Applying Selected Domain and Domain Controller Policy Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

The changed security policy settings that are recommended in this chapter apply to either the Default Domain Policy or the Default Domain Controllers Policy. After you have selected the list of settings that you want to update for your deployment, based on business considerations and the requirements for your environment, the method that you use to make the necessary changes depends on the specific policy or settings that you want to update.

To accommodate APIs from previous versions of the operating system that make changes directly to default GPOs, changes to the following security policy settings must be made directly in the Default Domain Policy GPO or in the Default Domain Controllers Policy GPO:

  • Default Domain Security Policy Settings:

    • Password Policy

    • Domain Account Lockout Policy

    • Domain Kerberos Policy

  • Default Domain Controller Security Policy Settings:

    • User Rights Assignment Policy

    • Audit Policy

Table 22 lists the Active Directory locations where the default policies are applied, the type of settings in each default policy, and the method for applying the recommended changes to the Group Policy settings.

Table 22  Methods for Applying Changed Group Policy Settings

Location Where Policy is Applied | Policy Settings Being Changed | How to Apply the Changed Settings in Policy
Domain root | Domain security policy settings (Password Policy, Account Lockout Policy, and Kerberos Policy) | Make all changes to Security Settings in the Default Domain Policy GPO.
Domain Controllers OU | User Rights Assignment | Make all changes to Security Settings in the Default Domain Controllers Policy GPO.
Domain Controllers OU | Audit | Make all changes to Security Settings in the Default Domain Controllers Policy GPO.
Domain Controllers OU | Event Log | Create a new GPO, and link this GPO above the Default Domain Controllers Policy GPO.
Domain Controllers OU | Security Options | Create a new GPO, and link this GPO above the Default Domain Controllers Policy GPO.

When a new Windows Server 2003 domain is created, Active Directory creates a built-in, protected OU, called the Domain Controllers OU, directly under the domain root. Active Directory places the new domain controller computer account in this special OU. As additional domain controllers are promoted, the corresponding computer accounts are also placed in the Domain Controllers OU.

As a best practice, keep all domain controller computer accounts in the default Domain Controllers OU to ensure that domain-controller-specific Group Policy settings are consistently applied to all domain controllers in the domain.

Modifying the Settings in the Default Domain Policy GPO and the Default Domain Controllers Policy GPO

Apply changes directly in the Default Domain Policy GPO for Password Policy settings, Account Lockup Policy settings, and Kerberos Policy settings. Apply changes directly in the Default Domain Controllers Policy GPO (linked to the Domain Controllers OU) for User Rights Assignment Policy settings and Audit Policy settings. Because these changes are made in place rather than in a separate GPO, back up both default GPOs before editing them so that the original settings can be restored if needed.

Update the Default Domain Policy GPO and the Default Domain Controllers Policy GPO by following the procedure “Updating the Default Domain Policy GPO and the Default Domain Controllers Policy GPO” in Appendix: Procedures later in this guide.

Applying a New Group Policy Object to the Domain Controllers OU

As a best practice, create and link a new GPO above the default policy (that is, at a higher precedence, which the Group Policy Management Console shows as a lower link order number) when you want to apply changed policy settings to the entire domain or to all domain controllers, with the exception of the policies listed earlier that must be changed directly in the default policy. Where both GPOs define the same setting, the higher-precedence GPO wins, so the default policy itself is left untouched. The advantage of this approach is that if a problem is encountered because of the changed settings, the new GPO can be easily backed out by disabling or removing its link, which restores the original policy settings at the next policy refresh. Do not remove the link to the default policy itself; the settings listed earlier are still read from it.

Apply the changed policy settings to the Domain Controllers OU through a new GPO by following the procedure “Creating a New GPO on the Domain Controllers OU and Changing its Precedence” in Appendix: Procedures later in this guide.
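The following PowerShell script is an added example, not part of this guide or its Appendix procedures, that carries out the two procedures referenced in the sections above: it backs up the default GPOs before any direct edits are made to them, then creates a new GPO, links it to the Domain Controllers OU above the Default Domain Controllers Policy, verifies the resulting link order, and shows the back-out step. It assumes the GroupPolicy module (Windows Server 2008 R2, or RSAT on a management workstation) and Domain Admins rights. The GPO name, the backup path and the example LmCompatibilityLevel value are assumptions for illustration, not settings recommended by this chapter.

```powershell
# Added example (not from the original guide): create a hardening GPO for the
# Domain Controllers OU, link it above the Default Domain Controllers Policy,
# verify the link order, and show how to back it out.
# Assumes the GroupPolicy module and Domain Admins rights.
Import-Module GroupPolicy

$GpoName    = 'DC Hardening - Security Options and Event Log'   # assumed name
$BackupPath = 'C:\GPOBackups'                                   # assumed path
$DomainDN   = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$DcOU       = "OU=Domain Controllers,$DomainDN"

# 1. Back up the default GPOs before touching anything, so the original
#    Password/Lockout/Kerberos, User Rights and Audit settings can be
#    restored with Restore-GPO if a direct edit goes wrong.
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
Backup-GPO -Name 'Default Domain Policy'             -Path $BackupPath | Out-Null
Backup-GPO -Name 'Default Domain Controllers Policy' -Path $BackupPath | Out-Null

# 2. Create the new GPO, or reuse it if it already exists.
$Gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $Gpo) {
    $Gpo = New-GPO -Name $GpoName -Comment 'Security Options and Event Log settings for DCs'
}

# 3. Populate it. Example value only (assumed, not a recommendation of this
#    chapter): LmCompatibilityLevel = 5 is the registry value behind the
#    Security Option "Network security: LAN Manager authentication level"
#    set to "Send NTLMv2 response only. Refuse LM & NTLM".
#    Set-GPRegistryValue writes registry policy (registry.pol), so the value
#    appears under Extra Registry Settings in GPO reports rather than under
#    the Security Options node; the effect on the domain controller is the
#    same. Entries in the Security Options node itself are edited in GPMC.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'LmCompatibilityLevel' -Type DWord -Value 5 | Out-Null

# 4. Link it to the Domain Controllers OU at link order 1, i.e. above the
#    Default Domain Controllers Policy. A lower order number means higher
#    precedence, so where both GPOs define a setting, the new GPO wins.
$Existing = (Get-GPInheritance -Target $DcOU).GpoLinks |
            Where-Object { $_.DisplayName -eq $GpoName }
if (-not $Existing) {
    New-GPLink -Name $GpoName -Target $DcOU -LinkEnabled Yes -Order 1 | Out-Null
} else {
    Set-GPLink -Name $GpoName -Target $DcOU -Order 1 | Out-Null
}

# 5. Verify: the new GPO must be at order 1, and the default policy must
#    still be linked (never unlink it; the settings that must live in it
#    are read from that link).
$Links = (Get-GPInheritance -Target $DcOU).GpoLinks | Sort-Object Order
$Links | Format-Table Order, DisplayName, Enabled, Enforced -AutoSize
if (($Links | Select-Object -First 1).DisplayName -ne $GpoName) {
    throw "$GpoName is not at link order 1 on $DcOU"
}
if (-not ($Links | Where-Object { $_.DisplayName -eq 'Default Domain Controllers Policy' })) {
    throw 'Default Domain Controllers Policy is no longer linked to the Domain Controllers OU'
}

# 6. Back-out, if the changed settings cause a problem. Disabling the link
#    restores the default policy's settings at the next refresh without
#    deleting the GPO, so it can be re-enabled after investigation:
#    Set-GPLink -Name $GpoName -Target $DcOU -LinkEnabled No
#    To remove the link entirely instead:
#    Remove-GPLink -Name $GpoName -Target $DcOU
```

Run the script from an elevated PowerShell session on a domain-joined host with the GroupPolicy module installed. The Order column printed in step 5 is what GPMC displays as Link Order on the Domain Controllers OU; step 5 fails deliberately if the new GPO did not land at order 1, rather than leaving a misordered link in place. The backups from step 1 can be restored with Restore-GPO -Name '<GPO name>' -Path $BackupPath if a direct change to one of the default GPOs has to be reverted.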