Ever since I started working with Microsoft Active Directory (AD) in July 2001, I have always wondered what should be configured in the Default Domain Group Policy Object (GPO). A couple of my AD mentors told me what belongs in the Default Domain GPO, and I have parroted their recommendation for years now because I agree with them. I am sure I also read the Best Practices for this GPO somewhere in the past 12 years, but I have never been able to find them again. This morning I finally came across an article from Microsoft that clearly states what the Best Practices are for the Default Domain GPO.
Excuse me while I explain the journey that took me to the article.
I am currently rebuilding my lab to learn all the Microsoft System Center 2012 SP1 stuff. I am using only Server 2012 for all my Virtual Machines (VMs). With all the work I am doing with Server 2012, and since I am also planning on taking the Microsoft Private Cloud certification exams, I decided I needed to take the 70-417 exam (Upgrading Your Skills to MCSA Windows Server 2012). Since I have taken well over 200 certification exams since 1998, I consider myself a professional certification exam taker. The first thing I do when I decide to take an exam is to look at what the vendor says will be on the exam. Citrix and Microsoft call that the Exam Preparation Guide.
The 70-417 exam is an upgrade exam for someone who already holds an earlier MCSA. 70-417 covers the same material as three other exams: 70-410, 70-411 and 70-412. Microsoft offers a 70-417 study guide.
One of the items covered is recovering from a deleted GPO. How do you recover from a deleted (or really screwed up) Default Domain and/or Default Domain Controllers GPO? I haven’t had to recover from a deleted Default Domain GPO since 2005, or from a screwed-up one since 2008. Well, you use the DCGpoFix command-line utility.
Since I am a reader, I read the entire article. Lo and behold, after all these years, I actually saw in writing from Microsoft the Best Practice I had been telling people about. Right there in the first paragraph under Examples:
As a best practice, you should configure the Default Domain Policy GPO only to manage the default Account Policies settings, Password Policy, Account Lockout Policy, and Kerberos Policy.
I cannot count the number of arguments I have had with Windows Admins over this. And wouldn’t you know, my AD mentors have been correct all these years!
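The best practice quoted above is easy to state and easy to drift away from, so here is an added example (not from the original post or from Microsoft) of checking a domain against it. It reads the Default Domain Policy as an XML report and lists anything that is not an Account Policy entry (Password, Account Lockout or Kerberos). It assumes the GroupPolicy module is available (RSAT or a domain controller) and that the report's Security Settings extension carries the account settings as `Account` elements with a `Type` child, which is the layout Get-GPOReport produces. A stock Default Domain Policy also carries a few Security Options entries, so treat the output as a review list rather than a verdict.

```powershell
# Added example: audit the Default Domain Policy against the "account policies only" rule.
# Assumes the GroupPolicy module and read access to the GPO.
Import-Module GroupPolicy

# The only Account entry types the best practice allows in this GPO.
$allowedAccountTypes = @('Password', 'Account Lockout', 'Kerberos')

function Get-ChildText {
    # Return the text of a named child element, ignoring XML namespace prefixes.
    param([System.Xml.XmlElement]$Node, [string]$LocalName)
    ($Node.ChildNodes | Where-Object { $_.LocalName -eq $LocalName }).InnerText
}

function Test-DefaultDomainPolicy {
    param([string]$GpoName = 'Default Domain Policy')

    # Get-GPOReport returns the XML as a string when no -Path is given.
    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
    $findings = @()

    foreach ($sideName in 'Computer', 'User') {
        $side = $report.GPO.$sideName
        if (-not $side.ExtensionData) { continue }   # nothing configured on this side

        foreach ($ext in $side.ExtensionData.Extension) {
            # xsi:type looks like "q1:SecuritySettings", "q2:RegistrySettings", ...
            $type = $ext.GetAttribute('xsi:type')

            if ($type -notlike '*:SecuritySettings') {
                # Registry policy, scripts, folder redirection, preferences and so on
                # belong in a GPO linked to the OU that needs them, not here.
                $findings += "[$sideName] non-account-policy extension: $type"
                continue
            }

            foreach ($child in $ext.ChildNodes) {
                if ($child.LocalName -ne 'Account') {
                    # Audit policy, user rights, security options, restricted groups ...
                    $findings += "[$sideName] security setting outside Account Policies: $($child.LocalName)"
                    continue
                }
                $name = Get-ChildText -Node $child -LocalName 'Name'
                $kind = Get-ChildText -Node $child -LocalName 'Type'
                if ($kind -notin $allowedAccountTypes) {
                    $findings += "[$sideName] unexpected account setting: $name ($kind)"
                }
            }
        }
    }
    return $findings
}

# Usage: an empty result means the GPO holds only account, lockout and Kerberos policy.
$findings = Test-DefaultDomainPolicy
if ($findings.Count -eq 0) { 'Default Domain Policy contains only Account Policies.' }
else { $findings }
```

Running this against the environment described further down would have produced hundreds of lines, which is the point: the settings themselves may be fine, but their location is not. The same function works for the Default Domain Controllers Policy if you pass its name, though that GPO legitimately carries user rights and audit settings, so expect findings there.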
I once did a troubleshooting project for a Citrix XenApp 5 on Server 2003 environment with slow logons. It seems that ever since XenApp 5 had been installed and put into production, EVERY user on the network was experiencing slow logons and many other issues. Naturally, XenApp 5 received the blame. The actual problem? They had put over 800 lockdown configuration settings in the Default Domain GPO!!!! And they wondered why every user on the network was affected!!! Instead of having a separate Organizational Unit (OU) for the XenApp servers, they had put them in the Computers Container (where you cannot directly apply any GPO). They then put all their lockdown settings in the Default Domain GPO, which instantly affected everyone. Here is how we fixed it:
1. Record the Account, Password, Account Lockout and Kerberos policy settings.
2. Create an OU for the XenApp servers.
3. Create a lockdown GPO and link it to the new XenApp servers’ OU.
4. Run DCGpoFix /domain to recreate the Default Domain Policy.
5. Edit the new Default Domain GPO and enter the settings recorded in Step 1.
6. Move the XenApp servers to their new OU.
7. Reboot the XenApp servers (necessary for the move to the new OU to take effect).
8. Troubleshoot and fix any remaining issues.
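The clean-up steps above, written out as an added PowerShell example (not the original post's script; the author did this by hand in 2003-era tooling). It assumes the ActiveDirectory and GroupPolicy modules, Domain Admin rights, and that it runs on a domain controller, since dcgpofix only runs there. The backup path, the OU and GPO names, the domain DN and the server list are placeholders. The script uses the documented `/target:Domain` switch form of dcgpofix, which the post abbreviates as `/domain`. Step 5 stays a manual GPMC edit: the full GPO backup from Step 1 would put all 800 lockdown settings straight back if imported, so only the recorded values are shown for re-entry, and the script verifies them afterwards.

```powershell
# Added example: the eight clean-up steps as a script. Placeholders are marked.
# Assumes ActiveDirectory + GroupPolicy modules, Domain Admin, and a domain controller.
Import-Module ActiveDirectory, GroupPolicy

$DomainDN    = 'DC=contoso,DC=com'                     # placeholder
$BackupPath  = 'C:\GPO-Backup'                         # placeholder
$XenAppOU    = "OU=XenApp Servers,$DomainDN"           # placeholder
$LockdownGpo = 'XenApp Lockdown'                       # placeholder
$XenAppHosts = @('XENAPP01', 'XENAPP02')               # placeholder
$DefaultGpo  = 'Default Domain Policy'

# Step 1: record the current settings. The GPO backup keeps everything that is in the
# GPO today; the HTML report and the password/lockout export are for re-entry and for
# the comparison in Step 8. Kerberos policy values are readable in the HTML report.
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
Backup-GPO -Name $DefaultGpo -Path $BackupPath | Out-Null
Get-GPOReport -Name $DefaultGpo -ReportType Html -Path "$BackupPath\DefaultDomainPolicy-before.html"
$before = Get-ADDefaultDomainPasswordPolicy
$before | Export-Clixml "$BackupPath\PasswordAndLockout-before.xml"

# Step 2: an OU the XenApp servers can have a GPO linked to (the Computers container cannot).
New-ADOrganizationalUnit -Name 'XenApp Servers' -Path $DomainDN -ProtectedFromAccidentalDeletion $true

# Step 3: the lockdown GPO, linked to the new OU. The 800+ lockdown settings go in here,
# scoped to the servers that need them, instead of in the Default Domain Policy.
New-GPO -Name $LockdownGpo | New-GPLink -Target $XenAppOU -LinkEnabled Yes | Out-Null

# Step 4: recreate the Default Domain Policy. This is destructive: every setting in that
# GPO is discarded, which is why Step 1 comes first.
dcgpofix /target:Domain

# Step 5: re-enter the recorded Account Policies by editing the new GPO in GPMC.
# The recorded password and lockout values are shown here for reference; take the
# Kerberos values from the HTML report saved in Step 1.
$before | Format-List MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, MinPasswordAge,
    ComplexityEnabled, ReversibleEncryptionEnabled, LockoutThreshold, LockoutDuration, LockoutObservationWindow
Read-Host "Edit '$DefaultGpo' in gpmc.msc, re-enter the Account Policies above, then press Enter"
gpupdate /force | Out-Null     # let this DC apply the rebuilt GPO before checking it

# Step 6: move the XenApp servers out of the Computers container.
foreach ($h in $XenAppHosts) {
    Get-ADComputer -Identity $h | Move-ADObject -TargetPath $XenAppOU
}

# Step 7: reboot them so the computer accounts pick up the new OU and its linked GPO.
Restart-Computer -ComputerName $XenAppHosts -Force -Wait

# Step 8: verify before troubleshooting anything else. Any difference here means a
# value from Step 1 was not re-entered correctly in Step 5.
$after = Get-ADDefaultDomainPasswordPolicy
$props = 'MinPasswordLength', 'PasswordHistoryCount', 'MaxPasswordAge', 'MinPasswordAge',
         'ComplexityEnabled', 'ReversibleEncryptionEnabled', 'LockoutThreshold',
         'LockoutDuration', 'LockoutObservationWindow'
$diff = Compare-Object -ReferenceObject $before -DifferenceObject $after -Property $props
if ($diff) { Write-Warning 'Account Policies differ from the recorded values:'; $diff }
else { 'Account Policies match the values recorded in Step 1.' }

# On one of the moved servers, gpresult /scope computer /r should now list the
# lockdown GPO as applied and the Default Domain Policy with only its account settings.
```

The order matters more than the commands: backing up before dcgpofix, and creating the OU and lockdown GPO before moving the servers, means there is never a moment where the servers are unprotected or the domain's password policy is unknown.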
Projects like this are where I get the material for my “10 Things in AD…” presentations. This is also why studying for certification exams can be beneficial. Now I have proof I am correct in what I tell people should go in the Default Domain GPO.