When to use default domain controllers policy?

steve

Archived from groups: microsoft.public.win2000.group_policy

Hello

We have a Win2003 AD domain. I'm wondering when it is appropriate to
implement Group Policy settings via the "default domain controller" policy
vs. the "default domain" policy?

I realize one is on the Domain Controller OU level and the other is at the
top of the domain, but I'm just curious if there are domain-wide security
settings that are best implemented only in the "default domain controller"
policy. Up to this point, I have left this policy alone (accepting the out
of the box defaults), and implemented our password policies, NTLM settings,
etc. in the "default domain" policy.

Does this jibe with current best practices?

Any input is helpful,

Steve T.
 
Guest

Well, the NTLM setting is actually a good example. If you want to give your
DCs a certain policy (e.g. Send NTLM response only) and your other machines
a different policy, then that's the perfect opportunity to configure the
setting in both policies.

The idea of the default domain controller policy is that all DCs in a domain
are managed as a single entity and that you should not end up with different
DCs using different policies. This is the reason that it's not usually a
good idea to move DCs out of their default container.

Regards

Oli


"Steve" <Steve@discussions.microsoft.com> wrote in message
news:5A484323-6332-4382-B6C0-2817A9253493@microsoft.com...
> Hello
>
> We have a Win2003 AD domain. I'm wondering when it is appropriate to
> implement Group Policy settings via the "default domain controller" policy
> vs. the "default domain" policy?
>
> I realize one is on the Domain Controller OU level and the other is at the
> top of the domain, but I'm just curious if there are domain-wide security
> settings that are best implemented only in the "default domain controller"
> policy. Up to this point, I have left this policy alone (accepting the out
> of the box defaults), and implemented our password policies, NTLM settings,
> etc. in the "default domain" policy.
>
> Does this jibe with current best practices?
>
> Any input is helpful,
>
> Steve T.
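
An added example, not part of the original thread: one way to check the two points raised in the reply above, that every DC still sits in the default Domain Controllers container and that all DCs ended up with the same LAN Manager authentication level. It assumes the ActiveDirectory (RSAT) PowerShell module and PowerShell remoting to each DC; the variable names and report columns are illustrative.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory RSAT module
# and PowerShell remoting to every domain controller.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcOu   = $domain.DomainControllersContainer      # default "OU=Domain Controllers,<domain DN>"
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # Parent container of the DC's computer object: strip the leading "CN=<name>," RDN.
    $parent = $dc.ComputerObjectDN -replace '^CN=[^,]+,', ''

    # LAN Manager authentication level as actually applied on the DC.
    # Level 2 corresponds to the "Send NTLM response only" option named in the reply.
    $level = try {
        Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            (Get-ItemProperty -Path $using:lsaKey -Name LmCompatibilityLevel -ErrorAction Stop).LmCompatibilityLevel
        }
    } catch { 'unreadable or not set' }

    [pscustomobject]@{
        DomainController = $dc.HostName
        InDefaultOU      = ($parent -eq $dcOu)
        ParentContainer  = $parent
        LmCompatibility  = $level
    }
}

$report | Format-Table -AutoSize

# DCs moved out of the default container no longer receive the policy linked there.
$moved = @($report | Where-Object { -not $_.InDefaultOU })
if ($moved.Count -gt 0) {
    Write-Warning ("DCs outside {0}: {1}" -f $dcOu, ($moved.DomainController -join ', '))
}

# More than one distinct value means the DCs are not being managed as a single entity.
$levels = @($report | Group-Object -Property LmCompatibility)
if ($levels.Count -gt 1) {
    Write-Warning ("DCs disagree on LmCompatibilityLevel: {0}" -f ($levels.Name -join ', '))
}
```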