Domain GPOs
When an Active Directory domain is deployed, a default domain policy and a default domain controller policy are created. The default domain policy defines the password and account policies for all domain user accounts and local user accounts for domain member servers and workstations. A few additional settings are also defined within the default domain policy regarding the Encrypting File System, Kerberos authentication, and a few other network-related security settings.
As a best practice, the only changes that should be made to the default domain policy should be modifying the password and account policy settings and nothing else. Additional settings that are required at the domain level should be defined in separate policies linked to the domain. The settings configured on domain-linked GPOs will be applied to all computer and user accounts in the domain, including all domain controllers. Settings configured at the domain level should be deployed as default settings and not as organizational standards. For example, as a domain default, the organization might want to configure all computers to enable Windows Update and get updates from the Windows Software Update Services (WSUS) at headquarters and to configure a few default firewall exceptions to allow for remote administration from the IT department. Common default settings applied at the domain level, but not in the default domain policy, can include the following:
- Default screensaver settings
- Default Windows Update settings
- Default firewall profile and rule configurations
- Default Encrypting File System settings and recovery agent
- Trusted root certification authorities
- Certificate enrollment configurations
All Windows systems that are members of an Active Directory domain will inherit the user password and account policies from the domain and apply this policy to local accounts on these systems. In some cases, it might be necessary to leverage local user accounts on systems with a less-restrictive password policy to support a particular service or application. This task can be accomplished by adding a GPO at the organizational unit that defines a less-restrictive password and account lockout policy. This particular password and account lockout policy will only apply to local user accounts on the computers contained within the linked organizational unit. The only thing that will break this configuration is if the default domain policy is enforced.
In situations when special or specific domain user accounts cannot adhere to the domain password policy, if the domain is operating in Windows Server 2008 or Windows Server 2008 R2 domain functional level, a fine-grained password policy can be created and applied to the necessary user accounts. Fine-grained password policies are new to Active Directory and are detailed later in this tutorial in the section "Fine-Grained Password Policies."
Domain Controller GPOs
When an Active Directory domain is deployed, a default domain controller policy is created. This is different from the default domain policy in many ways, but the most prevalent distinction is that this policy is applied to the domain controllers organizational unit and not the entire domain. The default domain controller policy only applies to objects in this organizational unit, which should contain all of domain controllers of the specific domain, and no other objects.
The domain controllers organizational unit inherits all policies linked to the domain and each domain controller also inherits any site-linked GPOs if any exist. These policies will be applied by the domain controllers and might not be desirable. As a best practice, to avoid impacting domain controller security and reliability, try to limit the configuration settings defined within domain-linked policies or specifically deny the application of these group policies to the enterprise domain controllers security group within each domain of the forest.
NOTE: Moving a domain controller out of the domain controllers organizational unit is not recommended as adverse effects could result, including compromising the security of the entire domain as well as breaking authentication and replication functionality.
The default domain controller policy defines user rights assignment settings for domain controller management as well as defines settings to control the security of network communication. Most organizations do not require any changes made to the default domain controller policy or any additional policies linked to the domain controllers organizational unit. Common settings applied at the domain controller organizational unit level can include the following:
- User rights assignment updates for domain controllers (commonly used for backup agent accounts)
- Restricted group policies for domain security groups
- Event Viewer settings
- Audit settings for domain controllers
- Domain controller-specific Windows Update settings
- Remote administration settings for domain controllers
In this tutorial:
- Group Policy Management for Network Client
- Windows Group Policies
- Domain Group Policies
- Group Policy Feature Set
- User Configuration Policy Node
- Planning Workgroup and Standalone Local Group Policy Configuration
- Planning Domain Group Policy Objects
- Domain GPOs
- Active Directory Site GPOs
- Managing Computers with Domain Policies
- Managing User Account Control Settings
- Creating a Software Restriction Policy
- Creating Application Control Policies (AppLocker)
- Deploying Printers Windows Server 2008
- Mapping Drives Using Preferences User Drive Maps Extension
- Configuring Basic Firewall Settings with Group Policy
- Configuring Windows Update Settings
- Configuring Power Options Using Domain Policies
- Managing Users with Policies
- Configuring Folder Redirection
- Removable Storage Access
- Managing Active Directory with Policies
- Configuring Restricted Groups for Domain Security Groups
- Extending Group Policy Functionality
- Synchronous Foreground Refresh
- GPO Modeling and GPO Results in the GPMC
- Managing Group Policy from Administrative or Remote Workstations