Updating the Default Domain Policy GPO and the Default Domain Controllers Policy GPO
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2
This procedure modifies either default domain-level Group Policy or the default Domain Controllers OU–level Group Policy.
Requirements
Credentials: Domain Admins
Tools: Domain Controller Security Policy or Domain Security Policy (Administrative Tools)
Important
Changes in settings to domain security policy should always be made to the Default Domain Policy GPO. Changes in settings to domain controller security policy for User Rights Assignment and Audit Policy must be made to the default GPO, rather than to a newly created GPO.
Table 44 contains information about the policies and settings that you can use to update the default GPOs that apply to the domain and to the Domain Controllers OU.
Table 44 Policy Settings for the Default GPOs
| Default GPO | Where Policy Is Applied | Recommended Policy Settings |
|---|---|---|
Default Domain Policy, Account Policies node |
Domain root |
|
Default Domain Controllers Policy, Local Policies node |
Domain Controllers OU |
To edit security settings in the Default Domain Policy GPO or the Default Domain Controller Policy GPO
Log on with Domain Admins credentials, and then open either Domain Controller Security Policy or Domain Security Policy.
In the console tree, under Security Settings, double-click Account Policies or Local Policies, depending on which node contains the settings that you want to change.
Click the policy whose settings you want to change, as specified in Table 44.
In the details pane, double-click the policy setting that you want to edit.
On the Security Policy Setting tab, select or type the recommended value, and then click OK.
Restart the computer, or run Secedit /refreshpolicy machine_policy, to apply the settings to the Default Domain GPO or the Default Domain Controllers GPO.