Does anyone have an authoritative source of policies that, if set, MUST be set within the Default Domain Policy (if one chooses to set them)? Off the top of my head, I know that password policies and certain user session policies must be set within the Default Domain Policy. I'm doing a cleanup of our Domain GPOs and trying to separate any GPs that can be set outside the default...
To clarify, I am not asking what policies must be set, I am asking which policies, should I choose to set them, must be set within the Default Domain Policy.
The settings you're looking for are enumerated in Group Policy application rules for domain controllers, insofar as how Domain Controller (DC) computers apply Group Policy Object (GPO) settings that are set at the domain level. You don't necessarily need to specify these settings in the "Default Domain Policy" (and, indeed, I would recommend not modifying the "Default Domain Policy"). Rather, the resultant set of these settings, based on the link order of the GPOs at the root of the domain, determines the effective setting the DCs will apply.
The settings include the following for all Active Directory DCs.
Windows Server 2003-based DCs (and, presumably, Windows Server 2008 and 2008 R2-based DCs) will also apply the Security Options settings:
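The practical way to act on the answer above is to list every GPO linked at the domain root in link order and see which of them actually define Password, Account Lockout or Kerberos settings, since those are the settings DCs take only from domain-level links. The script below is an added example (not from this thread and not a Microsoft script); it assumes the RSAT GroupPolicy and ActiveDirectory modules are installed and uses a hypothetical domain name, corp.example.com, which you would replace with your own.

```powershell
# Added example, not part of the original answer. Assumes RSAT GroupPolicy and
# ActiveDirectory modules; the domain name below is a placeholder (assumption).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain   = 'corp.example.com'                              # assumption: your domain FQDN
$domainDn = (Get-ADDomain -Identity $domain).DistinguishedName

# Returns the text of a child element regardless of the namespace prefix the
# GPO XML report uses (q1:, q2:, ...), so we never bind prefixes by hand.
function Get-ChildText([System.Xml.XmlNode]$Node, [string]$LocalName) {
    $c = $Node.SelectSingleNode("*[local-name()='$LocalName']")
    if ($c) { $c.InnerText } else { $null }
}

# 1. GPOs linked at the domain root. Lower Order = higher precedence
#    (processed last, so it wins on a conflicting setting). Enforced links
#    override that order, which is why the flag is shown.
$links = (Get-GPInheritance -Target $domainDn -Domain $domain).GpoLinks |
    Sort-Object Order
$links | Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# 2. For each enabled link, read the GPO's XML report and collect every
#    "Account" setting. Type is Password, Account (= lockout) or Kerberos.
$findings = foreach ($link in $links) {
    if (-not $link.Enabled) { continue }
    [xml]$report = Get-GPOReport -Guid $link.GpoId -Domain $domain -ReportType Xml
    foreach ($node in $report.SelectNodes("//*[local-name()='Account']")) {
        $value = Get-ChildText $node 'SettingNumber'
        if ($null -eq $value) { $value = Get-ChildText $node 'SettingBoolean' }
        [pscustomobject]@{
            Order    = $link.Order
            GPO      = $link.DisplayName
            Enforced = $link.Enforced
            Type     = Get-ChildText $node 'Type'
            Setting  = Get-ChildText $node 'Name'
            Value    = $value
        }
    }
}
$findings | Sort-Object Setting, Order | Format-Table -AutoSize

# 3. A setting defined in more than one domain-root GPO is the case the answer
#    describes: link order (and Enforced) decides which value the DCs apply.
$findings | Group-Object Setting | Where-Object Count -gt 1 | ForEach-Object {
    $chain = ($_.Group | Sort-Object Order |
        ForEach-Object { "$($_.GPO)=$($_.Value)" }) -join ', '
    Write-Warning ("{0} is defined in {1} domain-root GPOs: {2}" -f $_.Name, $_.Count, $chain)
}

# 4. What the DCs actually enforce right now, to compare against step 2.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MaxPasswordAge, MinPasswordAge, MinPasswordLength,
                  PasswordHistoryCount, ComplexityEnabled,
                  LockoutThreshold, LockoutDuration, LockoutObservationWindow
```

Run it from a machine with the RSAT modules as a user that can read GPOs. If step 3 prints warnings, the effective account policy is being decided by link order rather than by a single GPO, which is exactly the situation a GPO cleanup should remove: keep those settings in one domain-root GPO and leave the rest out of them.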
According to Microsoft training books, the Default Domain Policy should only contain settings for password, account lockout, and Kerberos policies. The Default Domain Controllers Policy should contain your auditing policies.
Changes in settings to domain security policy should always be made to the Default Domain Policy GPO.
Changes in settings to domain controller security policy for User Rights Assignment and Audit Policy must be made to the default GPO, rather than to a newly created GPO.
Default Domain Policy: Password Policy, Account Lockout Policy, Kerberos Policy.
Default Domain Controllers Policy: Audit Policy, User Rights Assignment, Security Options, Event Log Policy.
Applies To: Windows Server 2003/2008 & R2
There are no settings that are required to be defined in the Default Domain Policy. In fact, it's best practice not to touch the Default Domain Policy and the Default Domain Controllers Policy.