TL;DR: See title.
Background: Back in the "old days", we did a lot of bad things: We used the same server for Active Directory and other services (anyone remember Windows Small Business Server?), and did not follow best practices with respect to Group Policies.
Fortunately, those days are over, but we still use the same Active Directory domain as back then. We recently noticed that the "Default Domain Controller Policy" contains entries which are obviously no longer correct (as the most striking example, regular users and outdated service accounts can log on locally to our domain controllers). I'd like to "clean up" the policy and make sure that we follow up-to-date security recommendations.
I know that it's possible to reset this policy with dcgpofix.exe, but I'm afraid of breaking something by doing that. Instead, I'd like to
- compare each current setting of the "Default Domain Controller Policy" with the default setting,
- make sure I understand what this setting does, and
- then reset it to the default setting if I'm sure that the modification is no longer needed.
To do that, however, I need to see the default "Default Domain Controller Policy", and a Google search on this fails me (probably due to the double meaning of "default" in this context). Hence my question:
What are the default settings for the "Default Domain Controller Policy" in a newly created Active Directory domain?
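Added example, not part of the original post: one way to do the setting-by-setting comparison described above is to diff the `[Privilege Rights]` section of the policy's `GptTmpl.inf` against the same file taken from a freshly created test domain. The function names and both INF samples are constructed for illustration; the baseline shown is not the real default.

```powershell
# Both INF samples are constructed; the baseline is NOT the real default.
# Export the real one from a freshly created lab domain:
# \\<domain>\SYSVOL\<domain>\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\
#   MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf   (read with Get-Content -Raw)
$baselineInf = @'
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
'@
$currentInf = @'
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-545,svc_oldbackup
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeServiceLogonRight = svc_oldbackup
'@

# Hypothetical helper: parse [Privilege Rights] into right -> list of principals.
function Get-PrivilegeRights([string]$InfText) {
    $rights = @{}; $inSection = $false
    foreach ($line in ($InfText -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = $Matches[1] -eq 'Privilege Rights'; continue }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]; $value = $Matches[2]
            $rights[$name] = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    $rights
}

# Hypothetical helper: list principals added to or missing from each right.
function Compare-PrivilegeRights([hashtable]$Baseline, [hashtable]$Current) {
    foreach ($name in (@($Baseline.Keys) + @($Current.Keys) | Sort-Object -Unique)) {
        $base = @(); if ($Baseline.ContainsKey($name)) { $base = $Baseline[$name] }
        $cur  = @(); if ($Current.ContainsKey($name))  { $cur  = $Current[$name] }
        $added   = @($cur  | Where-Object { $_ -and $base -notcontains $_ })
        $removed = @($base | Where-Object { $_ -and $cur  -notcontains $_ })
        if ($added.Count -or $removed.Count) {
            [pscustomobject]@{
                Right             = $name
                AddedVsBaseline   = $added -join ', '
                MissingVsBaseline = $removed -join ', '
            }
        }
    }
}

Compare-PrivilegeRights (Get-PrivilegeRights $baselineInf) (Get-PrivilegeRights $currentInf) | Format-List
```

Each reported right is one setting to understand and then either keep or revert; rights that match the baseline are omitted from the output.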