All,

Does anyone know what the effects are of disabling the
default domain policy at the domain level?

Thanks.

Hi Josh

Effect is that Domain wide policy doesn't apply. It's not a good thing to
do. Why the question?

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (E-Mail Removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

"Josh" <(E-Mail Removed)> wrote in message
news:27f0f01c4645c$16bc3b20$(E-Mail Removed)...
> All,
>
> Does anyone know what the effects are of disabling the
> default domain policy at the domain level?
>
> Thanks.

Josh-
That's assuming of course, that there isn't another GPO linked to the
domain. I've had this conversation with some other folks before and there is
this "fear" that there is something magical about the Def. Domain Policy and
Def. DC Policy and that disabling them is bad. I haven't found that to be
the case. You just need to be aware of what the effects are, as Mark
indicates. If you set account policy, for example, through the Default
Domain Policy, and then you disable the DDP, that account policy won't be
undone--it just won't be change-able until you have another domain-linked
GPO available.

--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com



"Mark Renoden [MSFT]" <(E-Mail Removed)> wrote in message
news:Obh%(E-Mail Removed)...
> Hi Josh
>
> Effect is that Domain wide policy doesn't apply. It's not a good thing to
> do. Why the question?
>
> Kind regards
> --
> Mark Renoden [MSFT]
> Windows Platform Support Team
> Email: (E-Mail Removed)
>
> Please note you'll need to strip ".online" from my email address to email
> me; I'll post a response back to the group.
>
> This posting is provided "AS IS" with no warranties, and confers no
rights.
>
> "Josh" <(E-Mail Removed)> wrote in message
> news:27f0f01c4645c$16bc3b20$(E-Mail Removed)...
> > All,
> >
> > Does anyone know what the effects are of disabling the
> > default domain policy at the domain level?
> >
> > Thanks.
>
>

Well the reason I asked is because I have a domain were
the default domain policy is disabled and no policy is
linked to the domain. But there are still account lockout
after a certain amount of bad tries. Where is this policy
coming from?
>-----Original Message-----
>Josh-
>That's assuming of course, that there isn't another GPO
linked to the
>domain. I've had this conversation with some other folks
before and there is
>this "fear" that there is something magical about the
Def. Domain Policy and
>Def. DC Policy and that disabling them is bad. I haven't
found that to be
>the case. You just need to be aware of what the effects
are, as Mark
>indicates. If you set account policy, for example,
through the Default
>Domain Policy, and then you disable the DDP, that account
policy won't be
>undone--it just won't be change-able until you have
another domain-linked
>GPO available.
>
>--
>Darren Mar-Elia
>MS-MVP-Windows Management
>http://www.gpoguy.com
>
>
>
>"Mark Renoden [MSFT]" <(E-Mail Removed)>
wrote in message
>news:Obh%(E-Mail Removed)...
>> Hi Josh
>>
>> Effect is that Domain wide policy doesn't apply. It's
not a good thing to
>> do. Why the question?
>>
>> Kind regards
>> --
>> Mark Renoden [MSFT]
>> Windows Platform Support Team
>> Email: (E-Mail Removed)
>>
>> Please note you'll need to strip ".online" from my
email address to email
>> me; I'll post a response back to the group.
>>
>> This posting is provided "AS IS" with no warranties,
and confers no
>rights.
>>
>> "Josh" <(E-Mail Removed)> wrote in
message
>> news:27f0f01c4645c$16bc3b20$(E-Mail Removed)...
>> > All,
>> >
>> > Does anyone know what the effects are of disabling the
>> > default domain policy at the domain level?
>> >
>> > Thanks.
>>
>>
>
>
>.
>

Josh-
Whatever was sent down to the DCs is still in place. Account policy is
stored locally on the DC, and its not one of those policies that gets
"un-tattoo'd" when you remove the GPO. If you fire up the local GPO editor
(gpedit.msc) on one of those DCs, you'll see the effective policy.

--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com



"Josh" <(E-Mail Removed)> wrote in message
news:29cce01c46509$dd55df40$(E-Mail Removed)...
> Well the reason I asked is because I have a domain were
> the default domain policy is disabled and no policy is
> linked to the domain. But there are still account lockout
> after a certain amount of bad tries. Where is this policy
> coming from?
> >-----Original Message-----
> >Josh-
> >That's assuming of course, that there isn't another GPO
> linked to the
> >domain. I've had this conversation with some other folks
> before and there is
> >this "fear" that there is something magical about the
> Def. Domain Policy and
> >Def. DC Policy and that disabling them is bad. I haven't
> found that to be
> >the case. You just need to be aware of what the effects
> are, as Mark
> >indicates. If you set account policy, for example,
> through the Default
> >Domain Policy, and then you disable the DDP, that account
> policy won't be
> >undone--it just won't be change-able until you have
> another domain-linked
> >GPO available.
> >
> >--
> >Darren Mar-Elia
> >MS-MVP-Windows Management
> >http://www.gpoguy.com
> >
> >
> >
> >"Mark Renoden [MSFT]" <(E-Mail Removed)>
> wrote in message
> >news:Obh%(E-Mail Removed)...
> >> Hi Josh
> >>
> >> Effect is that Domain wide policy doesn't apply. It's
> not a good thing to
> >> do. Why the question?
> >>
> >> Kind regards
> >> --
> >> Mark Renoden [MSFT]
> >> Windows Platform Support Team
> >> Email: (E-Mail Removed)
> >>
> >> Please note you'll need to strip ".online" from my
> email address to email
> >> me; I'll post a response back to the group.
> >>
> >> This posting is provided "AS IS" with no warranties,
> and confers no
> >rights.
> >>
> >> "Josh" <(E-Mail Removed)> wrote in
> message
> >> news:27f0f01c4645c$16bc3b20$(E-Mail Removed)...
> >> > All,
> >> >
> >> > Does anyone know what the effects are of disabling the
> >> > default domain policy at the domain level?
> >> >
> >> > Thanks.
> >>
> >>
> >
> >
> >.
> >