Microsoft Windows Server 2008 R2 SP1 x64 new domain Default Domain Policy defaults

Discussion in 'Networking & Security' started by Cerulean, Mar 16, 2014.

  1. Cerulean ([H]ardForum Junkie; Messages: 9,236; Joined: Jul 27, 2006)

    Greetings,

    Because nobody else has done it, and I know there are many out there who have tried to find this kind of information but were unsuccessful or didn't have the time or resources available to spin up a VM to "quickly" set up a new test domain just to get this info... I hereby present you a report of the defaults for Default Domain Policy and Default Domain Controller Policy:

     
  2. /usr/home ([H]ardness Supreme; Messages: 6,166; Joined: Mar 18, 2008)

    Or just not change the defaults and create a new linked one.
     
  3. dbwillis ([H]ardness Supreme; Messages: 7,294; Joined: Jul 9, 2002)

    Yeah, I never ever change the default GPOs.
    Always create new ones and link them in the original's place so you can fall back.
     
  4. Soldier101 (Gawd; Messages: 621; Joined: Jan 8, 2002)

    Thanks for the post. I am sure someone has messed up before and been without the defaults. This will help them out.

    Then of course they will hopefully do what others in this thread have mentioned to prevent the issue from occurring again
     
  5. Crystal Gaol ([H]Lite; Messages: 88; Joined: Mar 11, 2014)

    You can also just use DCGPOFix. Already baked into the operating system.
     
  6. Cerulean ([H]ardForum Junkie; Messages: 9,236; Joined: Jul 27, 2006)

    Some people may not be comfortable running that on a live production system.
     
  7. Crystal Gaol ([H]Lite; Messages: 88; Joined: Mar 11, 2014)

    Fair enough, but if you're at this point - you're kinda screwed. :) Even Microsoft's own documentation clearly indicates it is the option of last resort.

    But two flaws in both of our plans that I found:

    1) dcgpofix and your hard copy won't restore the EFS recovery certificate in the event that it is nuked.
    2) The hard copy doesn't document delegations.

    These are two things that I found when I started intentionally mucking around with the default GPOs... gotta say, never did that before. :)

    Using the built-in GPO backup utility is pretty simple and it even keeps track of versions of the same GPO - it simply works. In fact, it is what I used each time to recover whatever I did to my defaults during this experiment. Also something that I've never had to do in production. This is the best (only?) option to go with.

    Anyway - good luck.
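The advice in this thread amounts to three practices: leave the two default GPOs alone and put custom settings in a new GPO linked at the domain root (posts 2 and 3), keep versioned backups of the defaults with the built-in GPO backup utility (post 7), and keep dcgpofix as the last resort (posts 5 and 7). The following script is an added example written for this page, not code posted by anyone in the thread. It uses the GroupPolicy and ActiveDirectory PowerShell modules (RSAT/GPMC), and the backup path `C:\GPOBackups` and the GPO name `Domain Custom Baseline` are assumed placeholders. Because a GPO backup does not produce a readable record of delegations, it also writes the GPO permissions to a CSV next to each backup, which addresses the second flaw post 7 points out.

```powershell
# Added example, not from the thread: back up, document and restore the default GPOs,
# and add a separately linked GPO instead of editing the defaults.
# Assumes the GroupPolicy + ActiveDirectory modules and a domain-admin-equivalent account.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$BackupRoot = 'C:\GPOBackups'                           # assumed path, adjust to taste
$Defaults   = @('Default Domain Policy', 'Default Domain Controllers Policy')
$DomainDN   = (Get-ADDomain).DistinguishedName

function Backup-DefaultGpos {
    # Backs up both default GPOs; every run is kept as its own versioned backup
    # under $Path, which is what post 7 relies on for rollback.
    param([string]$Path = $BackupRoot)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $stamp = Get-Date -Format 'yyyy-MM-dd_HHmm'
    foreach ($name in $Defaults) {
        $safe = $name -replace ' ', '_'
        $backup = Backup-GPO -Name $name -Path $Path -Comment "Baseline $stamp"
        # Human-readable copy of the settings, useful for diffing against a later state
        Get-GPOReport -Name $name -ReportType Html -Path (Join-Path $Path "${safe}_$stamp.html")
        # Delegations are not visible in the HTML report, so record them separately
        Get-GPPermission -Name $name -All |
            Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, Permission, Inherited |
            Export-Csv -NoTypeInformation -Path (Join-Path $Path "${safe}_${stamp}_permissions.csv")
        $backup   # emit the backup object (Id, GpoId, CreationTime) to the pipeline
    }
}

function Restore-DefaultGpo {
    # Restores the most recent backup of the named default GPO from $Path.
    # Note from post 7: this brings back settings and permissions, not an EFS
    # recovery certificate that was deleted from the policy.
    param(
        [Parameter(Mandatory)][ValidateSet('Default Domain Policy', 'Default Domain Controllers Policy')]
        [string]$Name,
        [string]$Path = $BackupRoot
    )
    Restore-GPO -Name $Name -Path $Path
}

function New-LinkedDomainGpo {
    # Creates a new GPO and links it at the domain root with link order 1, so it
    # takes precedence over the Default Domain Policy without touching it.
    param([Parameter(Mandatory)][string]$Name)
    New-GPO -Name $Name -Comment 'Custom domain settings; default GPOs left untouched' | Out-Null
    New-GPLink -Name $Name -Target $DomainDN -LinkEnabled Yes -Order 1 | Out-Null
    # Show the resulting link order at the domain root for verification
    (Get-GPInheritance -Target $DomainDN).GpoLinks | Select-Object Order, DisplayName, Enabled
}

# Usage: take a baseline before any change, then work in a new linked GPO.
Backup-DefaultGpos | Format-Table Id, GpoId, CreationTime
New-LinkedDomainGpo -Name 'Domain Custom Baseline'      # assumed GPO name

# Rollback path when a default GPO is broken:
#   Restore-DefaultGpo -Name 'Default Domain Policy'
# Last resort only, as the thread notes (rebuilds both defaults from scratch):
#   dcgpofix /target:Both
```

Run `Backup-DefaultGpos` on a schedule or before every GPO change; `Get-GPO -Name 'Default Domain Policy' | Get-GPOReport -ReportType Html` against the saved HTML file is enough to see what drifted before deciding between a `Restore-GPO` and a targeted manual fix.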