Disabling the Default Domain Policy


J

Josh

All,

Does anyone know what the effects are of disabling the
default domain policy at the domain level?

Thanks.
 
Ad

Advertisements

M

Mark Renoden [MSFT]

Hi Josh

Effect is that Domain wide policy doesn't apply. It's not a good thing to
do. Why the question?

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
D

Darren Mar-Elia

Josh-
That's assuming of course, that there isn't another GPO linked to the
domain. I've had this conversation with some other folks before and there is
this "fear" that there is something magical about the Def. Domain Policy and
Def. DC Policy and that disabling them is bad. I haven't found that to be
the case. You just need to be aware of what the effects are, as Mark
indicates. If you set account policy, for example, through the Default
Domain Policy, and then you disable the DDP, that account policy won't be
undone--it just won't be change-able until you have another domain-linked
GPO available.

--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com



Mark Renoden said:
Hi Josh

Effect is that Domain wide policy doesn't apply. It's not a good thing to
do. Why the question?

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

Josh said:
All,

Does anyone know what the effects are of disabling the
default domain policy at the domain level?

Thanks.
 
J

Josh

Well the reason I asked is because I have a domain were
the default domain policy is disabled and no policy is
linked to the domain. But there are still account lockout
after a certain amount of bad tries. Where is this policy
coming from?
-----Original Message-----
Josh-
That's assuming of course, that there isn't another GPO linked to the
domain. I've had this conversation with some other folks before and there is
this "fear" that there is something magical about the Def. Domain Policy and
Def. DC Policy and that disabling them is bad. I haven't found that to be
the case. You just need to be aware of what the effects are, as Mark
indicates. If you set account policy, for example, through the Default
Domain Policy, and then you disable the DDP, that account policy won't be
undone--it just won't be change-able until you have another domain-linked
GPO available.

--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com



Hi Josh

Effect is that Domain wide policy doesn't apply. It's not a good thing to
do. Why the question?

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties,
and confers no
rights.

.
 
Ad

Advertisements

D

Darren Mar-Elia

Josh-
Whatever was sent down to the DCs is still in place. Account policy is
stored locally on the DC, and its not one of those policies that gets
"un-tattoo'd" when you remove the GPO. If you fire up the local GPO editor
(gpedit.msc) on one of those DCs, you'll see the effective policy.

--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com



Josh said:
Well the reason I asked is because I have a domain were
the default domain policy is disabled and no policy is
linked to the domain. But there are still account lockout
after a certain amount of bad tries. Where is this policy
coming from?
-----Original Message-----
Josh-
That's assuming of course, that there isn't another GPO linked to the
domain. I've had this conversation with some other folks before and there is
this "fear" that there is something magical about the Def. Domain Policy and
Def. DC Policy and that disabling them is bad. I haven't found that to be
the case. You just need to be aware of what the effects are, as Mark
indicates. If you set account policy, for example, through the Default
Domain Policy, and then you disable the DDP, that account policy won't be
undone--it just won't be change-able until you have another domain-linked
GPO available.

--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com



Hi Josh

Effect is that Domain wide policy doesn't apply. It's not a good thing to
do. Why the question?

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties,
and confers no
rights.
All,

Does anyone know what the effects are of disabling the
default domain policy at the domain level?

Thanks.

.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top