Default Domain Controllers Policy


Steven Hutchinson

It would seem that our Default Domain Controllers Policy is being applied to
all computers in our domain.

As far as I know this should not be the case and should only be applied to
Domain Controllers.

Can anyone confirm this to me as it is causing a few problems? I cannot
change any Local Security Policy settings on member servers or client PCs.
RSOP shows that the policy settings are being enforced by the Default Domain
Controllers Security Policy.
 
Hi,

Steven said:
It would seem that our Default Domain Controllers Policy is being applied to
all computers in our domain.

Not a good idea.

As far as I know this should not be the case and should only be applied to
Domain Controllers.

Absolutely right.

Can anyone confirm this to me as it is causing a few problems?

For sure. Because a domain controller is configured much more restrictively,
like "logon locally" and other permissions, it is not recommended to
apply the DefDomConPol to the clients, because a "user" needs to work
on a client.
If you want to allow a user logon on that client and you edit the
DefDomConPol, then he is able to logon locally on a DC as well.
In most cases you don't want that.

Mark
 
Hi Mark,

Thanks for confirming this. Can you suggest any reason why this policy is
being applied to all computers in our domain and possibly how I can go about
preventing this?
 
Steven,

Are all computers in your domain in the Domain Controllers OU?
Or is the original (or another) Default Domain Controllers Policy linked to
an OU that contains all your computers?

Peter
 
Hi Peter,

Thanks for your help. I can now see where the problem is. The Default Domain
Controllers Policy is linked to both the Domain Controllers OU and to our
entire domain. I will need to disable the link to our domain. Any idea how
this might have happened?
 
Hi,

What OS are you using? If you are using Windows 2003 Server then download
the Group Policy Management Console.

It has this AMAZING little feature at the bottom which basically shows you
all the settings that are applying to a user or a computer. It runs a
simulation and then shows you all the settings.

Now, the ONLY way that the Default Domain Controllers Policy would be
applying to the Computers is if the Computer OU was inside the Default Domain
Controllers OU or if the Default Domain Controllers policy was linked to the
Computers OU. You can find this out simply by creating a "new" OU for
computers and moving all the computers into it.

Why are you trying to change Local Settings? Local Settings are always
overridden by Group Policies starting with the Default Domain Policy and then
the Group Policies of the OUs. I would leave the Local Settings alone. It is
far better to just create OUs and Group Policies for computers and set any
settings you need there.

This also stops any huge problems caused by Local Policies.

Cheers,
Lara
 
Hi,

Steven said:
[...] Any idea how this might have happened?

It can only be done manually. In most cases it happens if you
work with the GPMC and "Drag+Drop" the policy with the mouse.
Happens in Filesystem etc. ;-)

Mark
 
Hi Lara,

I was only looking to change the Local Security Policy on servers that have
applications installed that require specific accounts to be granted rights
only on that server. In other circumstances, I have created an OU and GPO
for groups of member servers such as Citrix servers and defined much more
detailed policies.

Steven
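
The check this thread arrives at (where is the Default Domain Controllers Policy actually linked?) can be scripted. The following is an added example, not code from any poster in the thread. It assumes the ActiveDirectory and GroupPolicy RSAT modules, relies on the policy's well-known GUID, and only searches the domain partition, so site-level links are not covered.

```powershell
# Added example: list every container the Default Domain Controllers Policy
# is linked to and flag any link outside the Domain Controllers OU.
Import-Module ActiveDirectory

# Well-known GUID of the Default Domain Controllers Policy (same in every domain).
$ddcpGuid = '6AC1786C-016F-11D2-945F-00C04FB984F9'

$domain   = Get-ADDomain
$expected = $domain.DomainControllersContainer   # normally OU=Domain Controllers,<domain DN>

# gPLink stores entries of the form [LDAP://cn={GUID},cn=policies,...;<options>]
# options is a bit field: bit 0 = link disabled, bit 1 = link enforced.
$pattern = '\[LDAP://cn=\{' + $ddcpGuid + '\}[^;\]]*;(\d+)\]'

$links = Get-ADObject -LDAPFilter "(gPLink=*$ddcpGuid*)" `
                      -SearchBase $domain.DistinguishedName `
                      -Properties gPLink |
    ForEach-Object {
        $m = [regex]::Match($_.gPLink, $pattern, 'IgnoreCase')
        if ($m.Success) {
            $opt = [int]$m.Groups[1].Value
            [pscustomobject]@{
                Target     = $_.DistinguishedName
                Enabled    = -not ($opt -band 1)
                Enforced   = [bool]($opt -band 2)
                # Any link other than the Domain Controllers OU pushes DC
                # security settings onto member servers and clients.
                Unexpected = ($_.DistinguishedName -ne $expected)
            }
        }
    }

$links | Sort-Object Unexpected -Descending | Format-Table -AutoSize

# Remediation discussed in the thread: disable the stray link at the domain root.
# Left commented out so the script is read-only by default.
# Import-Module GroupPolicy
# Set-GPLink -Guid $ddcpGuid -Target $domain.DistinguishedName -LinkEnabled No
```

After disabling a stray link, run `gpupdate /force` on an affected member server and re-check RSoP to confirm the settings no longer come from the Domain Controllers policy.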
 