Default Domain Group Policy – What Should Be Configured?

Ever since I started working with Microsoft Active Directory (AD) in July 2001, I have always wondered what should be configured in the Default Domain Group Policy Object (GPO).  I have had a couple of my AD mentors tell me what should be in the Default Domain GPO and I have parroted their recommendation for years now because I agree with them.  I am sure I also read somewhere in the past 12 years the Best Practices for this GPO but just have never been able to find it.  This morning I finally came across an article from Microsoft that clearly states what the Best Practices are for the Default Domain GPO.

Excuse me while I explain the journey that took me to the article.

I am currently rebuilding my lab to learn all the Microsoft System Center 2012 SP1 stuff.  I am using only Server 2012 for all my Virtual Machines (VMs).  With all the work I am doing with Server 2012 and since I am also planning on taking the Microsoft Private Cloud certification exams, I decided I needed to take the 70-417 exam (Upgrading your Skills to MCSA Windows Server 2012).  Since I have taken well over 200 certification exams since 1998, I consider myself a professional certification exam taker.  The first thing I do when I decide to take an exam is to look at what the vendor says will be on the exam.  Citrix and Microsoft call that the Exam Preparation Guide.

The 70-417 exam is an upgrade exam for someone who already holds an earlier MCSA.  70-417 covers the same material as three other exams: 70-410, 70-411 and 70-412.  Microsoft offers a 70-417 study guide.

One of the items to be covered is recovering from a deleted GPO.  How do you recover a deleted (or a really screwed-up) Default Domain and/or Default Domain Controllers GPO?  I haven’t had to recover from a deleted Default Domain GPO since 2005 or from a screwed-up one since 2008.  Well, you use the DCGpoFix command line utility.

Since I am a reader, I read the entire article.  Lo and behold, after all these years, I actually saw in writing from Microsoft the Best Practice I had been telling people about all these years.  Right there in the first paragraph under Examples:

As a best practice, you should configure the Default Domain Policy GPO only to manage the default Account Policies settings, Password Policy, Account Lockout Policy, and Kerberos Policy.

I cannot count the number of arguments I have had with Windows Admins over this.  And wouldn’t you know, my AD mentors have been correct all these years! 🙂

I once did a troubleshooting project for a Citrix XenApp 5 on Server 2003 environment for slow logons.  It seems ever since XenApp 5 had been installed and put into production, EVERY user on the network was experiencing slow logons and many other issues.  Naturally, of course, XenApp 5 received the blame.  The actual problem?  They had put over 800 lockdown configuration settings in the Default Domain GPO!!!!  And they wondered why every user on the network was affected!!!  Instead of having a separate Organizational Unit (OU) for the XenApp servers, they put them in the Computers Container (where you cannot directly apply any GPO).  They then put all their lockdown settings in the Default Domain GPO which instantly affected everyone.

The fix?

  1. Record the Account, Password, Account Lockout and Kerberos policy settings,
  2. Create an OU for the XenApp servers,
  3. Create a lockdown GPO and link it to the new XenApp server’s OU,
  4. Run DCGpoFix /domain to recreate the Default Domain policy,
  5. Edit the new Default Domain GPO and enter the recorded settings from Step 1 above,
  6. Move the XenApp servers to their new OU,
  7. Reboot the XenApp servers (necessary to effect the move to the new OU), and then
  8. Troubleshoot and fix remaining issues.
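
Steps 1 through 7 above, sketched in PowerShell as an added example (this is not the script used on that project). The backup folder, OU name, GPO name and server name filter are hypothetical, and it assumes the GroupPolicy and ActiveDirectory modules on a domain controller.

```powershell
# Added example; run elevated on a domain controller as a Domain Admin.
Import-Module GroupPolicy, ActiveDirectory

# Hypothetical values for illustration; change them for your environment.
$BackupDir    = 'C:\GPOBackup'
$OuName       = 'XenApp Servers'
$LockdownGpo  = 'XenApp Lockdown'
$ServerFilter = 'Name -like "XA*"'      # assumed server naming convention

$ddp    = 'Default Domain Policy'
$domain = Get-ADDomain
$props  = 'MinPasswordLength','PasswordHistoryCount','MaxPasswordAge','MinPasswordAge',
          'ComplexityEnabled','ReversibleEncryptionEnabled','LockoutThreshold',
          'LockoutDuration','LockoutObservationWindow'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Step 1: restorable backup, readable report of every configured setting, and a
# snapshot of the effective password and lockout values for later comparison.
Backup-GPO -Name $ddp -Path $BackupDir -Comment 'Before dcgpofix' | Out-Null
Get-GPOReport -Name $ddp -ReportType Html -Path (Join-Path $BackupDir 'DDP-before.html')
$before = Get-ADDefaultDomainPasswordPolicy

# Steps 2 and 3: dedicated OU with the lockdown GPO linked to it. The lockdown
# settings are then entered in this GPO, not in the Default Domain GPO.
$ou = New-ADOrganizationalUnit -Name $OuName -Path $domain.DistinguishedName -PassThru
New-GPO -Name $LockdownGpo | New-GPLink -Target $ou.DistinguishedName | Out-Null

# Step 4: reset only the Default Domain Policy (dcgpofix asks for confirmation).
dcgpofix /target:Domain

# Step 5 is done by hand in the Group Policy Management Editor using the report.
Read-Host 'Re-enter the recorded Account Policies, run gpupdate, then press Enter'
$after = Get-ADDefaultDomainPasswordPolicy
$drift = $props | Where-Object { $before.$_ -ne $after.$_ }
if ($drift) { Write-Warning "Values differ from the recorded ones: $($drift -join ', ')" }

# Step 6: move the servers out of the default Computers container.
$servers = Get-ADComputer -Filter $ServerFilter -SearchBase $domain.ComputersContainer
$servers | Move-ADObject -TargetPath $ou.DistinguishedName

# Step 7: reboot so the servers pick up the new OU. Remove -WhatIf to execute.
if ($servers) { Restart-Computer -ComputerName $servers.Name -Force -WhatIf }

# Rollback to the pre-reset GPO if needed:
# Restore-GPO -Name $ddp -Path $BackupDir
```

Get-ADDefaultDomainPasswordPolicy does not return the Kerberos Policy values, so those are checked against the saved report by hand.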

Projects like this are where I get the material for my “10 Things in AD…” presentations.  This is also why studying for certification exams can be beneficial.  Now I have proof I am correct in what I tell people should go in the Default Domain GPO.

Thanks

Webster

About Carl Webster

Webster is a Sr. Solutions Architect for Choice Solutions, LLC and specializes in Citrix, Active Directory and Technical Documentation. Webster has been working with Citrix products for many years starting with Multi-User OS/2 in 1990.


7 Responses to “Default Domain Group Policy – What Should Be Configured?”

  1. Bill Says:

    Looking at our default domain policy, we see that there are several entries beyond the defaults. We’re not sure if these have been made by programs or services that have been installed on the domain over time. If we reset our default domain policy to the defaults and then apply the account modifications that we have made and documented, are we able to restore the current policy if this change causes other issues?


    • Carl Webster Says:

      I would both back up the GPO (or all GPOs) and then save a report of the GPO so you have a record of all the settings. Would it be easier to recreate the policy or just remove the settings that shouldn’t be there?

      Thanks

      Webster


  2. Anon Says:

    There’s also this page that reflects this same MS advice:

    Updating the Default Domain Policy GPO and the Default Domain Controllers Policy GPO
    http://technet.microsoft.com/en-us/library/dd378987(v=ws.10).aspx


  3. Emmanuel Says:

    Hello Carl, thank you so much for the useful information. However, I have some queries which are related to this article.
    1. I have only 1 PDC and about 15 users, some are using Win XP and others are using Win 7. The problem is it takes too long for logon and log off. I have been trying to troubleshoot this in vain.
    2. There is only one GPO, which is the default one for all users in the DC. I have created “Staff” OU where I pull all users in here and then also there is a default GPO. However, in Windows 7 clients, on the event viewer I got errors like “Periodic policy processing failed for user TRAINING\etessua in 16 seconds.” What could be the issue here? PDC is on W2k3.


  4. IcI Says:

    Thank you. Most certainly useful.

    You do have to question Microsoft though, why is this little nugget of information not clearly & boldly stated in any AD design document?


  5. Prince C. Says:

    Bravo! And thanks for sharing. For, I am in the same shoes as you. I can’t begin to tell you how much I have argued that issue myself! Personally, I learned it a long time ago in one of my Windows 2000 training boot camps but for some reason, it stuck with me because I have had the privilege of building and designing AD Forests in past and even present experiences. It is definitely refreshing to have something online and in the docs to refer would-be doubters to.

    Regards,
    Prince
