
Default Dom Policy vs Custom Dom Policy - thoughts?

Bob_the_Goon (Member, Posts: 40)
Just wondering what server admins do in the real world re: default domain policies. Do you configure the out-of-the-box "Default Domain Policy" or do you make your own GPO and apply it to the domain? Any pros and cons for either way?

Comments

    Essendon (Member, Posts: 4,546)
    IMO, you shouldn't mess with the Default Domain Policy. The settings you configure here are applied en masse, including to domain controllers, unless you have other settings in other GPOs that override them.

    I wanted to write more, but have an exam tomorrow.
    Bob_the_Goon (Member, Posts: 40)
    But if you linked the custom domain GPO to the domain itself, e.g. contoso.com, wouldn't this apply these settings to the DCs anyway?
    Essendon (Member, Posts: 4,546)
    Yeah, it would. Why I prefer a custom domain GPO is that if you mess up, then at least you have your Default Domain Policy in pristine condition. So have it at the top of the order of GPOs linked to the OU.

    I have this good article bookmarked. Best Practices for Designing Group Policy
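    The approach Essendon describes, as an added example that is not part of the thread: create small, single-purpose GPOs, link them at the domain root above the Default Domain Policy, and read back the resulting link order. It assumes the GroupPolicy RSAT module on the admin workstation and the domain contoso.com from the question; the GPO names are made up for illustration. Note that, as Bob points out, anything linked at the domain root also reaches the Domain Controllers OU unless a GPO linked there (normally the Default Domain Controllers Policy) sets the same values.

```powershell
# Added example, not from the thread. Assumes the GroupPolicy RSAT module and
# the domain contoso.com from the question. GPO names are assumptions.
Import-Module GroupPolicy

$domainDN = 'dc=contoso,dc=com'

# One GPO per related group of settings, so the name says what it does.
$gpoNames = @(
    'Domain - Security Baseline',
    'Domain - Software Restriction Policies'
)

foreach ($name in $gpoNames) {
    if (-not (Get-GPO -Name $name -ErrorAction SilentlyContinue)) {
        New-GPO -Name $name -Comment 'Custom domain-level policy; Default Domain Policy left untouched' | Out-Null
    }

    # Link at the domain root. New-GPLink fails if the link already exists, so
    # ignore that and then force the position with Set-GPLink.
    New-GPLink -Name $name -Target $domainDN -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

    # Order 1 is the top of the link order: it wins over the Default Domain
    # Policy wherever both GPOs configure the same setting.
    Set-GPLink -Name $name -Target $domainDN -Order 1 | Out-Null
}

# Verify the precedence you ended up with. Lower Order = higher precedence.
# The Default Domain Policy should now sit below the custom GPOs.
(Get-GPInheritance -Target $domainDN).GpoLinks |
    Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize
```

    Run this as a Domain Admin (or a delegated GPO creator with link rights on the domain). Because each custom GPO is processed in the loop with `-Order 1`, the last one in `$gpoNames` ends up highest; reorder the array if one of them must win a conflict.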
    dynamik (Banned, Posts: 12,312)
    It also makes things a bit easier to manage if you create GPOs for one, or a small group of related settings, instead of just configuring everything in a single policy. It's pretty obvious to tell what "Software Restriction Policies" is, as opposed to having to sort through a single GPO and figure out everything that's set there.
    Bob_the_Goon (Member, Posts: 40)
    Cool. Sometimes you're just unsure of what's the best way of doing things in the real world. Thanks for the link.
    HeroPsycho (Inactive Imported Users, Posts: 1,940)
    Some settings however cannot be applied unless they're in the default domain policy. Password policies are an example.
    RTmarc (Member, Posts: 1,082)
    HeroPsycho wrote: »
    Some settings however cannot be applied unless they're in the default domain policy. Password policies are an example.

    Password policies can be applied using other policies as long as they are at the domain root. I've done it.
    HeroPsycho (Inactive Imported Users, Posts: 1,940)
    RTmarc wrote: »
    Password policies can be applied using other policies as long as they are at the domain root. I've done it.

    To accommodate APIs from previous versions of the operating system that make changes directly to default GPOs, changes to the following security policy settings must be made directly in the Default Domain Policy GPO or in the Default Domain Controllers Policy GPO:
    • Default Domain Security Policy Settings:

      • Password Policy
      • Domain Account Lockout Policy
      • Domain Kerberos Policy
    • Default Domain Controller Security Policy Settings:

      • User Rights Assignment Policy
      • Audit Policy


    Applying Selected Domain and Domain Controller Policy Settings
    Hyper-Me (Banned, Posts: 2,059)
    Password policy is the only thing I've ever changed in the DDP.

    It's just a good idea to leave it alone except for the instances that psycho posted.
    royal (Member, Posts: 3,352)
    HeroPsycho wrote: »
    Some settings however cannot be applied unless they're in the default domain policy. Password policies are an example.

    Not entirely true although I know what you are saying.

    Password policies can be applied anywhere. Domain user accounts will only apply password policies at the root. Domain joined machines will still apply password policies located anywhere but they will only apply to local user accounts.
    HeroPsycho (Inactive Imported Users, Posts: 1,940)
    royal wrote: »
    Not entirely true although I know what you are saying.

    Password policies can be applied anywhere. Domain user accounts will only apply password policies at the root. Domain joined machines will still apply password policies located anywhere but they will only apply to local user accounts.

    I know what you're saying, but technically, domain users can get password policies other than from the root with fine grained password policies feature in Windows 2008. :D

    BYAAAAAAAAAAH!
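    The points made above about where domain password policy really comes from (HeroPsycho's list of settings that must live in the Default Domain Policy, royal's note that domain accounts only honour policy set at the domain root, and the fine-grained password policy feature in Windows Server 2008), as an added example that is not part of the thread. It reads back the policy the domain head currently holds, lists every domain-root GPO that carries Account Policy settings so you can see which one wins by link order, then applies a stricter PSO to a privileged group and checks what a given account actually resolves to. It assumes the ActiveDirectory and GroupPolicy RSAT modules, the domain contoso.com from the question, and a 2008 or later domain functional level; the PSO name, group, account and values are assumptions.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory and
# GroupPolicy RSAT modules, the domain contoso.com from the question, and a
# Windows Server 2008+ domain functional level for fine-grained policies.
# PSO name, group, account name and numeric values are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = 'dc=contoso,dc=com'

# 1. What domain accounts actually get: the values written to the domain head
#    by the highest-precedence domain-root GPO that sets them.
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                ComplexityEnabled, LockoutThreshold, LockoutDuration

# 2. Every GPO linked at the domain root that carries Account Policy settings
#    (Password, Lockout, Kerberos), highest precedence first. More than one hit
#    is the "eventually things get messed up" case: link order decides.
$links = (Get-GPInheritance -Target $domainDN).GpoLinks | Sort-Object Order
foreach ($link in $links) {
    $report  = [xml](Get-GPOReport -Guid $link.GpoId -ReportType Xml)
    # Security Settings live under Computer/ExtensionData/Extension/Account.
    # PowerShell XML property access ignores namespace prefixes.
    $account = $report.GPO.Computer.ExtensionData.Extension.Account
    if (-not $account) { continue }

    "`n{0} (link order {1}, enforced: {2})" -f $link.DisplayName, $link.Order, $link.Enforced
    foreach ($a in $account) {
        $value = if ($null -ne $a.SettingNumber) { $a.SettingNumber } else { $a.SettingBoolean }
        "  [{0}] {1} = {2}" -f $a.Type, $a.Name, $value
    }
}

# 3. Fine-grained password policy for privileged accounts. PSOs are applied by
#    their own Precedence (lower wins) to users and global groups, independent
#    of GPO link order, so this does not require touching any GPO at all.
$psoName = 'PSO-Tier0-Admins'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 20 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
        -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
        -ReversibleEncryptionEnabled $false
}
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# 4. What a particular account resolves to: the winning PSO if one applies,
#    otherwise nothing, meaning the domain-level policy from step 1 is in force.
Get-ADUserResultantPasswordPolicy -Identity 'Administrator'
```

    Step 2 is the check to run before deciding whether a password setting found in some custom GPO is doing anything: if it is not linked at the domain root, it only shapes local accounts on the member machines it applies to, exactly as royal describes. Step 4 is the quickest way to confirm a PSO actually landed on an account after you have added its group as a subject.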
    blargoe (Member, Posts: 4,174)
    RTmarc wrote: »
    Password policies can be applied using other policies as long as they are at the domain root. I've done it.

    You "can"... And things can get messed up doing it there too... eventually. I've done it.
    RTmarc (Member, Posts: 1,082)
    blargoe wrote: »
    You "can"... And things can get messed up doing it there too... eventually. I've done it.

    You're right. It is certainly not a best practice but it can be done.
    HeroPsycho (Inactive Imported Users, Posts: 1,940)
    RTmarc wrote: »
    You're right. It is certainly not a best practice but it can be done.

    But you shouldn't do it.