Jorge's Quest For Knowledge!

All about Windows Server, ADDS, ADFS & ILM/FIM (It is just like an addiction, The more you have, the more you want to have!)

«
»

(2011-10-23) Best Practices For The Default Domain Policy And The Default Domain Controllers Policy GPOs

Posted by Jorge on 2011-10-23


Every AD domain since Windows 2000 Server implements two default GPOs being the “Default Domain Policy” GPO and the “Default Domain Controllers Policy” GPO.

-

With regards to the domain related GPOs the following are best practices:

-

With regards to the domain controllers related GPOs the following are best practices:

  • Create a separate “Custom Domain Controllers Policy” GPO and link that also to the domain controllers OU to be applied after the Default Domain Policy.
  • Use the “Custom Domain Controllers Policy” GPO for all non-default settings you require to use, except for the user rights settings.
  • For the user rights settings still use the “Default Domain Controllers Policy” GPO OR you need to duplicate all user rights from the “Default Domain Controllers Policy” GPO into the “Custom Domain Controllers Policy” GPO. However, when installing applications with Domain Admin or Enterprise Admin equivalent permissions, some of those applications may automatically edit the “Default Domain Controllers Policy” GPO  with regards to the user rights without any interaction. It is therefore better to still configure all user rights for domain controllers in the “Default Domain Controllers Policy” GPO. Because of this reason it is pointless to manage user rights settings in a “Custom Domain Controllers Policy” GPO.
  • You may need to create an additional GPO that only targets Branch Office DCs through group filtering or WMI filtering so that Branch Office DCs do not register domain-wide SRV records
  • You need to create an additional GPO that only targets the DC currently hosting the PDC FSMO role and any candidate DC to host the PDC FSMO role through WMI filtering. You can read more about that in “(2010-09-26) Configuring And Managing The Windows Time Service (Part 1)”, “(2010-09-26) Configuring And Managing The Windows Time Service (Part 2)”, “(2010-09-26) Configuring And Managing The Windows Time Service (Part 3)” and “(2010-09-26) Configuring And Managing The Windows Time Service (Part 4)”.

-

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: http://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

About these ads

This entry was posted on 2011-10-23 at 22:49 and is filed under Active Directory Domain Services (ADDS), Group Policy Objects. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

2 Responses to “(2011-10-23) Best Practices For The Default Domain Policy And The Default Domain Controllers Policy GPOs”

  1. Best Practice: Group Policy Design Guidelines – Part 2 said

    2011-10-24 at 07:43

    [...] Update: Here is another post I have found that confirms this http://jorgequestforknowledge.wordpress.com/2011/10/23/best-practices-for-the-default-domain-policy-… [...]

    Reply

  2. Eastern said

    2012-01-16 at 03:15

    Very clear in reason, excellent tip

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Cancel

Connecting to %s

«
»
 
%d bloggers like this: