Microsoft Windows Server 2008 R2 SP1 x64 new domain Default Domain Policy defaults

Cerulean

Greetings,

Because nobody else has done it, and I know there are many out there who have tried to find this kind of information but were unsuccessful, or did not have the time or resources available to spin up a VM to "quickly" set up a new test domain just to get this info... I hereby present you a report of the defaults for Default Domain Policy and Default Domain Controller Policy:

 
Yeah, I never ever change the default GPOs.
Always create new ones and link them in the originals' place so you can fall back.
 
Thanks for the post. I am sure someone has messed up before and been without the defaults. This will help them out by time.

Then of course they will hopefully do what others in this thread have mentioned to prevent the issue from occurring again.
 
Some people may not be comfortable running that on a live production system.
Fair enough, but if you're at this point - you're kinda screwed. :) Even Microsoft's own documentation clearly indicates it is the option of last resort.

But two flaws in both of our plans that I found:

1) dcgpofix and your hard copy won't restore the EFS recovery certificate in the event that it is nuked.
2) The hard copy doesn't document delegations.

These are two things that I found when I started intentionally mucking around with the default GPOs... gotta say, never did that before. :)

Using the built-in GPO backup utility is pretty simple and it even keeps track of versions of the same GPO - it simply works. In fact, it is what I used each time to recover whatever I did to my defaults during this experiment. Also something that I've never had to do in production. This is the best (only?) option to go with.

Anyway - good luck.
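
One way to script the backup approach discussed above, as an added example that is not from any poster in this thread: it backs up both default GPOs, saves an HTML settings report, and exports the delegations that a hard copy misses. It assumes the GroupPolicy PowerShell module that ships with GPMC on Windows Server 2008 R2; the `C:\GPOBackups` path and the output file names are assumptions.

```powershell
# Added example: baseline backup of the two default GPOs.
# Run from a machine with GPMC installed, as an account that can read the GPOs.
Import-Module GroupPolicy

# Assumption: backup root; each run gets its own timestamped folder.
$root  = 'C:\GPOBackups'
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $root $stamp
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Well-known GUIDs of the default GPOs (the same in every domain).
$defaults = @{
    'Default Domain Policy'             = '31B2F340-016D-11D2-945F-00C04FB984F9'
    'Default Domain Controllers Policy' = '6AC1786C-016D-11D2-945F-00C04FB984F9'
}

foreach ($name in $defaults.Keys) {
    $guid = [guid]$defaults[$name]
    $safe = $name -replace '\s', '_'

    # GPO backup that Restore-GPO or the GPMC console can restore later.
    $backup = Backup-GPO -Guid $guid -Path $dest -Comment "Baseline $stamp"

    # Human-readable "hard copy" of the settings.
    Get-GPOReport -Guid $guid -ReportType Html -Path (Join-Path $dest "$safe.html")

    # Delegations: who holds which permission on the GPO.
    Get-GPPermissions -Guid $guid -All |
        Select-Object @{n = 'Trustee';     e = { $_.Trustee.Name }},
                      @{n = 'TrusteeType'; e = { $_.Trustee.SidType }},
                      Permission, Inherited |
        Export-Csv -Path (Join-Path $dest "$safe-delegation.csv") -NoTypeInformation

    # Record the backup id; Restore-GPO needs it together with the folder path.
    '{0}: backup id {1} in {2}' -f $name, $backup.Id, $dest
}
```

To roll back, pass the printed id and folder to `Restore-GPO -BackupId <id> -Path <folder>`.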
 