Confused about "Default Domain Policy"
D.P. Roberts
2010-02-18 23:40:45 UTC
From everything I've read, it seems the "Default Domain Policy" GPO is
applied to all users and computers in the domain. This seems right because a
link to this GPO appears under the domain root in the Group Policy
Management Console. However, what happens if I move the link to this GPO to
a sub-OU? Does the "Default Domain Policy" GPO still apply to everything in
the domain, or does it only apply to the users and computers under the
sub-OU? I know that user-created GPOs only apply to the sub-OU to which they
are linked, but is this not the case with the "Default Domain Policy" OU?

I've read many KBs and have not found an answer to this question, so any
help would be greatly appreciated.

Thanks!
Meinolf Weber [MVP-DS]
2010-02-19 06:47:48 UTC
Hello D.P. Roberts,

The Default Domain Policy is a GPO like all others from the GPO point of view. So if
you unlink it from the domain level and link it at OU level, it will be applied at OU level
only.

Of course the password/account lockout settings will NOT work on OU level;
they MUST be set on domain level on OS versions prior to Windows Server 2008.
On 2008 or higher you can use fine-grained password policies on OU level.

BUT, you should leave both Default policies untouched, so in case of GPO
problems you can always revert most settings back to the beginning by deleting
your self-created GPOs. If you need changes on domain level or on the Domain Controllers
OU, create your own GPOs, so you always have the working solution with the
defaults in case something fails.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
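The answer above comes down to two checks an administrator can run rather than guess at: where the "Default Domain Policy" is actually linked, and which password/lockout policy is in force for domain accounts. The following PowerShell script is an added example written for this thread, not code from either poster. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed, that it runs as a domain user with read access to Group Policy (step 4 needs Domain Admin rights), and it uses the placeholder names PSO-Finance and Finance-Users, which do not exist in any real domain. It matches the Default Domain Policy by its well-known GUID {31B2F340-016D-11D2-945F-00C04FB984F9} instead of by display name, since the name can be changed. One caveat that goes slightly beyond the reply: fine-grained password policies (PSOs) are applied to users and global security groups, not to OUs, so "on OU level" in practice means putting the OU's users in a group and assigning the PSO to that group.

```powershell
# Added example, not from the original thread. Assumes RSAT GroupPolicy and
# ActiveDirectory modules; PSO-Finance / Finance-Users are placeholder names.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
# Well-known GUID of the Default Domain Policy (same in every AD forest).
$ddpGuid  = [guid]'31B2F340-016D-11D2-945F-00C04FB984F9'

# 1. Is the Default Domain Policy still linked at the domain root?
#    If not, its password/lockout settings no longer apply domain-wide.
$rootLink = (Get-GPInheritance -Target $domainDN).GpoLinks |
    Where-Object { $_.GpoId -eq $ddpGuid }
if ($rootLink) {
    "Default Domain Policy linked at domain root: Enabled={0} Enforced={1} Order={2}" -f `
        $rootLink.Enabled, $rootLink.Enforced, $rootLink.Order
} else {
    Write-Warning "Default Domain Policy is NOT linked at the domain root."
}

# 2. Find every OU where it has been linked instead (the situation in the question).
#    A GPO linked only to an OU applies only to users/computers under that OU.
$ouLinks = Get-ADOrganizationalUnit -Filter * -SearchBase $domainDN | ForEach-Object {
    $ou = $_
    (Get-GPInheritance -Target $ou.DistinguishedName).GpoLinks |
        Where-Object { $_.GpoId -eq $ddpGuid } |
        ForEach-Object {
            [pscustomobject]@{ OU = $ou.DistinguishedName; Enabled = $_.Enabled; Enforced = $_.Enforced }
        }
}
if ($ouLinks) {
    "Default Domain Policy is also linked at these OUs:"
    $ouLinks | Format-Table -AutoSize
}

# 3. The password/lockout policy that governs domain accounts is the one stored on
#    the domain naming context; an OU-level link of the same GPO does not change it.
"Effective domain password/lockout policy:"
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, ComplexityEnabled,
                  MaxPasswordAge, LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 4. Windows Server 2008 domain functional level or higher: a fine-grained password
#    policy (PSO) for a subset of accounts. PSOs bind to users and global security
#    groups, so the OU's users are collected in a group first. Placeholder names.
if ($domain.DomainMode -notmatch '2000|2003') {
    if (-not (Get-ADGroup -Filter "Name -eq 'Finance-Users'")) {
        New-ADGroup -Name 'Finance-Users' -GroupScope Global -GroupCategory Security `
            -Path "OU=Finance,$domainDN"
        Get-ADUser -Filter * -SearchBase "OU=Finance,$domainDN" |
            ForEach-Object { Add-ADGroupMember -Identity 'Finance-Users' -Members $_ }
    }
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq 'PSO-Finance'")) {
        # Lower Precedence wins when a user falls under several PSOs.
        New-ADFineGrainedPasswordPolicy -Name 'PSO-Finance' -Precedence 10 `
            -MinPasswordLength 14 -PasswordHistoryCount 24 -ComplexityEnabled $true `
            -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
            -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00'
        Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Finance' -Subjects 'Finance-Users'
    }
    # Verify what one member actually gets (falls back to the domain policy if no PSO applies).
    Get-ADGroupMember -Identity 'Finance-Users' | Select-Object -First 1 | ForEach-Object {
        "Resultant policy for $($_.SamAccountName):"
        Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
    }
} else {
    "Domain functional level $($domain.DomainMode): no fine-grained password policies; password settings apply domain-wide only."
}
```

Steps 1 and 2 together answer the original question empirically: whichever OU the link is moved to, step 2 lists it and step 1 reports that the root link is gone. Step 3 is the useful sanity check after any change to that GPO's links, because the password and lockout settings read there are what domain controllers enforce for every domain account, not what an OU link suggests.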
D.P. Roberts
2010-02-19 17:08:48 UTC
Thank you Meinolf, that really helps clear this up!
Meinolf Weber [MVP-DS]
2010-02-20 11:21:30 UTC
Hello D.P. Roberts,

You're welcome.

Best regards

Meinolf Weber