Disabling the Default Domain Policy

July 7, 2004 4:53:35 PM

Archived from groups: microsoft.public.win2000.group_policy

All,

Does anyone know what the effects are of disabling the
default domain policy at the domain level?

Thanks.
Anonymous
July 8, 2004 12:08:30 PM

Hi Josh

Effect is that Domain wide policy doesn't apply. It's not a good thing to
do. Why the question?

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

"Josh" <anonymous@discussions.microsoft.com> wrote in message
news:27f0f01c4645c$16bc3b20$a601280a@phx.gbl...
> All,
>
> Does anyone know what the effects are of disabling the
> default domain policy at the domain level?
>
> Thanks.
Anonymous
July 8, 2004 12:08:31 PM

Josh-
That's assuming of course, that there isn't another GPO linked to the
domain. I've had this conversation with some other folks before and there is
this "fear" that there is something magical about the Def. Domain Policy and
Def. DC Policy and that disabling them is bad. I haven't found that to be
the case. You just need to be aware of what the effects are, as Mark
indicates. If you set account policy, for example, through the Default
Domain Policy, and then you disable the DDP, that account policy won't be
undone--it just won't be change-able until you have another domain-linked
GPO available.

--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com



"Mark Renoden [MSFT]" <markreno@online.microsoft.com> wrote in message
news:o bh%2307GZEHA.728@TK2MSFTNGP09.phx.gbl...
> Hi Josh
>
> Effect is that Domain wide policy doesn't apply. It's not a good thing to
> do. Why the question?
July 8, 2004 1:37:31 PM

Well the reason I asked is because I have a domain where
the default domain policy is disabled and no policy is
linked to the domain. But there are still account lockouts
after a certain amount of bad tries. Where is this policy
coming from?
Anonymous
July 8, 2004 3:07:04 PM

Josh-
Whatever was sent down to the DCs is still in place. Account policy is
stored locally on the DC, and it's not one of those policies that gets
"un-tattoo'd" when you remove the GPO. If you fire up the local GPO editor
(gpedit.msc) on one of those DCs, you'll see the effective policy.

--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com



"Josh" <anonymous@discussions.microsoft.com> wrote in message
news:29cce01c46509$dd55df40$a301280a@phx.gbl...
> Well the reason I asked is because I have a domain where
> the default domain policy is disabled and no policy is
> linked to the domain. But there are still account lockouts
> after a certain amount of bad tries. Where is this policy
> coming from?
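Added example (not part of the original thread, and not code from any of the posters): a small audit check for the situation discussed above, where lockout settings stay in force on the DCs even though no enabled GPO is linked to the domain. It assumes "disabled" means the link-disabled flag in the domain object's gPLink attribute and that the effective policy was exported on a DC with `secedit /export /cfg`; the function names and both sample inputs are constructed for illustration.

```python
import configparser
import re

# gPLink holds one "[LDAP://cn={GUID},...;flags]" entry per linked GPO.
# Flag bit 1 = link disabled, bit 2 = link enforced.
LINK_RE = re.compile(r"\[LDAP://cn=\{([0-9A-F-]+)\}[^;\]]*;(\d+)\]", re.I)
LOCKOUT_KEYS = ("LockoutBadCount", "ResetLockoutCount", "LockoutDuration")

def parse_gplink(gplink):
    """Return (guid, enabled, enforced) for each link in a gPLink value."""
    return [(guid.upper(), not int(f) & 1, bool(int(f) & 2))
            for guid, f in LINK_RE.findall(gplink or "")]

def parse_system_access(inf_text):
    """Read [System Access] from the text of a `secedit /export` file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # secedit keys are mixed case; keep them as written
    cp.read_string(inf_text)
    return dict(cp["System Access"]) if cp.has_section("System Access") else {}

def tattooed_lockout(gplink, inf_text):
    """Lockout values in effect although no enabled GPO link is on the domain."""
    if any(enabled for _, enabled, _ in parse_gplink(gplink)):
        return {}  # a live domain-level link could be the source
    policy = parse_system_access(inf_text)
    if int(policy.get("LockoutBadCount", 0)) == 0:
        return {}  # threshold 0 means lockout is not enforced
    return {k: int(policy[k]) for k in LOCKOUT_KEYS if k in policy}

# Constructed sample: Default Domain Policy linked to the domain, link disabled.
SAMPLE_GPLINK = ("[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},"
                 "cn=policies,cn=system,DC=example,DC=test;1]")
# Constructed sample export (real files are UTF-16; decode before parsing).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for key, value in tattooed_lockout(SAMPLE_GPLINK, SAMPLE_INF).items():
        print(f"still in effect with no enabled domain link: {key} = {value}")
```

A non-empty result means the values were left behind by an earlier policy application and need a new domain-linked GPO to change them.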