I’m sometimes asked what the best practice is surrounding the Default Domain Policy and Default Domain Controllers Policy. Microsoft has some good guidance on this topic, but it’s not always clearly and consistently stated. Here’s a quick Q&A that might help.
Q. Is it ok to make changes to the DDP and DDCP GPOs, or should I leave them alone and create new policies?
A. The best practice recommendation from Microsoft is as follows:
- · To accommodate APIs from previous versions of the operating system that make changes directly to default GPOs, changes to the following security policy settings must be made directly in the Default Domain Policy GPO or in the Default Domain Controllers Policy GPO:
- · Default Domain Security Policy Settings:
- o Password Policy
- o Domain Account Lockout Policy
- o Domain Kerberos Policy
- · Default Domain Controller Security Policy Settings:
- o User Rights Assignment Policy
- o Audit Policy
Source: Best Practice Guide for Securing Active Directory Installations (https://technet.microsoft.com/en-us/library/cc773164(v=ws.10).aspx)
So, that’s it! If you want to apply other settings at the domain root level or to the Domain Controllers OU then you should create new GPOs and link them to the appropriate scope of management. The ordering of the GPOs shouldn’t really matter as you should have no overlapping settings. As a general rule of thumb, however, I would recommend assigning any new GPOs a higher precedence in case someone starts using the default GPOs for settings that are not on the “approved” list above. That way the new GPOs will win in any conflict.
Another reason to limit the settings in the default GPOs is to allow them to be re-created with minimal re-work in scenarios where they have gone missing or are corrupt and you don’t have a good backup. The method by which you can re-create the GPOs is using a tool called DCGPOFIX.EXE (https://technet.microsoft.com/en-us/library/hh875588.aspx). Bear in mind that this tool is a last resort following a major issue or disaster and you should really ensure you have good GPO backups, as per this article:
If you are in a disaster recovery scenario and you do not have any backed up versions of the Default Domain Policy or the Default Domain Controller Policy, you may consider using the Dcgpofix tool. If you use the Dcgpofix tool, Microsoft recommends that as soon as you run it, you review the security settings in these GPOs and manually adjust the security settings to suit your requirements. A fix is not scheduled to be released because Microsoft recommends you use GPMC to back up and restore all GPOs in your environment. The Dcgpofix tool is a disaster-recovery tool that will restore your environment to a functional state only. It is best not to use it as a replacement for a backup strategy using GPMC. It is best to use the Dcgpofix tool only when a GPO back up for the Default Domain Policy and Default Domain Controller Policy does not exist.
Q. We have disabled our DDP and DDCP GPOs and replaced them with new GPOs. Is that OK?
A. No, that’s not ok. The GPOs have a fixed GUID and can be targeted directly using these by the “legacy APIs” mentioned above.
31b2f340-016d-11d2-945f-00c04fb984f9: Default Domain Policy
6ac1786c-016f-11d2-945f-00c04fb984f9: Default Domain Controllers Policy
One well known application that directly modifies the Default Domain Controllers Policy is Microsoft Exchange. The installer adds the Exchange Servers group to the “Manage Auditing and Security Log” User Right (also referred to as SACL right). So, if you disable or unlink the GPO this right (and potentially others like it) it will go missing and will cause problems for Exchange.
Q. Is it OK to rename the DDP and DDCP GPOs?
A. If you feel you must do this I don’t believe it will have any impact, other than it might confuse people when they look for them. I’ve seen some customers rename the GPOs to align them with their in-house naming convention. As mentioned above, these GPOs are targeted using their well-known GUIDs, which is why the rename shouldn’t cause an issue.
You can find the renamed GPOs quite easily using the Group Policy cmdlets, e.g.
# Find the Default Domain Policy
Get-GPO -Guid 31b2f340-016d-11d2-945f-00c04fb984f9
# Find the Default Domain Controllers Policy
Get-GPO -Guid 6ac1786c-016f-11d2-945f-00c04fb984f9
Use the default GPOs for the approved specific purposes only. If you have other settings you need for the same scope of management, create new GPOs and link them with higher precedence than the default GPOs. Under no circumstances should you disable or unlink the GPOs. If you rename the default GPOs there should be no impact, but your mileage may vary.
Thanks for this post, interesting. I’d never seen this best practice before.
Also the link to the Guide for Securing AD installations does not work, but I found the article via a search. https://technet.microsoft.com/en-us/library/cc773164%28v=ws.10%29.aspx
https://technet.microsoft.com/en-us/library/dd378987%28v=ws.10%29.aspx this link (Updating the default domain policy GPO and the default domain controlles policy GPO) muddies the waters a bit as it recommends using the default domain policy for Audit Policy, User Rights, Security Options and Event Log Policies. Though it does also say that User Rights and Audit must be made to the default GPO..