When to use default domain controllers policy?

Guest

Hello

We have a Win2003 AD domain. I'm wondering when it is appropriate to
implement Group Policy settings via the "default domain controller" policy
vs. the "default domain" policy?

I realize one is on the Domain Controller OU level and the other is at the
top of the domain, but I'm just curious if there are domain-wide security
settings that are best implemented only in the "default domain controller"
policy. Up to this point, I have left this policy alone (accepting the out
of the box defaults), and implemented our password policies, NTLM settings,
etc. in the "default domain" policy.

Does this jibe with current best practices?

Any input is helpful,

Steve T.
 
Oli Restorick [MVP]

Well, the NTLM setting is actually a good example. If you want to give your
DCs a certain policy (e.g. Send NTLM response only) and your other machines
a different policy, then that's the perfect opportunity to configure the
setting in both policies.

The idea of the default domain controller policy is that all DCs in a domain
are managed as a single entity and that you should not end up with different
DCs using different policies. This is the reason that it's not usually a
good idea to move DCs out of their default container.

Regards

Oli
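
The check below is an added example, not part of the thread: it lists any DC whose computer object sits outside the Domain Controllers OU and reads the effective LAN Manager authentication level on each DC so that drift between DCs is visible. It assumes the ActiveDirectory PowerShell module, an admin workstation joined to the domain, and the Remote Registry service reachable on every DC.

```powershell
# Added example. Assumptions: ActiveDirectory module installed, Remote Registry
# reachable on each DC, caller has read access to HKLM on the DCs.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcOu   = $domain.DomainControllersContainer   # DN of the default Domain Controllers OU

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # True when the computer object is in the default OU (or a child OU of it),
    # i.e. still in scope of the Default Domain Controllers Policy link.
    $inDefaultOu = $dc.ComputerObjectDN.EndsWith(
        ",$dcOu", [System.StringComparison]::OrdinalIgnoreCase)

    # "Network security: LAN Manager authentication level" is stored here.
    # Value 2 corresponds to "Send NTLM response only".
    $level = 'not set (OS default)'
    try {
        $hive  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc.HostName)
        $key   = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        $value = $key.GetValue('LmCompatibilityLevel')
        if ($null -ne $value) { $level = [string]$value }
        $hive.Close()
    }
    catch {
        $level = 'unreachable'
    }

    [pscustomobject]@{
        DomainController     = $dc.HostName
        InDomainControllerOU = $inDefaultOu
        LmCompatibilityLevel = $level
        DistinguishedName    = $dc.ComputerObjectDN
    }
}

$report | Format-Table -AutoSize

# DCs moved out of the default container no longer receive the policy linked there.
$moved = @($report | Where-Object { -not $_.InDomainControllerOU })
if ($moved.Count -gt 0) {
    Write-Warning "$($moved.Count) DC(s) are outside '$dcOu'."
}

# More than one distinct value means the DCs are not being managed as a single entity.
$distinct = @($report | Group-Object LmCompatibilityLevel)
if ($distinct.Count -gt 1) {
    Write-Warning "DCs report different LmCompatibilityLevel values: $($distinct.Name -join ', ')"
}
```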
 