Default Domain Controller Policy
Hello All,
We will be starting promotion of Windows Server 2012 R2 Domain Controllers in our organisation. For that we are trying to implement the Default Domain Controller Policy for 2012 R2.
We already have Account Policies, Password Policy, Audit Policy and Security Options/Firewall Settings,
but would like your advice about any new features which we can apply in our Default Domain Controller policy.
Thanks.
Thanks HA
Hi,
>>But would like your advice about any new features which we can apply in our Default Domain Controller policy.
Regarding this point, the following articles can be referred to as reference.
Chapter 4: Strengthening Domain and Domain Controller Policy Settings
https://technet.microsoft.com/en-us/library/cc773205(v=ws.10).aspx
Applying Selected Domain and Domain Controller Policy Settings
https://technet.microsoft.com/en-us/library/cc773164(v=ws.10).aspx
Best regards,
Frank Shen
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]
Similar Messages
-
Default domain controller policy audit
If I enable auditing in the Default Domain Controller Policy, will I see events only from all domain controllers, or also from all workstations in the domain, or should I create a new audit GPO and link it to the workstation OU?
>>If I enable auditing in the Default Domain Controller Policy, will I see events only from all domain controllers, or also from all workstations in the domain
---NO, you won't see workstations, only if editing the Default Domain Policy. As described prior, best practice would be to create a new GPO with a great name that you won't mix up, such as "workstation audit GPO", and link it to the site, domain or OU you require.
It's not great practice IMO adding loads of stuff to the Default Domain Policy; when you want to troubleshoot, it's best to segregate GPOs with great, easy-to-interpret names, for brevity -
Reboot domain controller changes audit policy on Default Domain Controller Policy
This has been happening for a long time no matter whether my DCs were running Windows Server 2003 or, as they are now, are running Windows Server 2012 R2. It happens on DCs in one particular site, but the policy change it causes is domain-wide.
I have 2 DCs at that site; every time one of them is rebooted, the following policy is turned off, from Success and Failure to No Auditing:
Default Domain Controllers Policy - Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies/Audit Policy.
I have a monitoring application relying on this policy being turned on, and if it's off, it gets reported. The monitoring application knows about the change, but it doesn't know how the change was made.
All my DCs are running Windows Server 2012 R2, DFL 2008 R2.
Thanks and regards.
Hi,
>>I have 2 DCs at that site, every time one of them is rebooted, the following policy is turned off, from Success and Failure to No auditing:
Did we try to run the command gpresult /h report.html with admin privileges to collect a Group Policy result report to check how the policy setting was applied after rebooting? Besides, we can also try to run the command auditpol /get /category:* from an elevated command prompt to check what audit settings are applied.
Best regards,
Frank Shen
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
PrepareDomain should it modify the Domain Controller Policy?
I have Exchange 2010 installed with two servers in a DAG. I recently ran into a problem where two of the domain controllers were down and I had to reboot both Exchange servers. Exchange would not come back online because of the missing SACL right on the other domain controllers.
http://blogs.technet.com/b/richardroddy/archive/2010/06/16/msexchange-adaccess-dsaccess-errors-and-the-manage-auditing-and-security-right.aspx
I went ahead and ran Exchange "setup /preparedomain" and I was able to get my DAG running again, but when I check the "Default Domain Controllers Policy" it is not modified to allow the "Exchange Servers" group to manage auditing and security log like I would expect it to. There are no errors, but it only modified the local domain controller policy. So I would have to run this on every domain controller.
Hi,
According to your description, it seems like a DC replication issue.
I recommend you refer to the following article to force sync manually:
Force Replication Between Domain Controllers
You can use this procedure to force Active Directory replication to occur between two domain controllers on a one-time basis when you want changes to be replicated from the server that received the changes to a server in another site sooner than the
site link schedule allows. As an alternative, you can synchronize replication with all replication partners.
Thanks.
Niko Cheng
TechNet Community Support -
Can't edit default domain controllers policy on windows 8 or server 2012
I have found that I can't edit the "Default Domain Controllers Policy" from a Windows 8 or Server 2012 machine. I can edit and save changes fine from a Windows 7 machine. The domain controllers are running Windows 2012 Standard upgraded from Windows 2008 R2. Is there a security setting I am missing?
Posting the resolution from the other thread. Hope it helps!
I just accidentally resolved this issue today. I added the GPMC to a 2008 R2 server so I could make a needed firewall
change within the Windows Firewall with Advanced Security section of the Default Domain Controllers GPO (I enabled the Remote Event Log management rule for the Domain profile). About an hour later, I forgot I was using my Windows 8 machine and I went
to edit the Default Domain Controllers GPO and opened for edit without a problem. I can now edit it from Windows 8 and from Windows Server 2012. Until now, I was using a Windows 7 VM to make the edits, so in my case the problem was resolved by
editing the GPO once from a 2008 R2 machine. -
Windows 2012 R2 default domain controllers policy set to enforced
Hi Guys,
So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2 and so far everything is running OK. Had a few problems relating to orphaned DCs but have cleared this up now. However, I'm now trying to get to grips with using Group Policy. When I migrated, the old policy settings seem to have come across and things seem to be still locked down OK in relation to certain OUs. I run a network at our local college, so I have a student container which applies a lock-down policy. All these GPOs were previously set up by someone else.
I set up a test network at home before I did the said migration and am now comparing some Group Policy settings, namely the default ones, and I have noticed that the Default Domain Controllers Policy has been set to Enforced on my newly migrated domain. At home on my test server I see it is not enforced by default and am wondering why this is? I have been reading up but I can't find anything that tells me it should be enforced, but am wary to disable this setting. The students return on Monday so I don't want to mess it up at this stage.
One thing that I did find odd is that when I first opened up the GPOs, I was prompted with a message which stated that the policies in the SYSVOL folder were not consistent with the ones in AD, so I followed its recommendation to update.
Any advice you guys have on this would be greatly appreciated.
David
> So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2
> and so far everything is running ok.
This does NOT touch any GPOs, so your GPOs are not "migrated" or
something like that - they are still what they were before.
> enforced on my newly migrated domain. At home on my test server i see it
> is not enforced by default and am wondering why this is?
"A severe misunderstanding of how group policy inheritance and link order
works" is the closest reason I see for this. The DDCP is linked to
"Domain Controllers", and as long as you do not create subordinate OUs
there (which I've never seen) and block inheritance on them, there's no
reason to enforce.
To add my experience from the field: When I see enforced GPOs, in most
cases this enforcement is not required. People simply use it because
they do not understand "link order".
> One thing that i did find odd is when i first opened up the GPO's, i was
> prompted with a message which stated that the policies in the sysvol
> folder where not consistent with the ones in AD so i followed its
> recommendation to update.
That's fairly ok and nothing to hassle about.
Martin
How about reading a GOOD book about GPOs?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
Restore Default Domain Controllers Policy in its original state
Hello,
Our domain has 2003 DCs. For some reason, someone has unlinked the Default Domain Controllers Policy from the Domain Controllers OU and also modified it extensively.
The Domain Controllers OU has a GPO with basically the same settings as the DDCP, but it has also been heavily modified.
I'm in the process of upgrading our domain to 2012 level and would like to sort out the DDCP before doing so.
What would be the best course of action to restore the DDCP in its place? I was planning to match all settings between the custom GPO and the currently unlinked DDCP and then disable the custom GPO and enable the DDCP. But sincerely I'm not sure what would be the best way to go.
Hi,
Any update?
Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
Best Regards,
Andy Qi
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Andy Qi
TechNet Community Support -
Hello,
In my new company, I noticed that the default domain controllers policy has been (largely) modified.
I thought it was a best practice to keep it clean (In case of restore).
So I would like to create a new GPOs for my DCs to move some of those settings out of the default domain policy.
For example, "Add workstations to domain". If I want to create a new policy for this particular setting, what kind of rules am I supposed to follow to make sure that my new setting will be applied before the default DC policy?
Is the GPO Link Order enough?
Thank you
Hi,
Just a confirmation: did you mean that you want to overwrite some settings in the Default Domain Controllers Policy?
Within each domain, site, and OU, the Link Order controls the order in which GPOs are applied. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest Link Order is processed last, and therefore has the highest precedence. Since the Default Domain Controllers Policy is linked to the Domain Controllers organizational unit, you can create a new GPO and link it to this Domain Controllers organizational unit, then control their order via Link Order.
If I misunderstand anything or there is any update, please feel free to let us know.
Hope this helps.
Best regards,
Justin Gu -
Unable to edit the "Default Domain Controllers Policy" from a Server 2012 machine
I am unable to edit the "Default Domain Controllers Policy" from a Server 2012 machine. The error message I receive is:
"Failed to open the group policy object. You might not have the appropriate rights. Details: The volume for a file has been externally altered so that the open file is no longer valid."
The domain controllers are running Windows 2012 R2 upgraded from Windows 2008 R2, the domain functional level is Server 2012.
I am able to edit the policy from both a Windows 7 and Server 2008 R2 machine.
The following post is identical however the fix for them does not work for me:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/2d968a05-2cff-4dd0-9c5d-dd810d1fa66f/cant-edit-default-domain-controllers-policy-on-windows-8-or-server-2012
Any ideas?
MuhammadUmar
Yes, the Unique ID is available on 2012 server
Lany Zhang
This only affects the default domain controllers policy object
Another user added to admins and tested has no effect
It is the same on another server
DCDiag passes all tests
Thanks for all your help so far -
Applying Domain controller policy to only one DC on a domain
We want to apply the Microsoft-supplied group policy "MSFT Windows Server 2012 R2 Domain Controller Baseline" to only 1 out of our 6 Server 2012 R2 Domain Controllers. This server is also set up as an RODC and is in a DMZ, hence the hardening.
Some of the settings within this policy would seem to be applicable to a domain rather than an individual server (DC), even though they are listed under "Local Policies".
The following are only some examples, there may be others.......
Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies/Security Options, Other
Domain member: Digitally encrypt or sign secure channel data (always)
Microsoft network server: Digitally sign communications (always)
Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies/Security Options, Domain Controller
Domain Controller: LDAP server signing requirements - Require signing
Computer Configurati......, Local Policies/Security Options, Network Security
Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients (and Servers) - Require NTLMv2 session security and Require 128-bit encryption
My question is: if we apply this group policy to one DC only, will it affect any other domain-wide communication, e.g. PCs to other DCs, member servers to other DCs, DCs to DCs etc.? I understand that after policy application the DC may not function properly and we will need to test it and potentially relax some of the settings, but we cannot afford to risk the rest of the domain being affected. We are particularly concerned with the forcing of digitally signing or encrypting communications.
Can anyone help?
If configured incorrectly the policy might disable communication from or to the dc.
That being said, I think you are pretty safe applying the listed policy items.
MCP/MCSA/MCTS/MCITP -
NTP Service on Domain Controller have problem with cisco switch
Hello!
I have a Windows Server 2008 R2 SP1 Domain Controller with NTP services.
The Windows operating system clients get NTP time OK.
There is a problem with a Cisco switch: it can't get time from NTP.
Can anybody help me to fix the problem?
C:\Users\Sysuser>w32tm /query /configuration
[Configuration]
EventLogFlags: 2 (Local)
AnnounceFlags: 5 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 1800 (Local)
MaxPosPhaseCorrection: 1800 (Local)
MaxAllowedPhaseOffset: 300 (Local)
FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)
[TimeProviders]
NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Policy)
ResolvePeerBackoffMaxTimes: 7 (Policy)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 0 (Policy)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Policy)
Type: NTP (Policy)
NtpServer: 10.7.0.4 (Policy)
NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)
VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
Cisco config and errors
CISCO1#show ntp ass det
10.7.0.7 configured, insane, invalid, stratum 3
ref ID 10.7.0.4, time D5BC850F.C8400AB2 (15:50:39.782 MSK Mon Aug 19 2013)
our mode client, peer mode server, our poll intvl 1024, peer poll intvl 1024
root delay 62.50 msec, root disp 11128.04, reach 377, sync dist 11218.796
delay 6.06 msec, offset -467951.1096 msec, dispersion 56.49
precision 2**6, version 3
org time D5BC8864.F79C33A7 (16:04:52.967 MSK Mon Aug 19 2013)
rcv time D5BC8A38.EBDECB39 (16:12:40.921 MSK Mon Aug 19 2013)
xmt time D5BC8A38.EA5173BE (16:12:40.915 MSK Mon Aug 19 2013)
filtdelay = 6.06 5.87 3.23 7.90 6.41 5.17 13.03 3.43
filtoffset = -467951 -467905 -467936 -467885 -467764 -467816 -467707 -467697
filterror = 0.02 15.64 31.27 46.89 62.52 78.14 93.75 93.78
Hi,
>>I gave log on as a service right to this account in Default Domain Controllers Policy but unfortunately it was not enough
Based on your description, we can try to grant this account the Allow log on locally user right in the Default Domain Controllers Policy to see if it helps.
The policy setting is:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally
Allow log on locally
http://technet.microsoft.com/en-us/library/cc756809(v=ws.10).aspx#feedback
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Best regards,
Frank Shen -
By default, two policies are created when you dcpromo a server: Default Domain Policy and Default Domain Controllers Policy. These policies should have GUIDs of {31B2F340-016D-11D2-945F-00C04FB984F9} and {31B2F210-016D-11D2-945F-00C04FB981F1} respectively. However, in my 2003 domain, someone had renamed the Default Domain Policy and put a new one named "Default Domain Policy" in its place. To make things worse, the Default Domain Controller Policy is missing but a new policy called "Default Domain Controllers Policy" is in its place. I currently have the following:
Default Domain Policy -> {C0C9ADF5-8E49-499C-87B2-2804931871DA}
Default Domain Policy - Disabled Original -> {31B2F340-016D-11D2-945F-00C04FB984F9}
Default Domain Controllers Policy -> {6AC1786C-016F-11D2-945F-00C04fB984F9}
I do not have backups of the original policies. I suspect the policies have been in this state for at least a year, if not longer.
What is the impact of leaving the policies in their current state?
Should I attempt to restore the original policies using dcgpofix.exe?
Will using dcgpofix cause any issues with my Exchange 2003 or SMS 2003 environments?
Thanks,
Sean
Hi,
The default policies created by the system should be:
Default Domain Policy
{31B2F340-016D-11D2-945F-00C04FB984F9}
Default Domain Controllers Policy
{6AC1786C-016F-11D2-945F-00C04fB984F9}
These two policies are built-in policies that define the default settings applied to domain users and computers.
In this issue, I’d like to know whether the original Default Domain Policy is still linked to the domain or not. If yes, it will be OK even though it is renamed.
Regards,
Miles Li
Microsoft Online Community Support
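As an added check (not from any of the replies above), assuming the GroupPolicy and ActiveDirectory RSAT modules are installed on a domain-joined admin workstation, the following PowerShell script verifies the two built-in GPOs against the well-known GUIDs given in the reply and reports whether the Default Domain Controllers Policy is still linked to the Domain Controllers OU, its link order, and whether it has been set to Enforced (the situations discussed in the enforced-DDCP and unlinked-DDCP threads above).

```powershell
# Added example, not from the thread. Verify the two built-in GPOs exist under
# their well-known GUIDs and inspect how the Default Domain Controllers Policy
# is linked to the Domain Controllers OU. Requires RSAT: GroupPolicy + ActiveDirectory.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcOU   = $domain.DomainControllersContainer   # e.g. OU=Domain Controllers,DC=corp,DC=example

# Well-known GUIDs of the two default GPOs, as quoted in the reply above.
$defaults = @{
    'Default Domain Policy'             = '31B2F340-016D-11D2-945F-00C04FB984F9'
    'Default Domain Controllers Policy' = '6AC1786C-016F-11D2-945F-00C04fB984F9'
}

foreach ($name in $defaults.Keys) {
    $guid = $defaults[$name]
    try {
        $gpo = Get-GPO -Guid $guid -Domain $domain.DNSRoot -ErrorAction Stop
        if ($gpo.DisplayName -ne $name) {
            # GPO exists but somebody renamed it (the situation in the question above).
            Write-Warning "GPO $guid exists but is named '$($gpo.DisplayName)' (expected '$name')."
        } else {
            Write-Output "OK: '$name' found under $guid."
        }
    } catch {
        Write-Warning "No GPO with GUID $guid ('$name'); a differently named GPO may have replaced it."
    }
}

# Inspect the GPO links on the Domain Controllers OU.
$inh      = Get-GPInheritance -Target $dcOU -Domain $domain.DNSRoot
$ddcpGuid = [guid]$defaults['Default Domain Controllers Policy']
$ddcpLink = $inh.GpoLinks | Where-Object { $_.GpoId -eq $ddcpGuid }

if (-not $ddcpLink) {
    Write-Warning "The Default Domain Controllers Policy is NOT linked to $dcOU."
} else {
    Write-Output ("DDCP link: Enabled={0} Enforced={1} Order={2}" -f
        $ddcpLink.Enabled, $ddcpLink.Enforced, $ddcpLink.Order)
    if ($ddcpLink.Enforced) {
        Write-Warning "DDCP is set to Enforced; this is not the default and is normally unnecessary on the Domain Controllers OU."
    }
}

# List every GPO linked to the Domain Controllers OU in link order, so custom GPOs
# that take precedence over the DDCP (lowest Order wins) are visible.
$inh.GpoLinks | Sort-Object Order | Format-Table Order, DisplayName, Enabled, Enforced, GpoId -AutoSize
```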
-
Unable to log onto domain controller with user account
Hi,
I am able to log onto my DC as domain admin. I cannot log on as myself. I do not see what I am missing in the GPO to make this happen. I am part of a server admin group and would like the server admin group to be able to log on to the domain controller to maintain the server.
Any suggestions?
Wave~Chaser
Log on to this DC and run rsop.msc and check the following policies:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally
Add yourself to Allow log on locally (in the Default Domain Controller Policy, as I mentioned above) and make sure your user account does not belong to any group that has Deny log on locally.
Please take a moment to Vote as Helpful and/or Mark as Answer where applicable. Thanks. -
I have configured the Default Domain Controller's policy to log SUCCESS for Account Logon Events in the Server 2008 R2 Domain Controller, but these events are not logging in the Security Event log.
Default Domain Controllers Policy
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policies/Audit Account Logon Events = Success.
What tools can I use to troubleshoot this further? The results of "Auditpol.exe /get /category:*" are below.
System audit policy
Category/Subcategory Setting
System
Security System Extension No Auditing
System Integrity No Auditing
IPsec Driver No Auditing
Other System Events No Auditing
Security State Change No Auditing
Logon/Logoff
Logon No Auditing
Logoff No Auditing
Account Lockout No Auditing
IPsec Main Mode No Auditing
IPsec Quick Mode No Auditing
IPsec Extended Mode No Auditing
Special Logon No Auditing
Other Logon/Logoff Events No Auditing
Network Policy Server No Auditing
Object Access
File System No Auditing
Registry No Auditing
Kernel Object No Auditing
SAM No Auditing
Certification Services No Auditing
Application Generated No Auditing
Handle Manipulation No Auditing
File Share No Auditing
Filtering Platform Packet Drop No Auditing
Filtering Platform Connection No Auditing
Other Object Access Events No Auditing
Detailed File Share No Auditing
Privilege Use
Sensitive Privilege Use No Auditing
Non Sensitive Privilege Use No Auditing
Other Privilege Use Events No Auditing
Detailed Tracking
Process Termination No Auditing
DPAPI Activity No Auditing
RPC Events No Auditing
Process Creation No Auditing
Policy Change
Audit Policy Change No Auditing
Authentication Policy Change No Auditing
Authorization Policy Change No Auditing
MPSSVC Rule-Level Policy Change No Auditing
Filtering Platform Policy Change No Auditing
Other Policy Change Events No Auditing
Account Management
User Account Management No Auditing
Computer Account Management No Auditing
Security Group Management No Auditing
Distribution Group Management No Auditing
Application Group Management No Auditing
Other Account Management Events No Auditing
DS Access
Directory Service Changes No Auditing
Directory Service Replication No Auditing
Detailed Directory Service Replication No Auditing
Directory Service Access No Auditing
Account Logon
Kerberos Service Ticket Operations No Auditing
Other Account Logon Events No Auditing
Kerberos Authentication Service No Auditing
Credential Validation Success
Hi Lawrence,
After configuring the GPO, did we run the command gpupdate /force to update the policy immediately on the domain controller? Besides, please run the command gpresult /h c:\gpreport.html to check if the audit policy setting was applied successfully.
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Best regards,
Frank Shen -
Unable to edit Default Domain policy on Server 2012 R2 domain controller
Hello,
I recently built a Server 2012 R2 domain controller and added it to my domain. When trying to edit the default domain policy I get the following error:
I can make edits to other GPO objects. All the other domain controllers are Server 2008 and are able to edit that GPO. The issue is on the Server 2012 box only. I've checked the delegated permissions, I'm a domain admin, and have opened GPMC as administrator. Does anyone know what I'm missing? Thank you for your time.
Tino
Hi Tino,
>>Could that be the problem?
I don't think so, for we can still use FRS to replicate SYSVOL. However, it is recommended that we use DFSR to replicate SYSVOL if our domain functional level is Windows Server 2008 or above.
Besides, we can follow the suggestions from the following thread to check out which replication mechanism we are using.
DFS-R on 2008 R2 by default?
http://social.technet.microsoft.com/Forums/windowsserver/en-US/8f2042d3-193d-4414-b9da-cbcedc6a4c32/dfsr-on-2008-r2-by-default?forum=winserverDS
If the SYSVOL is replicated by the FRS mechanism, as I suggested in the last reply, we can do a non-authoritative restore for the SYSVOL on the new Windows Server 2012. This will restore the SYSVOL from a healthy DC.
To perform a nonauthoritative restore, stop the FRS service, configure the BurFlags registry key, and then restart the FRS service. To do so:
1. Click Start, and then click Run.
2. In the Open box, type cmd and then press ENTER.
3. In the Command box, type net stop ntfrs.
4. Click Start, and then click Run.
5. In the Open box, type regedit and then press ENTER.
6. Locate the following subkey in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
7. In the right pane, double-click BurFlags.
8. In the Edit DWORD Value dialog box, type D2 and then click OK.
9. Quit Registry Editor, and then switch to the Command box.
10. In the Command box, type net start ntfrs.
11. Quit the Command box.
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Hope it helps.
Best regards,
Frank Shen