  1. #1
    kennysarmy

    Default Domain Policy.

    I'm starting down the road of Windows 8 and doing some testing etc.

    Servers are still 2008R2.

    Our Default Domain Policy has a WMI filter set for Windows 7. We only have Windows 7 PCs on our domain now; the last XP machines went off-site a few months back, and with them the Default Domain Policy that had a WMI filter set for XP.

    I'm wondering if it is actually necessary to have split Default Domain Policies?

    Would appreciate someone taking a look at our current default policy in case there is anything amiss?

    Cheers.

    Attachment: DefaultDomainPol.pdf

  2. #2

    This doesn't look like the Default Domain Policy, more a copy I hope, and my heart did stop when I read the title Default Domain Policy! Never touch the Default Domain Policy; if you need a policy, add a new one (Microsoft do have a tool to recreate the Default Domain Policy). Also, WMI filtering on policies is prone to being a tad slow; I would disband that and organize your Directory so that you can apply settings to Win 8 and Win 7 workstations that way.

  3. #3
    free780
    I believe good practice is just to put the password security settings in and nothing else. Create new GPOs for this.

  4. Thanks to free780 from:

    kennysarmy (21st May 2014)

  5. #4
    kennysarmy
    Originally posted by HPlum78:
    This doesn't look like the Default Domain Policy, more a copy I hope, and my heart did stop when I read the title Default Domain Policy! Never touch the Default Domain Policy; if you need a policy, add a new one (Microsoft do have a tool to recreate the Default Domain Policy). Also, WMI filtering on policies is prone to being a tad slow; I would disband that and organize your Directory so that you can apply settings to Win 8 and Win 7 workstations that way.

    Thanks for your reply.

    I can probably remove the WMI filtering on the policies that apply to the workstations, but I'm wondering, won't I need to retain WMI filtering for policies applying at the user level if I have a mixture of Windows 7 and Windows 8 PCs?

  6. #5
    robjduk
    I have password policy and firewall policy for things like AV and SIMS in my default domain policy. I tend to leave it alone.

  7. #6


    Originally posted by free780:
    I believe good practice is just to put the password security settings in and nothing else. Create new GPOs for this.

    I wouldn't go quite that far, but there should be very little you change on the Default Domain/Domain Controllers policies. Things like password policies, depending on Windows version, need to be done in the Default Domain Policy, IIRC.

  8. #7

    Best practice is to leave the Default Domain and Default Domain Controllers policies alone. Both policies have special GUIDs that Active Directory knows to look for, so if you break one you could be in trouble (depends what gets broken).
    They can also be used as a fail-safe if something goes wrong, as you could unlink your custom settings knowing the default settings should work.

    Your current password policy settings in that policy will only affect local accounts on your Windows 7 machines; you may not have noticed this if all your policies have the same settings configured, i.e. Default Domain, XP, 7, 8.
    If your Forest/Domain functionality level is at 2008 or higher you should be looking to use Active Directory Password Policies if you require different settings.

    If I were you I would migrate all your custom settings to separate policies but link them at the same level if needed. I would consider linking some of your settings at lower levels if possible, as setting them at the top of the domain isn't good practice either.
    Then use the Microsoft tool to recreate the Default Domain Policy so you know it's in a good state.

  9. #8

    I have edited the default domain policy numerous times and never had a problem :/

    Is it really that bad to do?

  10. #9


    Originally posted by TheGoodGuy:
    I have edited the default domain policy numerous times and never had a problem :/

    Is it really that bad to do?

    I think it depends what you do to it, but it is plausible that you could lock yourself out of the domain by badly editing the default domain policies, but I wouldn't do much on them.

  11. #10

    Michael
    Originally posted by kennysarmy:
    I'm starting down the road of Windows 8 and doing some testing etc.

    Servers are still 2008R2.

    Our Default Domain Policy has a WMI filter set for Windows 7. We only have Windows 7 PCs on our domain now; the last XP machines went off-site a few months back, and with them the Default Domain Policy that had a WMI filter set for XP.

    I'm wondering if it is actually necessary to have split Default Domain Policies?

    Would appreciate someone taking a look at our current default policy in case there is anything amiss?

    Cheers.

    Attachment: DefaultDomainPol.pdf

    I'd advise you leave the Default Domain Policy 'as is' and create, then link, a new GPO below the Default Domain Policy. Something like the WMI filter should be within its own GPO. It's easier to unlink a GPO creating problems, rather than having to tinker with the Default Domain Policy itself.
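
A read-only way to check the state discussed in this thread, as an added example that is not from any poster: it looks up the two built-in GPOs by their well-known GUIDs, reports any WMI filter and which policy areas hold settings, then lists the domain password policy and any fine-grained password policies. It assumes the GroupPolicy and ActiveDirectory modules (RSAT) are installed and that the GPMC XML report uses its usual ExtensionData/Name layout.

```powershell
# Added example: read-only audit of the two built-in GPOs.
# Assumes the GroupPolicy and ActiveDirectory modules and domain read access.
Import-Module GroupPolicy, ActiveDirectory

# Well-known GUIDs of the built-in GPOs; they are the same in every domain.
$builtin = @{
    'Default Domain Policy'             = '31B2F340-016D-11D2-945F-00C04FB984F9'
    'Default Domain Controllers Policy' = '6AC1786C-016F-11D2-945F-00C04FB984F9'
}

$audit = foreach ($label in $builtin.Keys) {
    $guid = $builtin[$label]
    $gpo  = Get-GPO -Guid $guid
    [xml]$report = Get-GPOReport -Guid $guid -ReportType Xml

    # Collect the policy areas that contain settings, per side.
    # local-name() sidesteps the report's default XML namespace.
    $areas = foreach ($side in 'Computer', 'User') {
        $xpath = "/*[local-name()='GPO']/*[local-name()='$side']" +
                 "/*[local-name()='ExtensionData']/*[local-name()='Name']"
        foreach ($node in $report.SelectNodes($xpath)) { "$side/$($node.InnerText)" }
    }

    New-Object PSObject -Property @{
        BuiltInGpo   = $label
        DisplayName  = $gpo.DisplayName        # differs from the label if renamed
        LastModified = $gpo.ModificationTime
        WmiFilter    = $(if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '(none)' })
        Areas        = ($areas -join ', ')     # anything beyond Security merits review
    }
}
$audit | Format-List BuiltInGpo, DisplayName, LastModified, WmiFilter, Areas

# Password settings stored on the domain object, followed by any
# fine-grained password policies (available from the 2008 functional level).
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, MaxPasswordAge, PasswordHistoryCount,
                ComplexityEnabled, LockoutThreshold
Get-ADFineGrainedPasswordPolicy -Filter * |
    Format-Table Name, Precedence, MinPasswordLength, AppliesTo -AutoSize
```

A WMI filter reported on either built-in GPO, or a long Areas list, matches the situation the original poster describes and is the cue to move those settings into separately linked GPOs.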


