. This brings Windows Server's licensing more in line with Microsoft's other products and makes hybrid-cloud license planning easier as well.