Domain vs Domain Controller policies

I'd like an opinion, please.

I have custodianship of a 2003/XP domain system that was put together by a team, the GPO portion of which was given to the single team member who had no experience or qualification to put it together. We haven't had the luxury of taking it apart to even look at GP in any depth to straighten out some idiosyncrasies.

A tech refresh of the servers is underway. We're going Hyper-V (2012) VMs (2008R2), and because of the existing questions of stability, we're building the replacement domain up from scratch, including GP, rather than allowing the new DCs to inherit anything from the old.

We've found that the old default domain policy is almost 1-for-1 with settings vs the default domain controller policy. Since there aren't any differences in settings, is there a technical reason to have both policies reinforcing the same things?

I'd appreciate any feedback.
*RicklesP*
MSCA (2003/XP), Security+, CCNA

** Remember: credit where credit is due, and reputation points as appropriate **

#2
Re: Domain vs Domain Controller policies

The Default Domain Controllers Policy is of course for linking to the OU that contains DCs, and the Default Domain Policy at the Domain level. Even if some settings are duplicated, they should still remain in both, as you may choose to delegate permissions for GPO linking at the OU level.

Furthermore, the Default Domain Policy should usually only be used for the Password Policy and possibly auditing. Other settings can be created within other GPOs.

Personally, I tend to leave the Default Policies as they are, tweak the password policy to suit the environment and create different GPOs for all other settings.

#3
Re: Domain vs Domain Controller policies

The original persons renamed/delinked the original Default Domain and Domain Controller policies, and then instituted their own for both. And a lot of the settings are duplicated in both. And it's never been quite right.

I'm leaving the 'default' of both policies in place with very few settings actively managed, per best practice, and creating my own at the appropriate levels. One for Domain-level settings, one for the DCs, and a few more scattered at lower-level OUs as needed. All I was curious about was the duplication of settings on the DCs when the same settings are already applied at the domain level.

The organization isn't anywhere near big enough to delegate permissions, so there are only 3 of us with access to do it all. Frankly, I wouldn't trust any user in our environment to safely manage something as important as GP. So if delegation isn't an issue, it sounds like no, we don't need to duplicate the same settings to both, regardless of what they're called. Thanks.
*RicklesP*
MSCA (2003/XP), Security+, CCNA

** Remember: credit where credit is due, and reputation points as appropriate **

#4
Re: Domain vs Domain Controller policies

There is a cmd to reset the default policies:
http://www.itgeared.com/articles/107...lt-domain-and/

You may be best off documenting them, resetting them and implementing other policies to put the settings back.
Tom Jones
MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
PhD, MSc, FIAP, MIITT
IT Trainer / Consultant
Ossian Ltd
Scotland

** Remember to give credit where credit is due and leave reputation points where appropriate **

#5
Re: Domain vs Domain Controller policies

Yeah, I get the idea of resetting the Default Domain and Domain Controller policies. And I get the idea of setting only the most basic settings in each, with the vast majority of local settings in separate policies, applied at those same levels or lower, as appropriate. I am not trying to repair or make more stable the current production environment -- it's too late for that. We haven't the time. We're building our tech refresh replacement system for the current environment.

What I was asking was: is there a reason to have virtually every setting duplicated between a domain and a domain controller policy, in the same directory tree (regardless of their name and whether they are default policies)? I can't find anything like a white paper or 'best practice' guide which says anything either way. If so, why? If not, then I have my answer.
*RicklesP*
MSCA (2003/XP), Security+, CCNA

** Remember: credit where credit is due, and reputation points as appropriate **

#6
Re: Domain vs Domain Controller policies

Not as far as I know -- in general the DC OU would inherit the domain policy and add its own DC policy to tighten up security further.
Tom Jones
MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
PhD, MSc, FIAP, MIITT
IT Trainer / Consultant
Ossian Ltd
Scotland

** Remember to give credit where credit is due and leave reputation points where appropriate **

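To check in your own forest the duplication the thread is debating, and to see the inheritance #6 describes, here is an added PowerShell example that is not part of the original thread. It assumes the GroupPolicy and ActiveDirectory RSAT modules are available on a domain-joined admin workstation with rights to read GPOs; the GPO names are the standard defaults, so substitute the renamed policies #3 mentions. The function Get-GpoSettingLeaves and the variable names are this example's own.

```powershell
# Added example, not from the thread. Assumes RSAT GroupPolicy and ActiveDirectory
# modules and read access to GPOs in the current domain.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Flatten a GPO's XML report into "Side/Extension/.../Leaf=value" strings so two
# policies can be compared setting by setting. Identity metadata (GUID, links,
# timestamps) sits outside ExtensionData and is deliberately skipped.
function Get-GpoSettingLeaves {
    param([Parameter(Mandatory)][string]$Name)

    [xml]$report = Get-GPOReport -Name $Name -ReportType Xml
    $leaves = New-Object 'System.Collections.Generic.List[string]'

    function Walk([System.Xml.XmlNode]$node, [string]$path) {
        foreach ($child in $node.ChildNodes) {
            if ($child.NodeType -ne 'Element') { continue }
            $childPath = "$path/$($child.LocalName)"
            $inner = @($child.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
            if ($inner.Count -eq 0) {
                $leaves.Add("$childPath=$($child.InnerText.Trim())")
            } else {
                Walk $child $childPath
            }
        }
    }

    foreach ($side in 'Computer', 'User') {
        foreach ($ext in @($report.GPO.$side.ExtensionData)) {
            if ($ext) { Walk $ext.Extension $side }
        }
    }
    return $leaves
}

$domainPolicy = 'Default Domain Policy'
$dcPolicy     = 'Default Domain Controllers Policy'

$domainLeaves = Get-GpoSettingLeaves -Name $domainPolicy
$dcLeaves     = Get-GpoSettingLeaves -Name $dcPolicy

# Settings both GPOs define with the same value: candidates for dropping from the
# DC policy, because the Domain Controllers OU already inherits them from the domain link.
$duplicated = Compare-Object -ReferenceObject $domainLeaves -DifferenceObject $dcLeaves `
    -IncludeEqual -ExcludeDifferent | Select-Object -ExpandProperty InputObject

"Settings duplicated between '$domainPolicy' and '$dcPolicy': $($duplicated.Count)"
$duplicated | Sort-Object

# Settings only the DC policy sets: the ones that actually tighten DCs beyond the domain baseline.
"Settings unique to '$dcPolicy':"
Compare-Object -ReferenceObject $domainLeaves -DifferenceObject $dcLeaves |
    Where-Object SideIndicator -eq '=>' |
    Select-Object -ExpandProperty InputObject |
    Sort-Object

# What the Domain Controllers OU really receives, in precedence order (Order 1 wins
# on conflict). Links on the OU itself outrank inherited domain links unless the
# inherited link is Enforced, which is why a duplicate DC-level copy adds nothing.
$dcOu = (Get-ADDomain).DomainControllersContainer
(Get-GPInheritance -Target $dcOu).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enforced, Enabled |
    Format-Table -AutoSize
```

Run it before and after trimming the DC policy and keep both outputs with the change record: the duplicated list documents what was removed, and the unique list is the set of DC hardening settings that must survive the cleanup.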
#7
Re: Domain vs Domain Controller policies

Thanks, Ossian, that's the sort of answer I was looking for. Many colleagues are telling me the opposite because that's what's been beaten into them over the years, but no one can back it up with any justification. And GP precedence/processing/link order, etc. all point to it not being necessary.

Cheers!
*RicklesP*
MSCA (2003/XP), Security+, CCNA

** Remember: credit where credit is due, and reputation points as appropriate **