  1. #1
    kennysarmy

    Default Domain Policy.

    I'm starting down the road of Windows 8 and doing some testing etc.

    Servers are still 2008R2.

    Our Default Domain Policy has a WMI filter set for Windows 7. We only have Windows 7 PCs on our domain now; the last XP machines went off-site a few months back, and with them the Default Domain Policy that had a WMI filter set for XP.

    I'm wondering if it is actually necessary to have split Default Domain Policies?

    Would appreciate someone taking a look at our current default policy in case there is anything amiss?

    Cheers.

    Attachment: DefaultDomainPol.pdf

  2. #2

    This doesn't look like the Default Domain Policy, more a copy I hope, and my heart did stop when I read the title Default Domain Policy! Never touch the Default Domain Policy; if you need a policy, add a new one (Microsoft do have a tool to recreate the Default Domain Policy). Also, WMI filtering on policies is prone to being a tad slow. I would disband that and organize your directory so that you can apply settings to Win 8 and Win 7 workstations that way.

  3. #3
    free780
    I believe good practice is just to put the password security settings in and nothing else. Create new GPOs for this.

  4. Thanks to free780 from:

    kennysarmy (21st May 2014)

  5. #4
    kennysarmy
    Quote, originally posted by HPlum78:
        This doesn't look like the Default Domain Policy, more a copy I hope, and my heart did stop when I read the title Default Domain Policy! Never touch the Default Domain Policy; if you need a policy, add a new one (Microsoft do have a tool to recreate the Default Domain Policy). Also, WMI filtering on policies is prone to being a tad slow. I would disband that and organize your directory so that you can apply settings to Win 8 and Win 7 workstations that way.

    Thanks for your reply.

    I can probably remove the WMI filtering on the policies that apply to the workstations, but I'm wondering, won't I need to retain WMI filtering for policies applying at the user level if I have a mixture of Windows 7 and Windows 8 PCs?

  6. #5
    robjduk
    I have password policy and firewall policy for things like AV and SIMS in my Default Domain Policy. I tend to leave it alone.

  7. #6


    Quote, originally posted by free780:
        I believe good practice is just to put the password security settings in and nothing else. Create new GPOs for this.

    I wouldn't go quite that far, but there should be very little you change on the Default Domain/Domain Controllers policies. Things like password policies, depending on Windows version, need to be done in the Default Domain Policy, IIRC.

  8. #7

    Best practice is to leave the Default Domain and Default Domain Controllers policies alone. Both policies have special GUIDs that Active Directory knows to look for, so if you break one you could be in trouble (depends what gets broken).
    They can also be used as a fail-safe if something goes wrong, as you could unlink your custom settings knowing the default settings should work.

    Your current password policy settings in that policy will only affect local accounts on your Windows 7 machines. You may not have noticed this if all your policies have the same settings configured, i.e. Default Domain, XP, 7, 8.
    If your forest/domain functionality level is at 2008 or higher, you should be looking to use Active Directory Password Policies if you require different settings.

    If I were you, I would migrate all your custom settings to separate policies but link them at the same level if needed. I would consider linking some of your settings at lower levels if possible, as setting them at the top of the domain isn't good practice either.
    Then use the Microsoft tool to recreate the Default Domain Policy so you know it's in a good state.
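
Added example, not part of any poster's reply: a read-only PowerShell audit of the two built-in GPOs discussed above, showing whether a WMI filter is attached and which extensions carry settings, next to the password policy the domain enforces. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and that the XML report lists each extension under `ExtensionData/Name`.

```powershell
# Added example: read-only audit of the built-in GPOs (changes nothing).
# Assumes the GroupPolicy and ActiveDirectory RSAT modules are available.
Import-Module GroupPolicy, ActiveDirectory

# Well-known GUIDs of the two built-in GPOs; identical in every AD domain.
$builtin = @{
    'Default Domain Policy'             = '31B2F340-016D-11D2-945F-00C04FB984F9'
    'Default Domain Controllers Policy' = '6AC1786C-016F-11D2-945F-00C04FB984F9'
}

foreach ($name in $builtin.Keys) {
    $gpo = Get-GPO -Guid $builtin[$name]
    [xml]$report = Get-GPOReport -Guid $builtin[$name] -ReportType Xml

    # Each configured extension appears as ExtensionData/Name under
    # <Computer> or <User>; local-name() sidesteps the XML namespaces.
    $extensions = $report.SelectNodes(
        "//*[local-name()='ExtensionData']/*[local-name()='Name']") |
        ForEach-Object {
            '{0}/{1}' -f $_.ParentNode.ParentNode.LocalName, $_.InnerText
        }

    # New-Object keeps this usable on the PowerShell 2.0 shipped with 2008 R2.
    New-Object PSObject -Property @{
        Policy     = $gpo.DisplayName
        Status     = $gpo.GpoStatus
        WmiFilter  = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '(none)' }
        Modified   = $gpo.ModificationTime
        Extensions = ($extensions | Sort-Object -Unique) -join ', '
    }
}

# Password policy the domain currently enforces for domain accounts.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, MaxPasswordAge, LockoutThreshold, ComplexityEnabled

# Fine-grained password policies, if any are defined.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, AppliesTo
```

An `Extensions` value listing anything beyond `Computer/Security`, or a `WmiFilter` other than `(none)`, marks settings that are candidates for moving into their own GPO.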

  9. #8

    I have edited the default domain policy numerous times and never had a problem :/

    Is it really that bad to do?

  10. #9


    Quote, originally posted by TheGoodGuy:
        I have edited the default domain policy numerous times and never had a problem :/

        Is it really that bad to do?

    I think it depends what you do to it, but it is plausible that you could lock yourself out of the domain by badly editing the default domain policies, so I wouldn't do much on them.

  11. #10

    Michael
    Quote, originally posted by kennysarmy:
        I'm starting down the road of Windows 8 and doing some testing etc.

        Servers are still 2008R2.

        Our Default Domain Policy has a WMI filter set for Windows 7. We only have Windows 7 PCs on our domain now; the last XP machines went off-site a few months back, and with them the Default Domain Policy that had a WMI filter set for XP.

        I'm wondering if it is actually necessary to have split Default Domain Policies?

        Would appreciate someone taking a look at our current default policy in case there is anything amiss?

        Cheers.

        Attachment: DefaultDomainPol.pdf

    I'd advise you leave the Default Domain Policy 'as is' and create, then link, a new GPO below the Default Domain Policy. Something like the WMI filter should be within its own GPO. It's easier to unlink a GPO creating problems, rather than having to tinker with the Default Domain Policy itself.
