Impact of Controller Policy on ASM

This is to share with everyone my discoveries in regard to Controller Policy for ASM (Automatic Storage Management) in a JBOD (just a bunch of disks) configuration.
As it turns out, it makes a big difference in performance how you set your controller policy. I tested various settings for the READ POLICY: ADAPtive read-ahead, (always) Read-Ahead, or NO-Read-Ahead; and CACHE POLICY: Cache I/O, or Direct I/O. WRITE POLICY was kept at Write-Back, with Write-Through not tested (Warning).
This test showed the best performance is attained if you set Read Policy to NO_READAHEAD, Cache Policy to DIRECTIO, and Write Policy to WRITEBACK. The SQL used are more suitable for OLAP than OLTP. (Time is in min:sec)
| Test (Read Policy / Cache Policy) | ADAP / CACHEIO | ADAP / DIRECTIO | NO-RA / DIRECTIO | RA / DIRECTIO |
|---|---|---|---|---|
| Complex CTAS 3tbl join | 9:13 | 6:45 | 5:19 | 6:50 |
| Full Table Scan 120mil recs | 6:49 | 5:58 | 3:53 | 7:02 |
| Full Scan of IOT Table 100mil rec | 4:41 | 3:42 | 3:39 | 3:44 |
These tests were conducted on two Dell PowerVaults with 28 x 136 GB 15K RPM drives and one PERC RAID controller set to eliminate any RAID so ASM would provide all mirroring by scattering 1 MB Allocation Unit copies over various disks. Other specs: Windows Server 2003 SP2, Dell 1850 3.6 GHz Xeon CPU. Oracle 10g Standard Edition One. Parameter db_file_multiblock_read_count is set to read 1 MB.
Your configuration will not match mine, but this test does show that it is worth the time to invest in empirical measurements of controller policy performance. DO NOT TAKE CONTROLLER POLICY FOR GRANTED AND GO WITH THE DEFAULT POLICY OR ANY OUT OF THE BOX SOLUTION. This test showed that READ-AHEAD IS HARMFUL FOR ASM with 1MB AU and 1 MB db_file_multiblock_read_count. I speculate that either Oracle ASM may be issuing its own intelligent read-ahead, or the ASM scatter of 1MB chunks renders single-disk read-ahead useless & excessive, or both.
I am very interested in reading your discoveries in tuning controller policy for ASM.

1: Why not try with 2 PERC adapters? The single adapter would be a SPOF and a possible bottleneck.
Good question; and you are correct. Normally we would use 2 controllers with 2 PowerVaults and cross-hatch the 4 cables. However, in this case we are planning to grow to 4 PowerVaults, 4 cables, and 2 PERCs (the max), so I need to plan on 2 PV per PERC.
2. Can we see your init.ora?
Sure. We do data mining, so our settings favor high throughput with minimal availability needs. Due to the amount of data moved via single-threaded execution (this is SE1) we are I/O constrained.
processes = 275
sessions = 308
__shared_pool_size = 176160768
__large_pool_size = 8388608
__java_pool_size = 159383552
java_pool_size = 159383552
sga_target = 1375731712
db_block_size = 16384
__db_cache_size = 838860800
db_keep_cache_size = 16777216
db_recycle_cache_size = 159383552
compatible = 10.2.0.3.0
log_buffer = 15244288
db_file_multiblock_read_count= 64
db_create_file_dest = +DATA
undo_management = AUTO
undo_tablespace = UNDOTBS1
undo_retention = 36000
job_queue_processes = 10
cursor_sharing = FORCE
open_cursors = 300
optimizer_mode = FIRST_ROWS_1000
optimizer_index_cost_adj = 1
optimizer_index_caching = 75
query_rewrite_integrity = TRUSTED
pga_aggregate_target = 1560281088
optimizer_dynamic_sampling= 3
3. Can we see the DDL for the ASM Disks/Diskgroups and the tablespace definitions?
Using diskpart.exe the disks were all set as:
create partition primary size=139264 align=64
One large +DATA disk-group was made over all of these disks, placing each disk in its own failure-group, with normal redundancy.
CREATE SMALLFILE TABLESPACE "SYSTEM"
DATAFILE '+DATA(DATAFILE)' SIZE 5120M
AUTOEXTEND ON NEXT 10240K
MAXSIZE 65535M
LOGGING
EXTENT MANAGEMENT LOCAL
SEGMENT SPACE MANAGEMENT MANUAL;
CREATE SMALLFILE TABLESPACE "SYSAUX"
DATAFILE '+DATA(DATAFILE)' SIZE 5120M
AUTOEXTEND ON NEXT 10240K
MAXSIZE 65535M LOGGING
EXTENT MANAGEMENT LOCAL
SEGMENT SPACE MANAGEMENT AUTO;
ALTER DATABASE ADD LOGFILE GROUP 1 ('+DATA(ARCHIVELOG)') SIZE 10240M;
ALTER DATABASE ADD LOGFILE GROUP 2 ('+DATA(ARCHIVELOG)') SIZE 10240M;
ALTER DATABASE ADD LOGFILE GROUP 3 ('+DATA(ARCHIVELOG)') SIZE 10240M;
CREATE BIGFILE TABLESPACE "REF1_DATA"
DATAFILE '+DATA(DATAFILE)' SIZE 150G
AUTOEXTEND ON NEXT 10G
MAXSIZE UNLIMITED
NOLOGGING
EXTENT MANAGEMENT LOCAL
UNIFORM SIZE 64M
SEGMENT SPACE MANAGEMENT AUTO;
CREATE BIGFILE TABLESPACE "USER_DATA"
DATAFILE '+DATA(DATAFILE)' SIZE 350G
AUTOEXTEND ON NEXT 5G
MAXSIZE UNLIMITED
LOGGING
EXTENT MANAGEMENT LOCAL
SEGMENT SPACE MANAGEMENT AUTO;
CREATE BIGFILE TABLESPACE "USER_INDEX"
DATAFILE '+DATA(DATAFILE)' SIZE 100G
AUTOEXTEND ON NEXT 5G
MAXSIZE UNLIMITED
NOLOGGING
EXTENT MANAGEMENT LOCAL
SEGMENT SPACE MANAGEMENT AUTO;
CREATE BIGFILE TEMPORARY TABLESPACE "TEMP"
TEMPFILE '+DATA(DATAFILE)' SIZE 184320M
AUTOEXTEND ON NEXT 640K
MAXSIZE 67092480M
EXTENT MANAGEMENT LOCAL UNIFORM SIZE 1024K;
ALTER DATABASE DEFAULT TEMPORARY TABLESPACE "TEMP";
CREATE BIGFILE UNDO TABLESPACE "UNDOTBS1"
DATAFILE '+DATA(DATAFILE)' SIZE 143360M REUSE;

Similar Messages

  • PrepareDomain should it modify the Domain Controller Policy?

    I have Exchange 2010 installed with two servers in a DAG.  I recently ran into a problem where two of the domain controllers were down and had to reboot both Exchange servers.  Exchange would not come back online because of the missing SACL right
    on the other domain controllers.
    http://blogs.technet.com/b/richardroddy/archive/2010/06/16/msexchange-adaccess-dsaccess-errors-and-the-manage-auditing-and-security-right.aspx
    I went ahead and ran exchange "setup /preparedomain" and I was able to get my DAG running again but when I check the "Default Domain Controllers Policy" it is not modified to allow the "Exchange Servers" group manage auditing
    and security log like I would expect it to.  There are no errors but it only modified the local domain controller policy.  So I would have to run this on every domain controller.

    Hi,
    According to your description, it seems like a DC replication issue.
    I recommend you refer to the following article to force sync manually:
    Force Replication Between Domain Controllers
    You can use this procedure to force Active Directory replication to occur between two domain controllers on a one-time basis when you want changes to be replicated from the server that received the changes to a server in another site sooner than the
    site link schedule allows. As an alternative, you can synchronize replication with all replication partners.
    Thanks.
    Niko Cheng
    TechNet Community Support

  • Default Domain Controller Policy

    Hello All,
    We will be starting promotion of Windows Server 2012 R2 Domain Controller in our organisation. For that we are trying to implement the Default Domain Controller Policy for 2012 r2 related.
    We already have Account Policies, Password policy, Audit Policy and Security Option Firewall Settings
    But would like your advice about any new features which we can apply in our Default Domain Controller policy.
    Thanks.
    Thanks HA

    Hi,
    >>But would like your advice about any new features which we can apply in our Default Domain Controller policy.
    Regarding this point, the following articles can be referred to as reference.
    Chapter 4: Strengthening Domain and Domain Controller Policy Settings
    https://technet.microsoft.com/en-us/library/cc773205(v=ws.10).aspx
    Applying Selected Domain and Domain Controller Policy Settings
    https://technet.microsoft.com/en-us/library/cc773164(v=ws.10).aspx
    Best regards,
    Frank Shen
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Default domain controller policy audit

    If I enable auditing in the default domain controller policy, will I see events only from all domain controllers, or see events from all workstations in the domain, or should I create a new audit GPO and then link it to the workstation OU?

    "If I enable auditing in default domain controller policy, I see event only from all domain controller or see event from all workstation in domain"
    No, you won't see workstations; only if editing the default domain policy. As described prior, best practice would be to create a new GPO with a great name that you won't mix up, such as "workstation audit GPO", and link it to the site, domain or OU you require.
    It's not great practice IMO adding loads of stuff to the default domain policy; when you want to troubleshoot, it is best to segregate GPOs with great, easy-to-interpret names for brevity.

  • Applying Domain controller policy to only one DC on a domain

    We want to apply the Microsoft supplied group policy "MSFT Windows Server 2012 R2 Domain controller Baseline" to only 1 out of our 6 Server 2012 R2 Domain controllers. This server is also set-up as an RODC and is in a DMZ
    hence hardening.
    Some of the settings within this policy would seem to be applicable to a domain rather than an individual server (DC), even though they are listed under "Local Policies".
    The following are only some examples, there may be others.......
    Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies/Security Options, Other
    Domain member: Digitally encrypt or sign secure channel data (always)
    Microsoft network server: Digitally sign communications (always)
    Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies/Security Options, Domain Controller
    Domain Controller: LDAP server signing requirements - Require signing
    Computer Configurati......, Local Policies/Security Options, Network Security
    Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients (and Servers) - Require NTLMv2 session security and Require 128-bit encryption
    My question is - If we apply this group policy to one DC only, will it affect any other Domain wide communication e.g. PCs to other DCs, Member servers to other DCs, DCs to DCs etc? I understand that after policy application, the DC may not function
    properly and we will need to test it and potentially relax some of the settings but we cannot afford to risk the rest of the domain from being affected. We are particularly concerned with the forcing of Digitally signing or encrypting communications.
    Can anyone help?
    

    If configured incorrectly the policy might disable communication from or to the dc.
    That being said, I think you are pretty safe applying the listed policy items.
    MCP/MCSA/MCTS/MCITP

  • Reboot domain controller changes audit policy on Default Domain Controller Policy

    This has been happening for a long time no matter whether my DCs were running Windows Server 2003 or, as they are now, are running Windows Server 2012 R2. It happens on DCs in one particular site, but the policy change it causes is domain-wide.
    I have 2 DCs at that site, every time one of them is rebooted, the following policy is turned off, from Success and Failure to No auditing:
    Default Domain Controllers Policy - Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies/Audit Policy.
    I have monitoring application relying on this policy being turned on, and if it's off, it's being reported. The monitoring application knows the change, but it doesn't know how the change was made.
    All my DCs are running Windows Server 2012 R2, DFL 2008 R2.
    Thanks and regards.

    Hi,
    >>I have 2 DCs at that site, every time one of them is rebooted, the following policy is turned off, from Success and Failure to No auditing:
    Did we try to run command gpresult /h report.html with admin privileges to collect group policy result report to check how the policy setting was applied after rebooting? Besides, we can also try to run command
    auditpol /get /category:* from an elevated command prompt to check what audit settings are applied.
    Best regards,
    Frank Shen

  • USB Controller with ASMedia ASM 104x chipset

    Hello, I have read here that this controller USB chipset did not work with the developer preview SDK. Can anybody confirm if this still holds true?
    Thank you.

    Still true, we only support Intel/Renesas.
    Carmine Sirignano - MSFT

  • Difference between domain controllers and group policy objects in GPMC

    Hello,
    Am in confusion, someone can tell me the difference between
    1.Domain controllers>default domain controller policy  and
    2.Group policy object>default domain controller policy
    In Group policy management console and also I would like to know where to define these categories. I normally use second option.
    I have attached screenshot for your information.
     regards,
    Dharanesh,

    This first/upper item is a link to the GPO, the second/lower item is the actual GPO.
    (notice the link, has a shortcut arrow showing)
    By default, when you double-click on a link, a message will display which says "you have clicked on a link....." and the message box offers a checkbox for "do not display this message again..."
    Effectively they are equivalent to a shortcut-to-a-file vs. the actual file.
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

  • NTP Service on Domain Controller have problem with cisco switch

    Hello!
    I have a Windows Server 2008 R2 SP1 Domain Controller with NTP services.
    The Windows operating system clients get NTP time OK.
    There is a problem with the Cisco switch; it can't get time from NTP.
    Can anybody help me to fix the problem?
    C:\Users\Sysuser>w32tm /query /configuration
    [Configuration]
    EventLogFlags: 2 (Local)
    AnnounceFlags: 5 (Local)
    TimeJumpAuditOffset: 28800 (Local)
    MinPollInterval: 6 (Local)
    MaxPollInterval: 10 (Local)
    MaxNegPhaseCorrection: 1800 (Local)
    MaxPosPhaseCorrection: 1800 (Local)
    MaxAllowedPhaseOffset: 300 (Local)
    FrequencyCorrectRate: 4 (Local)
    PollAdjustFactor: 5 (Local)
    LargePhaseOffset: 50000000 (Local)
    SpikeWatchPeriod: 900 (Local)
    LocalClockDispersion: 10 (Local)
    HoldPeriod: 5 (Local)
    PhaseCorrectRate: 7 (Local)
    UpdateInterval: 100 (Local)
    [TimeProviders]
    NtpClient (Local)
    DllName: C:\Windows\system32\w32time.dll (Local)
    Enabled: 1 (Local)
    InputProvider: 1 (Local)
    AllowNonstandardModeCombinations: 1 (Local)
    ResolvePeerBackoffMinutes: 15 (Policy)
    ResolvePeerBackoffMaxTimes: 7 (Policy)
    CompatibilityFlags: 2147483648 (Local)
    EventLogFlags: 0 (Policy)
    LargeSampleSkew: 3 (Local)
    SpecialPollInterval: 3600 (Policy)
    Type: NTP (Policy)
    NtpServer: 10.7.0.4 (Policy)
    NtpServer (Local)
    DllName: C:\Windows\system32\w32time.dll (Local)
    Enabled: 1 (Local)
    InputProvider: 0 (Local)
    AllowNonstandardModeCombinations: 1 (Local)
    VMICTimeProvider (Local)
    DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
    Enabled: 1 (Local)
    InputProvider: 1 (Local)
    Cisco config and errors
    CISCO1#show ntp ass det
    10.7.0.7 configured, insane, invalid, stratum 3
    ref ID 10.7.0.4, time D5BC850F.C8400AB2 (15:50:39.782 MSK Mon Aug 19 2013)
    our mode client, peer mode server, our poll intvl 1024, peer poll intvl 1024
    root delay 62.50 msec, root disp 11128.04, reach 377, sync dist 11218.796
    delay 6.06 msec, offset -467951.1096 msec, dispersion 56.49
    precision 2**6, version 3
    org time D5BC8864.F79C33A7 (16:04:52.967 MSK Mon Aug 19 2013)
    rcv time D5BC8A38.EBDECB39 (16:12:40.921 MSK Mon Aug 19 2013)
    xmt time D5BC8A38.EA5173BE (16:12:40.915 MSK Mon Aug 19 2013)
    filtdelay =     6.06    5.87    3.23    7.90    6.41    5.17   13.03    3.43
    filtoffset = -467951 -467905 -467936 -467885 -467764 -467816 -467707 -467697
    filterror =     0.02   15.64   31.27   46.89   62.52   78.14   93.75   93.78

    Hi,
     >>I gave log on as a service right to this account in Default Domain Controllers Policy but unfortunately it was not enough
    Based on your description, we can try to grant this account Allow log on locally
    user right in the default domain controller policy to see if it helps.
    The policy setting is:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally
    Allow log on locally
    http://technet.microsoft.com/en-us/library/cc756809(v=ws.10).aspx#feedback
    Best regards,
    Frank Shen

  • Unable to log onto domain controller with user account

    Hi,
    I am able to log onto my DC as domain admin. I cannot log on as myself. I do not see what I am missing in the GPO to make this happen? I am part of a server admin group and would like the server admin group to be able to log on to the domain controller to
    maintain the server. 
    Any suggestions?
    Wave~Chaser

    Log on to this DC and run rsop.msc and check the following policies:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally
    Add yourself to Allow log on locally
    (in default domain controller policy - as I mentioned above) and make sure your user account does not belong to any group that has Deny log on locally.
    Please take a moment to Vote as Helpful and/or Mark as Answer where applicable. Thanks.

  • Custom Password Policy Settings

    Hello Friends,
    I am doing the server practical in virtual environment and wish to set a normal password for the test user "Robert Garcia"  so I disabled the password policy requirement in the gpmc.msc under "Default Domain Policy" and then did a gpupdate
    so that I can set a password as garcia for the user robert but it did not work. I did a system reboot then also it did not work.
    I did the same thing for the Default Domains Controller Policy option and still it is not working .
    What should be the correct method to disable this as I am in a test environment and simply want to keep simple passwords. Is there any requirement for system reboot or gpupdate should work and what could be the reason here that it is not working in either of
    the case??
    Thanks
    I noticed that I can't set a number as a password say 65789867 but when I disable the things in default domain policy then I can set the password  but still not the simple text garcia so what I need to edit and where now.
    Also if I need to enable a password policy like the first letter should be capital etc etc then where I can do this customization of password policy
    I can set a normal text as password but not the user's last name as password where I can change this customization. I understand that in production environment its not suggested but just in case where to do the customization??
    Thanks
    Regards

    Hi,
    In my testing environment, gpupdate is enough to make the policy changes take effect.
    Here are a few suggestions for you:
    Please make sure that the Default Domain Policy is link enabled.
    Other than the Password must meet complexity requirements setting, please also disable other ones like Enforce password history, Minimum password length.
    If there is any password policy setting set as Not Defined in Default Domain Policy, please check password policy from Local Security Policy, in which settings could override the Not Defined ones.
    >if I need to enable a password policy like the first letter should be capital etc etc then where I can do this customization of password policy
    You may need to develop scripts to achieve this goal.
    The Official Scripting Guys Forum
    http://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG
    Best Regards,
    Amy

  • Setting a loopback policy setting for Domain Controllers/Preventing IE from accessing externally

    Hello, we need to set a loopback policy for our domain controllers to ensure IE doesn't access externally. Is the loopback the best method, or do you all have recommendations?

    As far as I'm aware, there's not a good Group Policy setting to do this. 
    If I understand your question correctly, you wish to prevent external Internet browsing from your Domain Controllers, but everyone else (other servers and workstations) should have full access.
    If that's the case, I would recommend blocking port 80 for the Domain Controllers in your Firewall, as they (I hope) have static local IP addresses.
    If you know of a good Group Policy setting however, it would be best to set it in the Default Domain Controller Policy, as that will only affect the Domain Controllers.
    The "loopback" policy you're referring to is the "Configure user Group Policy loopback processing mode", which can be used to apply the computer configuration "instead of" or "merged with" the user configuration when
    a user logs on to computers where this policy applies. Since the computer configuration is normally applied before the user configuration, that can be used to force rules on computers regardless of who's logging in.
    Please mark as answer or vote as helpful when it applies. Thanks!

  • Audit Policy setting in GPO

    HI,
    I would like to setup the audit setting for our company which will include mainly the "DS access" category. Also, we would like to disable the success logon / logoff as default and only enable the failure option in order to decrease the size of
    our security log.
    Should all those settings be set in the "Default Domain Policy" GPO or "Default Domain Controller Policy"? Or do we need to set up another GPO for the settings since, as suggested by MS, the "Default Domain Policy" should only contain the
    Password and Lockout policy.
    Thanks,
    Jerald Leung

    Hi Jerald,
    >>I would like to setup the audit setting for our company which will include mainly the "DS access" category.
    According to me, for auditing DS access, we can configure this setting in the default domain controller group policy.
    DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in Active Directory Domain Services (AD DS). These audit events
    are logged only on domain controllers.
    The following article has provided the step-by-step guide for configuring DS access audit settings.
    AD DS Auditing Step-by-Step Guide
    http://technet.microsoft.com/en-us/library/cc731607(v=WS.10).aspx
    Note: Audit events will only be generated on objects with configured system access control lists (SACLs), and only when they are accessed in a manner that matches the SACL
    settings.
    >>we would like to disable the success logon / logoff as default and only enable the failure option in order to decrease the size of our security log.
    Audit "logon events" records logons on the PC(s) targeted by the policy and the results appear in the Security Log on that PC(s).
    If you want to just audit failure logon, you can configure the settings in the default domain policy or configure it in another GPO which links to the domain.
    In addition, we can set the maximum size of security log via group policy. Regarding this point, the following article can be referred to for more information.
    Maximum security log size
    http://technet.microsoft.com/en-us/library/cc776342(v=ws.10).aspx
    Best regards,
    Frank Shen

  • RSOP showing RedX under defined policy

    Hi guys,
    We have basically no auditing on our 2008 R2 Domain Controllers.  It was working fine.  When I get on the DCs and run gpresult /r I can see that the default domain controller GPO is getting applied and is not being filtered.  When I go into
    rsop.msc on the DCs, I can look up auditing and see the correct policy settings coming from the Default Domain Controller policy, but those settings have a red X on them.  An example is
    (Red X)Policy:Audit account logon events     Computer Setting: Success,Failure    Source GPO: Default Domain Controllers Policy
    I know that Group policy auditing can get a lot more granular with 2008R2, but I am getting almost nothing in the daily security logs.  When I do run gpresult /h and output the settings look correct there (no red X). In RSOP, when I do
    go to properties on one Red X settings, it says "the policy engine did not attempt to configure the setting" Any ideas?
    In the winlogon.log it mentions "Legacy audit settings are disabled.  skipped configuration of legacy audit settings"
    This is my guess as to the problem.  We do have an Advanced Audit Configuration setting set and so maybe the legacy policies were ignored.
    As soon as you start applying Advanced Audit Configuration Policy, legacy policies will be completely ignored. The only way to get a Win7/R2 computer to start using legacy policy is to set the security policy “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” to DISABLED. -
    http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx
    Dan Heim

    > I know that Group policy can get a lot more granular with 2008R2, but I
    > am getting almost nothing in the daily security logs.  Any ideas?
    Maybe AskDS can shed some light on that :)
    http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx
    Martin
    Want to read a GOOD book about GPOs for a change?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • Default Domain Policies

    By default, two policies are created when you dcpromo a server: Default Domain Policy, and Default Domain Controllers Policy. These policies should have guids of {31B2F340-016D-11D2-945F-00C04FB984F9} and {31B2F210-016D-11D2-945F-00C04FB981F1} respectively. However, in my 2003 domain, someone had renamed the default domain policy and put a new one named "Default Domain Policy". To make things worse, the Default Domain Controller Policy is missing but a new policy called "Default Domain Controllers Policy" is in its place. I currently have the following:
    Default Domain Policy -> {C0C9ADF5-8E49-499C-87B2-2804931871DA}
    Default Domain Policy - Disabled Original -> {31B2F340-016D-11D2-945F-00C04FB984F9}
    Default Domain Controllers Policy -> {6AC1786C-016F-11D2-945F-00C04fB984F9}
    I do not have backups of the original policies. I suspect the policies have been in this state for at least a year if not longer.
    What is the impact of leaving the policies in their current state?
    Should I attempt to restore the original policies using dcgpofix.exe?
    Will using dcgpofix cause any issues with my Exchange 2003 or SMS 2003 environments?
    Thanks,
    Sean

    Hi,
    The default policies created by the system should be:
    Default Domain Policy
    {31B2F340-016D-11D2-945F-00C04FB984F9}
    Default Domain Controllers Policy
    {6AC1786C-016F-11D2-945F-00C04fB984F9}
    These two policies are built-in policies that define default settings applied to domain users and computers.
    In this issue, I’d like to know whether the original Default Domain Policy is still linked to the domain or not. If yes, it will be OK even though it is renamed.
    Regards,
    Miles Li
    Microsoft Online Community Support
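
An added example for the audit-policy threads above ("Reboot domain controller changes audit policy on Default Domain Controller Policy" and "RSOP showing RedX under defined policy"), not code from any poster or from Microsoft: it parses the text output of `auditpol /get /category:*` and lists the subcategories whose effective setting does not cover what a legacy category setting in the GPO asks for. The sample output, the `LEGACY` expectations and the function names are constructed for illustration, and the category mapping assumes English-language auditpol headings.

```python
import re

# Legacy category policies (names as shown in RSOP/GPMC) mapped to the category
# headings printed by `auditpol /get /category:*` (English output assumed).
LEGACY_TO_CATEGORY = {
    "Audit account logon events": "Account Logon",
    "Audit account management": "Account Management",
    "Audit directory service access": "DS Access",
    "Audit logon events": "Logon/Logoff",
    "Audit object access": "Object Access",
    "Audit policy change": "Policy Change",
    "Audit privilege use": "Privilege Use",
    "Audit process tracking": "Detailed Tracking",
    "Audit system events": "System",
}

# Indented subcategory line: name, two or more spaces, then the setting.
_SETTING = re.compile(
    r"^\s+(?P<sub>.+?)\s{2,}"
    r"(?P<setting>No Auditing|Success and Failure|Success|Failure)\s*$"
)


def parse_auditpol(text):
    """Parse auditpol text output into {category: {subcategory: set of flags}}."""
    policy, category = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        match = _SETTING.match(line)
        if match and category is not None:
            setting = match.group("setting")
            flags = set() if setting == "No Auditing" else set(setting.split(" and "))
            policy[category][match.group("sub")] = flags
        elif not line[0].isspace():
            category = line.strip()  # unindented line: report heading or category
            policy.setdefault(category, {})
    # Headings such as "System audit policy" never collect subcategories: drop them.
    return {cat: subs for cat, subs in policy.items() if subs}


def legacy_gaps(legacy, effective):
    """Return (legacy policy, subcategory, missing flags) for every subcategory
    whose effective setting does not include what the legacy category requests."""
    gaps = []
    for name, wanted in legacy.items():
        category = LEGACY_TO_CATEGORY[name]
        if category not in effective:
            gaps.append((name, "<category not in output>", sorted(wanted)))
            continue
        for sub, have in sorted(effective[category].items()):
            missing = wanted - have
            if missing:
                gaps.append((name, sub, sorted(missing)))
    return gaps


# Constructed sample of `auditpol /get /category:*` output (not from a real DC).
SAMPLE_AUDITPOL = """\
System audit policy
Category/Subcategory                      Setting
Account Logon
  Credential Validation                   Success
  Kerberos Authentication Service         No Auditing
  Kerberos Service Ticket Operations      No Auditing
  Other Account Logon Events              No Auditing
DS Access
  Directory Service Access                Success and Failure
  Directory Service Changes               No Auditing
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
  Account Lockout                         Failure
"""

# Constructed legacy settings, in the style of the RSOP line quoted in the thread.
LEGACY = {
    "Audit account logon events": {"Success", "Failure"},
    "Audit directory service access": {"Success"},
}

if __name__ == "__main__":
    for policy_name, sub, missing in legacy_gaps(LEGACY, parse_auditpol(SAMPLE_AUDITPOL)):
        print(f"{policy_name}: '{sub}' is missing {' and '.join(missing)}")
```

A non-empty result on a DC where RSOP shows the legacy setting as defined is consistent with the legacy categories being skipped in favour of subcategory settings, as described in the thread.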
     
