Windows 8 Thread, Default Domain Policy. in Technical; I'm starting down the road of Windows 8 and doing some testing etc.
Servers are still 2008R2.
Our Default Domain ...
21st May 2014, 10:37 AM #1
Default Domain Policy.
I'm starting down the road of Windows 8 and doing some testing etc.
Servers are still 2008R2.
Our Default Domain Policy has a WMI filter set for windows 7 we only have windows 7 PC's on our domain now, the last XP machines went off-site a few months back and with them the Default Domain Policy that had a WMI filter set for XP.
I'm wondering if it is actually necessary to have split Default Domain Policies?
Would appreciate someone taking a look at our current default policy in case there is anything amiss?
21st May 2014, 11:01 AM #2
This don't look like the Default Domain Pol more a copy I hope, and my heart did stop when I read the title Default Domain Policy! Never touch the Default Domain Policy if you need to Policy add new (Microsoft do have a tool to recreate the Default Domain Policy). Also WMI filtering on polices is prone to being a tad slow, I would disband that and organize your Directory so that you an apply settings to win 8 and win 7 workstations that way.
21st May 2014, 11:25 AM #3
I believe good practice is just to put the password security settings in and nothing else. Create new GPO's for this.
Thanks to free780 from:
kennysarmy (21st May 2014)
21st May 2014, 11:42 AM #4
Thanks for your reply.
Originally Posted by HPlum78
I can probably remove the WMI filtering on the policies that apply to the workstations, but I'm wondering wont I need to retain WMI filtering for policies applying at the user level if I have a mixture of Windows 7 and Windows 8 PC's.
21st May 2014, 01:31 PM #5
I have password policy and firewall policy for thinks like AV and SIMS in my default domain policy. I tend to leave it alone.
21st May 2014, 02:01 PM #6
i wouldnt go quite that far but there should be very little you change on default domain/domain controllers policy things like password policies depending on windows version need to be done in default domain policy iirc
Originally Posted by free780
21st May 2014, 11:11 PM #7
- Rep Power
Best practice is to leave the default domain and default domain controllers policies alone, both policies have special GUIDs that active directory knows to look for so if you break one you could be in trouble(depends what gets broken).
They can also be used as a fail safe if somethings goes wrong, as you could unlink your custom settings knowing the default settings should work.
Your current password polices settings in that policy will only affect local accounts on your windows 7 machines, you may not have noticed this if all your polices have the same settings configured i.e. Default Domain,XP,7,8
If your Forrest/Domain functionality level is at 2008 or higher you should be looking to use Active Directory Password Polices if you require different settings.
If i were you i would migrate all your custom settings to separate polices but link them at the same level if needed, I would consider linking some of your settings at lower levels if possible as setting them at the top of the domain isn't good practice either.
Then use the Microsoft tool to recreate the default domain policy so you know its in a good state
2nd June 2014, 01:24 PM #8
- Rep Power
I have edited the default domain policy numerous times and never had a problem :/
Is it really that bad to do?
2nd June 2014, 01:42 PM #9
i think it depends what you do to it but it is plausable that you could lock yourself out of the domain by badly editing the default domain policies but i wouldnt do much on them
Originally Posted by TheGoodGuy
2nd June 2014, 02:30 PM #10
I'd advise you leave the Default Domain Policy 'as is' and create, then link a new GPO below the Default Domain Policy. Something like the WMI filter should be within its own GPO. It's easier to unlink a GPO creating problems, rather than having to tinker with the Default Domain Policy itself
Originally Posted by kennysarmy
By DaveP in forum Windows Server 2008
Last Post: 19th August 2011, 02:41 PM
By pantscat in forum Windows Server 2000/2003
Last Post: 12th May 2011, 10:29 AM
By irsprint84 in forum Windows Server 2008 R2
Last Post: 14th April 2011, 05:59 PM
By jgcracknell in forum Windows Server 2008 R2
Last Post: 26th September 2010, 09:45 PM
By chazzy2501 in forum Windows Server 2000/2003
Last Post: 5th May 2010, 09:21 AM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)