When to use default domain controllers policy?

[Guest]

Hello

We have a Win2003 AD domain. I'm wondering when it is appropriate to
implement Group Policy settings via the "default domain controller" policy
vs. the "default domain" policy?

I realize one is on the Domain Controller OU level and the other is at the
top of the domain, but I'm just curious if there are domain-wide security
settings that are best implemented only in the "default domain controller"
policy. Up to this point, I have left this policy alone (accepting the out
of the box defaults), and implemented our password policies, NTLM settings,
etc. in the "default domain" policy.

Does this jibe with current best practices?

Any input is helpful,

Steve T.

 

[Oli Restorick [MVP]]

Well, the NTLM settings is actually a good example. If you want to give your
DCs a certain policy (e.g. Send NTLM response only) and your other machines
a different policy, then that's the perfect opportunity to configure the
setting in both policies.

The idea of the default domain controller policy is that all DCs in a domain
are managed as a single entity and that you should not end up with different
DCs using different policies. This is the reason that it's not usually a
good idea to move DCs out of their default container.

Regards

Oli