Default Domain Controller Policy

Hello All,
We will be starting promotion of Windows Server 2012 R2 Domain Controller in our organisation. For that we are trying to implement the Default Domain Controller Policy for 2012 r2 related.
We already have Account Policies, Password policy, Audit Policy and Security Option Firewall Settings
But would like your advice about any new features which we can applied in our Default Domain Controller
policy.
Thanks.
Thanks HA

Hi,
>>But would like your advice about any new features which we can applied in our Default Domain
Controller policy.
Regarding this point, the following articles can be referred to as reference.
Chapter 4: Strengthening Domain and Domain Controller Policy Settings
https://technet.microsoft.com/en-us/library/cc773205(v=ws.10).aspx
Applying Selected Domain and Domain Controller Policy Settings
https://technet.microsoft.com/en-us/library/cc773164(v=ws.10).aspx
Best regards,
Frank Shen
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

Similar Messages

  • Default domain controller policy audit

    If I enable auditing in default domain controller policy, I see event only from all domain controller or see event from all workstation in domain, or I should create new audit GPO and then linked it to workstation UO?

    If I enable auditing in default domain controller policy, I see event only from all domain controller or see event from all workstation in domain, or I should create new audit GPO and then linked it to workstation UO?
    If I enable auditing in default domain controller policy, I see event only from all domain controller or
    see event from all workstation in domain
    ---NO you wont see workstations, only if editing the default domain policy, as described prior best practice would be to create a new GPO with a great name that you
    wont mix up such as "workstation audit GPO" and link to the site, domain or OU you require.
    Its not great practise IMO adding loads of stuff to default domain policy when you want to troubleshoot best to segregate GPOS with great easy to
    interpret names for brevity 

  • Reboot domain controller changes audit policy on Default Domain Controller Policy

    This has been happening for a long time no matter whether my DCs were running Windows Server 2003 or, as they are now, are running Windows Server 2012 R2. It happens on DCs in one particular site, but the policy change it causes is domain-wide.
    I have 2 DCs at that site, every time one of them is rebooted, the following policy is turned off, from Success and Failure to No auditing:
    Default Domain Controllers Policy - Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies/Audit Policy.
    I have monitoring application relying on this policy being turned on, and if it's off, it's being reported. The monitoring application knows the change, but it doesn't know how the change was made.
    All my DCs are running Windows Server 2012 R2, DFL 2008 R2.
    Thanks and regards.

    Hi,
    >>I have 2 DCs at that site, every time one of them is rebooted, the following policy is turned off, from Success and Failure to No auditing:
    Did we try to run command gpresult/h report.html with admin privileges to collect group policy result report to check how the policy setting was  applied after rebooting?  Besides, we can also try to run command
    auditpol /get / category:* from an elevated command prompt to check what audit settings are applied.
    Best regards,
    Frank Shen
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • PrepareDomain should it modify the Domain Controller Policy?

    I have Exchange 2010 installed with two servers in a DAG.  I recently ran into a problem were two of the domain controllers were down and had to reboot both Exchange servers.  Exchange would not come back online because of the missing SACL right
    on the other domain controllers.
    http://blogs.technet.com/b/richardroddy/archive/2010/06/16/msexchange-adaccess-dsaccess-errors-and-the-manage-auditing-and-security-right.aspx
    I went ahead and ran exchange "setup /preparedomain" and I was able to get my DAG running again but when I check the "Default Domain Controllers Policy" it is not modified to allow the "Exchange Servers" group manage auditing
    and security log like I would expect it to.  There are no errors but it only modified the local domain controller policy.  So I would have to run this on every domain controller.

    Hi,
    According to your description, it seems like DC replication issue.
    I recommend you refer to the follwoing article to force sync manually:
    Force Replication Between Domain Controllers
    You can use this procedure to force Active Directory replication to occur between two domain controllers on a one-time basis when you want changes to be replicated from the server that received the changes to a server in another site sooner than the
    site link schedule allows. As an alternative, you can synchronize replication with all replication partners.
    Thanks.
    Niko Cheng
    TechNet Community Support

  • Can't edit default domain controllers policy on windows 8 or server 2012

    I have found that I can't edit the "Default Domain Controllers Policy" from a Windows 8 or Server 2012 machine.  I can edit and save changes fine from a Windows 7 machine.  The domain controllers are running Windows 2012 Standard upgraded
    from Windows 2008 R2.  Is there a security setting I am missing?

    Posting the resolution from the other thread.  Hope it helps!
    I just accidentally resolved this issue today.  I added the GPMC to a 2008 R2 server so I could make a needed firewall
    change within the Windows Firewall with Advanced Security section of the Default Domain Controllers GPO (I enabled the Remote Event Log management rule for the Domain profile).  About an hour later, I forgot I was using my Windows 8 machine and I went
    to edit the Default Domain Controllers GPO and opened for edit without a problem.  I can now edit it from Windows 8 and from Windows Server 2012.  Until now, I was using a Windows 7 VM to make the edits, so in my case the problem was resolved by
    editing the GPO once from a 2008 R2 machine.

  • Windows 2012 R2 default domain controllers policy set to enforced

    Hi Guys,
    So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2 and so far everything is running ok. Had a few problems relating to orphaned DC's but have cleared this up now. However, i'm now trying to get to grips with using group policy. When
    i migrated, the old policy settings seemed to have come across and things seem to be still locked down ok, in relation to certain OUs. I run a network at our local college so i have a student container which applies a lock-down policy. All these GPOs where
    previously setup by someone else.
    I setup a test network at home before i did the said migration and am now comparing some group policy settings, namely the default ones, and i have noticed that default domain controllers policy has been set to enforced on my newly migrated domain. At home
    on my test server i see it is not enforced by default and am wondering why this is? I have been reading up but i can't find anything that tells me it should be enforced but wary to disable this setting. The students return on Monday so i don't want to mess
    it up at this stage.
    One thing that i did find odd is when i first opened up the GPO's, i was prompted with a message which stated that the policies in the sysvol folder where not consistent with the ones in AD so i followed its recommendation to update.
    Any advise you guys have on this would be greatly appreciated.
    David

    > So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2
    > and so far everything is running ok.
    This does NOT touch any GPOs, so your GPOs are not "migrated" or
    something like that - they are still what they were before.
    > enforced on my newly migrated domain. At home on my test server i see it
    > is not enforced by default and am wondering why this is?
    "A sever misunderstanding of how group policy inheritance and link order
    works" is the closest reason I see for this. The DDCP is linked to
    "Domain Controllers", and as long as you do not create subordinate OUs
    there (which I've never seen) and block inheritance on them, there's no
    reason to enforce.
    To add my experience from the field: When I see enforced GPOs, in most
    cases this enforcement is not required. People simply use it because
    they do not understand "link order".
    > One thing that i did find odd is when i first opened up the GPO's, i was
    > prompted with a message which stated that the policies in the sysvol
    > folder where not consistent with the ones in AD so i followed its
    > recommendation to update.
    That's fairly ok and nothing to hassle about.
    Martin
    Mal ein
    GUTES Buch über GPOs lesen?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • Restore Default Domain Controllers Policy in its original state

    Hello,
    Our domain has 2003 DCs. For some reason, someone has unlinked Default Domain Controllers Policy from Domain Controllers OU and also modified it extensively.
    Domain Controllers OU has a GPO with basically same settings as DDCP but it has also been heavily modified.
    I'm in the process of upgrading our domain to 2012 level and would like to sort out DDCP before doing so.
    What would be the best course of action to restore DDCP in its place? I was planning to match all settings between custom GPO and currently unlinked DDCP and then disable custom GPO and enable DDCP. But sincerily I'm not sure what would be the best way to
    go.

    Hi,
    Any update?
    Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
    Best Regards,
    Andy Qi
    TechNet Subscriber Support
    If you are
    TechNet Subscription user and have any feedback on our support quality, please send your feedback
    here.
    Andy Qi
    TechNet Community Support

  • Default domain Group Policy

    Hello,
    In my new company, I noticed that the default domain controllers policy has been (largely) modified.
    I thought it was a best practice to keep it clean (In case of restore).
    So I would like to create a new GPOs for my DCs to move some of those settings out of the default domain policy.
    For example, "Add workstations to domain". If I want to create a new policy for this particular setting, what kind of rules am I supposed to follow to make sure that my new setting will be applied before the default DC policy ?
    Is the GPO Link order enough ?
    Thank you

    Hi,
    Just a confirmation, did you mean that want to overwrite some settings in the
    Default Domain Controllers Policy?
    Within each domain, site, and OU, the
    Link Order controls the order in which GPOs are applied. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the
    Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest
    Link Order is processed last, and therefore has the highest precedence. Since Default Domain Controllers Policy is linked to the Domain Controllers organizational unit, you can create a new GPO and link it to this Domain Controllers organizational
    unit, then control thier order of them via Link Order.
    If anything I misunderstand or any update, please feel free to let us know.
    Hope this helps.
    Best regards,
    Justin Gu

  • Unable to edit the "Default Domain Controllers Policy" from a Server 2012 machine

    I am unable to edit the "Default Domain Controllers Policy" from a Server 2012 machine. The error message i recieve is:
    "Failed to open the group policy object.  You might not have the appropriate rights.  Details: The volume for a file has been externally altered so that the open file is no longer valid."
    The domain controllers are running Windows 2012 R2 upgraded from Windows 2008 R2, the domain functional level is Server 2012.
    I am able to edit the policy from both a Windows 7 and Server 2008 R2 machine.
    The following post is identical however the fix for them does not work for me:
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/2d968a05-2cff-4dd0-9c5d-dd810d1fa66f/cant-edit-default-domain-controllers-policy-on-windows-8-or-server-2012
    Any ideas?

    MuhammadUmar
    Yes, the Unique ID is available on 2012 server
    Lany Zhang
    This only affects the default domain controllers policy object
    Another user added to amins and tested has no effect
    It is the same on another server
    DCDiag passes all tests
    Thanks for all your help so far

  • Applying Domain controller policy to only one DC on a domain

    We want to apply the Microsoft supplied group policy "MSFT Windows Server 2012 R2 Domain controller Baseline" to only 1 out of our 6 Server 2012 R2 Domain controllers. This server is also set-up as an RODC and is in a DMZ
    hence hardening.
    Some of the settings within this policy would seem to be applicable to a domain rather than an individual server (DC), even though they are listed under "Local Policies".
    The following are only some examples, there may be others.......
    Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies/Security Options, Other
    Domain member: Digitally encrypt or sign secure channel data (always)
    Microsoft network server: Digitally sign communications (always)
    Computer Configuration, Policies, Windows Settings, Security Settings, Local Polices/Security Options, Domain Controller
    Domain Controller: LDAP server signing requirements - Require signing
    Computer Configurati......, Local Policies/Security Options, Network Security
    Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients (and Servers) - Require NTLMv2 session security and Require 128-bit encryption
    My question is - If we apply this group policy to one DC only, will it affect any other Domain wide communication e.g. PCs to other DCs, Member servers to other DCs, DCs to DCs etc? I understand that after policy application, the DC may not function
    properly and we will need to test it and potentially relax some of the settings but we cannot afford to risk the rest of the domain from being affected. We are particularly concerned with the forcing of Digitally signing or encypting communications.
    Can anyone help?
    

    If configured incorrectly the policy might disable communication from or to the dc.
    That being said, I think you are pretty safe applying the listed policy items.
    MCP/MCSA/MCTS/MCITP

  • NTP Service on Domain Controller have problem with cisco switch

    Hello!
    I  have Windows Server 2008 R2 SP1 Domain Controller with NTP services
    The windows opertion system clients get NTP time ok.
    There are problem with cisco switch, can't get time from NTP.
    Can anybody help me to fix problem?
    C:\Users\Sysuser>w32tm /query /configuration
    [Configuration]
    EventLogFlags: 2 (Local)
    AnnounceFlags: 5 (Local)
    TimeJumpAuditOffset: 28800 (Local)
    MinPollInterval: 6 (Local)
    MaxPollInterval: 10 (Local)
    MaxNegPhaseCorrection: 1800 (Local)
    MaxPosPhaseCorrection: 1800 (Local)
    MaxAllowedPhaseOffset: 300 (Local)
    FrequencyCorrectRate: 4 (Local)
    PollAdjustFactor: 5 (Local)
    LargePhaseOffset: 50000000 (Local)
    SpikeWatchPeriod: 900 (Local)
    LocalClockDispersion: 10 (Local)
    HoldPeriod: 5 (Local)
    PhaseCorrectRate: 7 (Local)
    UpdateInterval: 100 (Local)
    [TimeProviders]
    NtpClient (Local)
    DllName: C:\Windows\system32\w32time.dll (Local)
    Enabled: 1 (Local)
    InputProvider: 1 (Local)
    AllowNonstandardModeCombinations: 1 (Local)
    ResolvePeerBackoffMinutes: 15 (Policy)
    ResolvePeerBackoffMaxTimes: 7 (Policy)
    CompatibilityFlags: 2147483648 (Local)
    EventLogFlags: 0 (Policy)
    LargeSampleSkew: 3 (Local)
    SpecialPollInterval: 3600 (Policy)
    Type: NTP (Policy)
    NtpServer: 10.7.0.4 (Policy)
    NtpServer (Local)
    DllName: C:\Windows\system32\w32time.dll (Local)
    Enabled: 1 (Local)
    InputProvider: 0 (Local)
    AllowNonstandardModeCombinations: 1 (Local)
    VMICTimeProvider (Local)
    DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
    Enabled: 1 (Local)
    InputProvider: 1 (Local)
    Cisco config and errors
    CISCO1#show ntp ass det
    10.7.0.7 configured, insane, invalid, stratum 3
    ref ID 10.7.0.4, time D5BC850F.C8400AB2 (15:50:39.782 MSK Mon Aug 19 2013)
    our mode client, peer mode server, our poll intvl 1024, peer poll intvl 1024
    root delay 62.50 msec, root disp 11128.04, reach 377, sync dist 11218.796
    delay 6.06 msec, offset -467951.1096 msec, dispersion 56.49
    precision 2**6, version 3
    org time D5BC8864.F79C33A7 (16:04:52.967 MSK Mon Aug 19 2013)
    rcv time D5BC8A38.EBDECB39 (16:12:40.921 MSK Mon Aug 19 2013)
    xmt time D5BC8A38.EA5173BE (16:12:40.915 MSK Mon Aug 19 2013)
    filtdelay =     6.06    5.87    3.23    7.90    6.41    5.17   13.03    3.43
    filtoffset = -467951 -467905 -467936 -467885 -467764 -467816 -467707 -467697
    filterror =     0.02   15.64   31.27   46.89   62.52   78.14   93.75   93.78

    Hi,
     >>I gave log on as a service right to this account in Default Domain Controllers Policy but unfortunately it was not enough
    Based on your description, we can try to grant this account Allow log on locally
    user right in the default domain controller policy to see if it helps.
    The policy setting is:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally
    Allow log on locally
    http://technet.microsoft.com/en-us/library/cc756809(v=ws.10).aspx#feedback
    TechNet Subscriber Support
    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
    Best regards,
    Frank Shen

  • Default Domain Policies

    By default, two polices are created when you dcpromo a server: Default Domain Policy, and Default Domain Controllers Policy. These polices should have guids of {31B2F340-016D-11D2-945F-00C04FB984F9} and {31B2F210-016D-11D2-945F-00C04FB981F1} respectively. However, in my 2003 domain, someone had renamed the default domain policy and put a new one named "Default Domain Policy". To make things worse, the Default Domain Controller Policy is missing but a new policy called "Default Domain Controllers Policy" is in its place. I currently have the following:
    Default Domain Policy -> {C0C9ADF5-8E49-499C-87B2-2804931871DA}
    Default Domain Policy - Disabled Original -> {31B2F340-016D-11D2-945F-00C04FB984F9}
    Default Domain Controllers Policy -> {6AC1786C-016F-11D2-945F-00C04fB984F9}
    I do not have backups of the original policies. I suspect the polices have been in this state for at least a year if not longer.
    What is the impact of leaving the policies in their current state?
    Should I attempt to restore the original policies using dcgpofix.exe?
    Will using dcgpofix cause any issues with my Exchange 2003 or SMS 2003 environments?
    Thanks,
    Sean

    Hi,
    The default policies created by the system should be:
    Default Domain Policy
    {31B2F340-016D-11D2-945F-00C04FB984F9}
    Default Domain Controllers Policy
    {6AC1786C-016F-11D2-945F-00C04fB984F9}
    These two policies are built-in policies that define default settings applies to domain users and computers.
    In this issue, I’d like to know whether the original Default Domain Policy is still linked to the domain or not. If yes, it will be OK even though it is renamed.
    Regards,
    Miles Li
    Microsoft Online Community Support
     

  • Unable to log onto domain controller with user account

    Hi,
    I am able to log onto my DC as domain admin. I cannot log on as myself. I do not see what I am missing in the GPO to make this happen? I am part of a server admin group and would like the server admin group to be able to log on to the domain controller to
    maintain the server. 
    Any suggestions?
    Wave~Chaser

    Log on to this DC and run rsop.msc and check the following policies:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally
    Add your self to Allow log on locally
    (in default domain controller policy - as I mentioned above) and make sure your user account not belong to any group that have Deny log on locally.
    Please take a moment to Vote as Helpful and/or Mark as Answer where applicable. Thanks.

  • Cannot generate Account Logon Events (Event ID 4624) in Security Event Log on Server 2008 R2 Domain Controller

    I have configured the Default Domain Controller's policy to log SUCCESS for Account Logon Events in the Server 2008 R2 Domain Controller, but these events are not logging in the Security Event log.
    Default Domain Controllers Policy
    Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policies/Audit Account Logon Events = Success.
    What tools can I use to troubleshoot this further? The results of "Auditpol.exe /get /category:*" are below.
    System audit policy
    Category/Subcategory                      Setting
    System
      Security System Extension               No Auditing
      System Integrity                        No Auditing
      IPsec Driver                            No Auditing
      Other System Events                     No Auditing
      Security State Change                   No Auditing
    Logon/Logoff
      Logon                                   No Auditing
      Logoff                                  No Auditing
      Account Lockout                         No Auditing
      IPsec Main Mode                         No Auditing
      IPsec Quick Mode                        No Auditing
      IPsec Extended Mode                     No Auditing
      Special Logon                           No Auditing
      Other Logon/Logoff Events               No Auditing
      Network Policy Server                   No Auditing
    Object Access
      File System                             No Auditing
      Registry                                No Auditing
      Kernel Object                           No Auditing
      SAM                                     No Auditing
      Certification Services                  No Auditing
      Application Generated                   No Auditing
      Handle Manipulation                     No Auditing
      File Share                              No Auditing
      Filtering Platform Packet Drop          No Auditing
      Filtering Platform Connection           No Auditing
      Other Object Access Events              No Auditing
      Detailed File Share                     No Auditing
    Privilege Use
      Sensitive Privilege Use                 No Auditing
      Non Sensitive Privilege Use             No Auditing
      Other Privilege Use Events              No Auditing
    Detailed Tracking
      Process Termination                     No Auditing
      DPAPI Activity                          No Auditing
      RPC Events                              No Auditing
      Process Creation                        No Auditing
    Policy Change
      Audit Policy Change                     No Auditing
      Authentication Policy Change            No Auditing
      Authorization Policy Change             No Auditing
      MPSSVC Rule-Level Policy Change         No Auditing
      Filtering Platform Policy Change        No Auditing
      Other Policy Change Events              No Auditing
    Account Management
      User Account Management                 No Auditing
      Computer Account Management             No Auditing
      Security Group Management               No Auditing
      Distribution Group Management           No Auditing
      Application Group Management            No Auditing
      Other Account Management Events         No Auditing
    DS Access
      Directory Service Changes               No Auditing
      Directory Service Replication           No Auditing
      Detailed Directory Service Replication  No Auditing
      Directory Service Access                No Auditing
    Account Logon
      Kerberos Service Ticket Operations      No Auditing
      Other Account Logon Events              No Auditing
      Kerberos Authentication Service         No Auditing
      Credential Validation                   Success

    Hi Lawrence,
    After configuring the GPO, did we run command gpupdate/force to update the policy immediately on domain controller? Besides, please run command gpresult/h c:\gpreport.html to check if the audit policy
    setting was applied successfully.
    TechNet Subscriber Support
    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
    Best regards,
    Frank Shen

  • Unable to edit Default Domain policy on Server 2012 R2 domain controller

    Hello,
    I recently built a Server 2012 R2 domain controller and added it to my domain.  When trying to edit the default domain policy I get the following error:
    I can make edits to other GPO objects.  All the other domain controllers are Server 2008 and are able to edit that GPO.  The issue is on the Server 2012 box only.  I've checked the delegated permissions, I'm a domain admin, and have opened
    GPMC as administrator.  Does anyone know what I'm missing?  Thank you for your time.
    Tino

    Hi Tino,
    >>Could that be the problem?
    I don't think so, for we can still use FRS to replicate Sysvol. However, it is recommended that we use DFSR to replicate Sysvol if our domain
    function level is Windows Server 2008 or above.
    Besides, we can follow the suggestions from the following thread to check out which replication mechanism we are using.
    DFS-R on 2008 R2 by default?
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/8f2042d3-193d-4414-b9da-cbcedc6a4c32/dfsr-on-2008-r2-by-default?forum=winserverDS
    If the Sysvol is replicated by FRS mechanism, as I suggested in the last reply, we can do a non-authoritative restore for the Sysvol on the new Windows
    Server 2012. This will restore the Sysvol from a healthy DC.
    To perform a nonauthoritative restore, stop the FRS service, configure the BurFlags registry key, and then restart the FRS service. To do so:
    1. Click Start, and then click Run.
    2. In the Open box, type cmd and then press ENTER.
    3. In the Command box, type net stop ntfrs.
    4. Click Start, and then click Run.
    5. In the Open box, type regedit and then press ENTER.
    6. Locate the following subkey in the registry:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
    7. In the right pane, double-click BurFlags.
    8. In the Edit DWORD Value dialog box, type D2 and then click OK.
    9. Quit Registry Editor, and then switch to the Command box.
    10. In the Command box, type net start ntfrs.
    11. Quit the Command box.
    TechNet Subscriber Support
    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
    Hope it helps.
    Best regards,
    Frank Shen

Maybe you are looking for