Using Default Policies

With Windows 2000 or later, you create a domain by establishing the first domain controller for that domain. This typically means logging on to a stand-alone server as a local administrator, running the Domain Controller Installation Wizard (DCPROMO), and then specifying that you want to establish a new forest or domain. When you establish the domain and the domain controller, two GPOs are created by default:
These default GPOs are essential to the proper operation and processing of Group Policy. By default, the Default Domain Controllers Policy GPO has the highest precedence among GPOs linked to the Domain Controllers OU, and the Default Domain Policy GPO has the highest precedence among GPOs linked to the domain. As you’ll learn in the sections that follow, the purpose and use of each default GPO is a bit different.

Working with the Default Domain Policy GPO

The Default Domain Policy GPO is a complete policy set that includes settings for managing any area of policy, but it isn’t meant for general management of Group Policy. As a best practice, you should edit the Default Domain Policy GPO only to manage the default Account policies settings and three specific areas of Account policies:
To manage other areas of policy, you should create a new GPO and link it to the domain or an appropriate OU within the domain. That said, several policy settings are exceptions to the rule that the Default Domain Policy GPO (or the highest precedence GPO linked to the domain) is used only to manage Account policies. These policies (located in the Group Policy Management Editor under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options) are as follows:
Additionally, certificates stored as policy settings for data recovery agents in the domain are also exceptions. These policies are stored under Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Encrypting File System. You typically manage these policy settings through the GPO that is linked to the domain level and has the highest precedence. As with Account policies, this is the Default Domain Policy GPO by default.

Wondering why configuring policy in this way is a recommended best practice? Well, if Group Policy becomes corrupted and stops working, you can use the Dcgpofix tool to restore the Default Domain Policy GPO to its original state (which means that you would lose all the customized settings you’ve applied to this GPO). Further, some policy settings can only be configured at the domain level, and configuring them in the Default Domain Policy GPO (or the highest precedence GPO linked to the domain) makes the most sense.

You can access the Default Domain Policy GPO in several ways. If you are using the GPMC, you’ll see the Default Domain Policy GPO when you click the domain name in the console tree, as shown in Figure 2-3. Right-click the Default Domain Policy node and select Edit to get full access to the Default Domain Policy GPO.

Figure 2-3. Accessing the Default Domain Policy GPO in GPMC.

In the Group Policy Management Editor, under Computer Configuration, expand Policies\Windows Settings\Security Settings\Local Policies, as shown in Figure 2-4. You can then work with Audit Policy, User Rights Assignment, and Security Options as necessary.

Figure 2-4. Editing the Default Domain Policy GPO.

Working with the Default Domain Controllers Policy GPO

The Default Domain Controllers Policy GPO is designed to ensure that all domain controllers in a domain have the same security settings. This is important because all domain controllers in an Active Directory domain are equal.
If they were to have different security settings, they might behave differently, and this would be counter to the way Active Directory is designed to work. If one domain controller has a specific policy setting, this policy setting should be applied to all domain controllers to ensure consistent behavior across a domain. The Default Domain Controllers Policy GPO is linked to the Domain Controllers OU. This ensures that it applies to all domain controllers in a domain as long as they aren’t moved out of this OU. Because all domain controllers are placed in the Domain Controllers OU by default, any security setting changes you make to this GPO will apply to all domain controllers. The key security areas that you should manage consistently include:
Microsoft recommends that you not make any other changes to the Default Domain Controllers Policy GPO. Keep in mind that this GPO applies only to domain controllers because it is linked to the Domain Controllers OU and all domain controllers are members of this OU by default. Moving a domain controller out of the Domain Controllers OU can adversely affect domain management and can also lead to inconsistent behavior during logon and authentication. Why? When you move a domain controller out of the Domain Controllers OU, the Default Domain Controllers Policy GPO no longer applies unless you’ve linked this GPO to the destination OU. Further, any GPO linked to the destination OU is applied to the domain controller. Therefore, if you move a domain controller out of the Domain Controllers OU, you should carefully manage its security settings thereafter. For example, if you make security changes to the Default Domain Controllers Policy GPO, you should ensure that those security changes are also applied to domain controllers stored in OUs other than the Domain Controllers OU.

You can access the Default Domain Controllers Policy GPO in several ways. If you are using the GPMC, you’ll see the Default Domain Controllers Policy GPO when you click the Domain Controllers node in the console tree. Then right-click the Default Domain Controllers Policy and select Edit to get full access to the Default Domain Controllers Policy GPO.

How long does it take for a GPO to take effect?

When you make a change to a group policy, you may need to wait up to two hours (the 90-minute refresh interval plus a random offset of up to 30 minutes) before you see any changes on the client computers. Even then, some changes will not take effect until after a reboot of the computer.
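The two sections above make three operational points: the Default Domain Policy GPO should hold the highest precedence at the domain and the Default Domain Controllers Policy GPO the highest precedence at the Domain Controllers OU, a domain controller moved out of that OU silently stops receiving the latter, and a Dcgpofix reset discards every customized setting in the GPO it rebuilds. The following script, an added example that is not part of the original text, checks the first two points and takes a backup before any reset. It assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules, a session with domain administrator rights, and `C:\GPOBackups` as a placeholder backup location.

```powershell
# Added example (not from the original text): health check and backup of the two default GPOs.
# Assumptions: RSAT ActiveDirectory and GroupPolicy modules, a domain admin session,
# and C:\GPOBackups as a placeholder backup directory.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain     = Get-ADDomain
$domainDn   = $domain.DistinguishedName
$dcOuDn     = $domain.DomainControllersContainer   # e.g. OU=Domain Controllers,DC=example,DC=com
$backupRoot = 'C:\GPOBackups'

function Test-TopLink {
    # Returns $true when the named GPO is the enabled link with Order 1 (highest precedence) at $Target.
    param([string]$Target, [string]$GpoName)
    $top = (Get-GPInheritance -Target $Target).GpoLinks | Where-Object { $_.Order -eq 1 }
    return ($null -ne $top -and $top.DisplayName -eq $GpoName -and $top.Enabled)
}

# 1. Precedence of the two default GPOs at the scopes the text describes.
$checks = @(
    [pscustomobject]@{ Scope = $domainDn; Gpo = 'Default Domain Policy' }
    [pscustomobject]@{ Scope = $dcOuDn;   Gpo = 'Default Domain Controllers Policy' }
)
foreach ($c in $checks) {
    $ok = Test-TopLink -Target $c.Scope -GpoName $c.Gpo
    '{0,-4} {1} has highest precedence at {2}' -f ($(if ($ok) { 'OK' } else { 'WARN' }), $c.Gpo, $c.Scope)
}

# 2. A domain controller whose computer object sits outside the Domain Controllers OU no longer
#    receives the Default Domain Controllers Policy GPO unless that GPO was re-linked to its new OU.
$strays = Get-ADDomainController -Filter * | Where-Object { $_.ComputerObjectDN -notlike "*,$dcOuDn" }
if ($strays) {
    'WARN domain controllers outside the Domain Controllers OU:'
    $strays | ForEach-Object { '     {0} -> {1}' -f $_.HostName, $_.ComputerObjectDN }
} else {
    'OK   all domain controllers are in the Domain Controllers OU'
}

# 3. Back up both default GPOs before any reset. Backup-GPO returns a backup object whose Id
#    Restore-GPO can use later; the HTML report keeps a readable copy of the current settings.
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null
foreach ($name in 'Default Domain Policy', 'Default Domain Controllers Policy') {
    $b = Backup-GPO -Name $name -Path $backupRoot -Comment "Pre-dcgpofix backup $(Get-Date -Format s)"
    Get-GPOReport -Name $name -ReportType Html -Path (Join-Path $backupRoot "$($name -replace ' ', '').html")
    "OK   backed up '{0}' (backup id {1})" -f $b.DisplayName, $b.Id
}

# Only once the backups exist is a reset safe. Dcgpofix targets: Domain, DC or Both.
#   dcgpofix /target:Domain
# To bring the customized version back afterwards:
#   Restore-GPO -Name 'Default Domain Policy' -Path $backupRoot
```

The reset itself is left commented out on purpose: run the script first, confirm the backup lines, and only then issue `dcgpofix` for the scope you actually need to rebuild. Restore-GPO with `-Name` and `-Path` picks the most recent backup of that GPO in the directory.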
How does GPO processing work?

Each GPO is linked to an Active Directory container to which the computer or user belongs. By default, the system processes the GPOs in the following order: local, site, domain, then organizational unit. Therefore, when settings conflict, the computer or user receives the policy settings of the last Active Directory container processed.
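To make the domain-then-OU part of that order visible for one machine, the following function, an added example that is not part of the original text, walks a computer's distinguished name from the domain root down to its own OU and lists the linked GPOs in the order they are processed. Local and site-linked GPOs are outside the walk. It assumes the RSAT ActiveDirectory and GroupPolicy modules and uses `PC01` as a placeholder computer name.

```powershell
# Added example (not from the original text): list the GPOs a computer receives from the domain
# and its OU chain, in processing order, so the last container processed is easy to see.
# Local and site-linked GPOs are not covered. Assumptions: RSAT ActiveDirectory and GroupPolicy
# modules; 'PC01' is a placeholder computer name.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoProcessingOrder {
    param([Parameter(Mandatory)][string]$ComputerName)

    $domainDn = (Get-ADDomain).DistinguishedName
    $dn       = (Get-ADComputer -Identity $ComputerName).DistinguishedName

    # Walk the parent chain from the computer's own container up to the domain root.
    # Splitting at the first comma assumes no escaped commas inside an RDN.
    $containers = New-Object 'System.Collections.Generic.List[string]'
    $parent = ($dn -split ',', 2)[1]
    while ($parent -ne $domainDn) {
        # Only OUs can carry GPO links; default CN= containers such as CN=Computers cannot.
        if ($parent -like 'OU=*') { $containers.Add($parent) }
        $parent = ($parent -split ',', 2)[1]
    }
    $containers.Add($domainDn)
    $containers.Reverse()    # processing order: domain first, nearest OU last

    $step = 0
    foreach ($container in $containers) {
        $inheritance = Get-GPInheritance -Target $container
        # Within one container, link order 1 has the highest precedence and is applied last,
        # so the processing order inside the container is descending link order.
        foreach ($link in ($inheritance.GpoLinks | Sort-Object Order -Descending)) {
            $step++
            [pscustomobject]@{
                Step             = $step
                Container        = $container
                GPO              = $link.DisplayName
                Enabled          = $link.Enabled
                Enforced         = $link.Enforced
                BlockInheritance = $inheritance.GpoInheritanceBlocked
            }
        }
    }
}

# Later steps override earlier ones on conflicting settings; an Enforced link and
# Block Inheritance on an OU are the two exceptions to that simple rule.
Get-GpoProcessingOrder -ComputerName 'PC01' | Format-Table -AutoSize
```

The Enforced and BlockInheritance columns are included because they are the two settings that change the plain "last container wins" outcome: an enforced link from a parent container cannot be overridden by a child, and an OU that blocks inheritance drops every non-enforced link above it.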
What is the function of GPO?

It essentially provides a centralized place for administrators to manage and configure operating systems, applications, and users' settings. Group Policies, when used correctly, can enable you to increase the security of users' computers and help defend against both insider threats and external attacks.
What does GPO status enabled mean?

A GPO link with the Enabled status means that this policy has been assigned and its settings are applied to all nested objects (OUs, computers, and users). You can manage GPOs and their links in the domain with the graphical Group Policy Management snap-in.