Windows Group Policy: Deploying Group Policy
- 2/11/2009
Using Default Policies
With Windows 2000 or later, you create a domain by establishing the first domain controller for that domain. This typically means logging on to a stand-alone server as a local administrator, running the Domain Controller Installation Wizard (DCPROMO), and then specifying that you want to establish a new forest or domain. When you establish the domain and the domain controller, two GPOs are created by default:
Default Domain Policy GPO. A GPO created for and linked to the domain within Active Directory. This GPO is used to establish baselines for a selection of policy settings that apply to all users and computers in a domain.
Default Domain Controllers Policy GPO. A GPO created for and linked to the Domain Controllers OU that is applicable to all domain controllers in a domain (as long as they aren’t moved from this OU). This GPO is used to manage security settings for domain controllers in a domain.
These default GPOs are essential to the proper operation and processing of Group Policy. By default, the Default Domain Controllers Policy GPO has the highest precedence among GPOs linked to the Domain Controllers OU, and the Default Domain Policy GPO has the highest precedence among GPOs linked to the domain. As you’ll learn in the sections that follow, the purpose and use of each default GPO is a bit different.
Working with the Default Domain Policy GPO
The Default Domain Policy GPO is a complete policy set that includes settings for managing any area of policy, but it isn’t meant for general management of Group Policy. As a best practice, you should edit the Default Domain Policy GPO only to manage the default Account policies settings and three specific areas of Account policies:
Password policy. Determines default password policies for domain controllers, such as password history and minimum password length settings.
Account lockout policy. Determines default account lockout policies for domain controllers, such as account lockout duration and account lockout threshold.
Kerberos policy. Determines default Kerberos policies for domain controllers, such as maximum tolerance for computer clock synchronization.
To manage other areas of policy, you should create a new GPO and link it to the domain or an appropriate OU within the domain. That said, several policy settings are exceptions to the rule that the Default Domain Policy GPO (or the highest precedence GPO linked to the domain) is used only to manage Account policies. These policies (located in the Group Policy Management Editor under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options) are as follows:
Accounts: Rename Administrator Account. Renames the built-in Administrator account on all computers throughout the domain, setting a new name for the account so that it is better protected from malicious users. Note that this policy affects the logon name of the account, not the display name. The display name remains Administrator or whatever you set it to. If an administrator changes the logon name for this account through Active Directory Users And Computers, it automatically reverts to what is specified in this policy setting the next time Group Policy is refreshed.
Accounts: Administrator Account Status. Forcibly disables the built-in Administrator account on all computers throughout the domain. If you disable the Administrator account, keep in mind that this account is always available when you boot a computer in safe mode.
Accounts: Guest Account Status. Forcibly disables the built-in Guest account on all computers throughout the domain. If you disable the Guest account, keep in mind that network logons will fail if you set the security option Network Access: Sharing And Security Model For Local Accounts to Guest Only.
Accounts: Rename Guest Account. Renames the built-in Guest account on all computers throughout the domain, setting a new name for the built-in Guest account so that it is better protected from malicious users. Note that this policy affects the logon name of the account, not the display name. The display name remains Guest or whatever else you set it to. If an administrator changes the logon name for this account through Active Directory Users And Computers, it automatically reverts to what is specified in this policy setting the next time Group Policy is refreshed.
Network Security: Force Logoff When Logon Hours Expire. Forces users to log off from the domain when logon hours expire. For example, if you set the logon hours as 8 A.M. to 6 P.M. for the user, the user is forced to log off at 6 P.M.
Network Security: Do Not Store LAN Manager Hash Value On Next Password Change. Determines whether at the next password change the LAN Manager hash value for the new password is stored. Because this value is stored locally in the security database, a password could be compromised if the security database was attacked. On Windows Vista and later, this setting is enabled by default. On Windows XP, this setting is disabled by default.
Network Access: Allow Anonymous SID/Name Translation. Determines whether an anonymous user can request security identifier (SID) attributes for another user. If this setting is enabled, a malicious user could use the well-known Administrators SID to obtain the real name of the built-in Administrator account, even if the account has been renamed. If this setting is disabled, computers and applications running in pre–Windows 2000 domains may not be able to communicate with Windows Server 2003 domains. This communication issue specifically applies to the following:
Windows NT 4.0–based Remote Access Service servers
Microsoft SQL Server running on Windows NT 3.x–based or Windows NT 4.0–based computers
Remote Access Service that is running on Windows 2000–based computers that are located in Windows NT 3.x domains or in Windows NT 4.0 domains
SQL Server is running on Windows 2000–based computers that are located in Windows NT 3.x domains or in Windows NT 4.0 domains
Users in Windows NT 4.0 resource domains who want to grant permissions to access files, shared folders, and registry objects to user accounts from account domains that contain Windows Server 2003 domain controllers.
Additionally, certificates stored as policy settings for data recovery agents in the domain are also exceptions. These policies are stored under Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Encrypting File System). You typically manage these policy settings through the GPO that is linked to the domain level and has the highest precedence. As with Account policies, this is the Default Domain Policy GPO by default.
Wondering why configuring policy in this way is a recommended best practice? Well, if Group Policy becomes corrupted and stops working, you can use the Dcgpofix tool to restore the Default Domain Policy GPO to its original state (which would mean that you would lose all the customized settings you’ve applied to this GPO). Further, some policy settings can only be configured at the domain level, and configuring them in the Default Domain Policy GPO (or the highest precedence GPO linked to the domain) makes the most sense.
You can access the Default Domain Policy GPO in several ways. If you are using the GPMC, you’ll see the Default Domain Policy GPO when you click the domain name in the console tree, as shown in Figure 2-3. Right-click the Default Domain Policy node and select Edit to get full access to the Default Domain Policy GPO.
Figure 2-3. Accessing the Default Domain Policy GPO in GPMC.
In the Group Policy Management Editor, under Computer Configuration, expand Policies\Windows Settings\Security Settings\Local Policies as shown in Figure 2-4. You can then work with Audit Policy, User Rights Assignment, and Security Options as necessary.
Figure 2-4. Editing the Default Domain Policy GPO.
Working with the Default Domain Controllers Policy GPO
The Default Domain Controllers Policy GPO is designed to ensure that all domain controllers in a domain have the same security settings. This is important because all domain controllers in an Active Directory domain are equal. If they were to have different security settings, they might behave differently, and this would be counter to the way Active Directory is designed to work. If one domain controller has a specific policy setting, this policy setting should be applied to all domain controllers to ensure consistent behavior across a domain.
The Default Domain Controllers Policy GPO is linked to the Domain Controllers OU. This ensures that it is applicable to all domain controllers in a domain as long as they aren’t moved from this OU. Because all domain controllers are placed in the Domain Controllers OU by default, any security setting changes you make will apply to all domain controllers by default. The key security areas that you should manage consistently include:
Audit policy. Determines default auditing policies for domain controllers.
User rights assignment. Determines default user rights assignment for domain controllers.
Security options. Determines default security options for domain controllers.
Microsoft recommends that you not make any other changes to the Default Domain Controllers Policy GPO. Keep in mind that this GPO applies only to domain controllers because it is linked to the Domain Controllers OU and all domain controllers are members of this OU by default.
Moving a domain controller out of the Domain Controllers OU can adversely affect domain management and can also lead to inconsistent behavior during logon and authentication. Why? When you move a domain controller out of the Domain Controllers OU, the Default Domain Controllers Policy GPO no longer applies unless you’ve linked this GPO to the destination OU. Further, any GPO linked to the destination OU is applied to the domain controller.
Therefore, if you move a domain controller out of the Domain Controllers OU, you should carefully manage its security settings thereafter. For example, if you make security changes to the Default Domain Controllers Policy GPO, you should ensure that those security changes are applied to domain controllers stored in OUs other than the Domain Controllers OU.
You can access the Default Domain Controllers Policy GPO in several ways. If you are using the GPMC, you’ll see the Default Domain Controllers Policy GPO when you click the Domain Controllers node in the console tree. Then right-click the Default Domain Controllers Policy and select Edit to get full access to the Default Domain Controllers Policy GPO.