How to set group policy in windows server 2008 domain?


It sounds like you'd do well to get some background information on Group Policy before you begin making changes. Some background information on Active Directory would probably help you, too.

I'd recommend strongly against modifying the "Default..." Group Policy Objects (GPOs) that are created in Active Directory by default. You can create your own GPOs that contain your custom settings. By leaving these settings in their default state you create a situation where you can disable all your custom GPOs and return everything to a default state.

To answer your specific queries (at the risk of repeating what TechNet says):

The "Default Domain Policy" is a GPO created during the creation of your Active Directory domain that contains settings that, by default, apply to all computer and user accounts in the domain. (Using the "Block Inheritance" functionality on individual OUs allows this behavior to be overridden, but that's more of an advanced topic.) The main default setting that comes out of this GPO is the domain password policy. This setting controls the parameters associated with user account lock-out and user passwords (length, complexity, expiration, re-use).

The "Default Domain Controllers Policy" is another GPO created during the creation of your Active Directory domain. It contains settings that are only applied to Domain Controller (DC) computers (that is, those computers that host copies of the Active Directory database and perform authentication functions). The main default settings that come out of this GPO in Windows 2003 and newer Windows versions are to limit the DCs to "talking to" clients that support digitally-signed Server Message Block (SMB) packets. The purpose of this setting is to increase security.

The specific details of how Group Policy is applied by users or computers are somewhat involved. In general, though, Group Policy objects are applied in the order they are encountered, starting at the top of the domain and proceeding down through OUs to the computer object. The easiest way I can relate to thinking about "precedence" or "conflicts" between GPOs is to imagine that all the settings are applied as each GPO is encountered, with the "effective" setting being the last setting applied to a given item.

An example: A GPO linked at the domain sets the computer's "Offline Files" feature to "Enabled". Another GPO linked at the OU where the computer object is located sets the "Offline Files" feature to disabled. Because the GPO linked to the OU where the computer object is located is applied last, the "effective setting" for the computer would be to leave "Offline Files" in the disabled state.

The "Block Inheritance" and "No Override" functionality add complexity and powerful functionality. WMI filtering, security group filtering, and loopback policy processing add a lot of additional complexity, too, and are worth learning about. I wouldn't recommend learning about any of these features, though, until you have a good background on the general behavior of the product.
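The precedence rule described in this answer, modelled as an added PowerShell example (not code from the answer, from Microsoft, or from the Group Policy tooling): it walks the link chain from the domain down to the computer's OU, reports which GPO supplied each effective setting, and goes a step beyond the answer by also modelling the "No Override" (Enforced) and "Block Inheritance" behaviours it mentions. Domain, OU and GPO names are constructed, and it needs no Active Directory to run.

```powershell
# Model of GPO link precedence (constructed example, not Microsoft's implementation):
# later links overwrite earlier ones; link order 1 wins within a container; Enforced
# links apply last with the higher-level one winning; Block Inheritance drops
# non-enforced links from above. Site/Local policy, WMI/security filtering and
# loopback processing are deliberately left out of the model.
function Get-EffectiveSettings {
    param(
        [Parameter(Mandatory)][object[]]$Containers,  # ordered domain -> ... -> computer's OU
        [Parameter(Mandatory)][object[]]$Links        # Container, Gpo, Order, Enforced, Settings
    )
    $normal = @(); $enforced = @(); $blocked = $false
    # Walk upward from the computer's OU so a Block Inheritance flag can drop links above it.
    for ($i = $Containers.Count - 1; $i -ge 0; $i--) {
        $c = $Containers[$i]
        # Highest link order is applied first, so link order 1 is applied last and wins.
        $here = @($Links | Where-Object { $_.Container -eq $c.Name } | Sort-Object Order -Descending)
        if (-not $blocked) { $normal = @($here | Where-Object { -not $_.Enforced }) + $normal }
        $enforced += @($here | Where-Object { $_.Enforced })   # child first, parent later -> parent wins
        if ($c.BlockInheritance) { $blocked = $true }
    }
    $effective = @{}
    foreach ($link in ($normal + $enforced)) {          # enforced links are always applied last
        foreach ($name in $link.Settings.Keys) {
            $effective[$name] = [pscustomobject]@{ Setting = $link.Settings[$name]; Source = $link.Gpo }
        }
    }
    return $effective
}

# Constructed sample reproducing the answer's "Offline Files" case; all names are hypothetical.
$containers = @(
    @{ Name = 'corp.example.com'; BlockInheritance = $false },
    @{ Name = 'OU=Workstations';  BlockInheritance = $false }
)
$links = @(
    [pscustomobject]@{ Container = 'corp.example.com'; Gpo = 'Default Domain Policy'; Order = 1; Enforced = $false
                       Settings = @{ MinimumPasswordLength = 8 } },
    [pscustomobject]@{ Container = 'corp.example.com'; Gpo = 'Corp Offline Files'; Order = 2; Enforced = $false
                       Settings = @{ OfflineFiles = 'Enabled' } },
    [pscustomobject]@{ Container = 'OU=Workstations'; Gpo = 'Workstation Offline Files'; Order = 1; Enforced = $false
                       Settings = @{ OfflineFiles = 'Disabled' } }
)
$result = Get-EffectiveSettings -Containers $containers -Links $links
$result.GetEnumerator() | ForEach-Object { '{0} = {1} (from "{2}")' -f $_.Key, $_.Value.Setting, $_.Value.Source }
```

Setting `Enforced = $true` on the domain-level "Corp Offline Files" link, or `BlockInheritance = $true` on the OU, changes which GPO the model reports as the source, which is the quickest way to see why the answer calls those features a later topic.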


Author: afolabiabass

Updated on September 18, 2022

Comments

  • afolabiabass
    afolabiabass over 1 year

    I need to apply group policy to several computers in a Windows Server 2008 domain. After running gpmc.msc, we can see Default Domain Policy and Default Domain Controller Policy

    1. Can you tell me their difference?
    2. Which policy is effective?

    Source: SBS Diva (https://msmvps.com/blogs/bradley/archive/2009/05/29/group-policy-defaults-for-sbs-2008.aspx)

    TechNet says this but I don't understand it:

    Default Domain Policy is linked to the domain object and affects all users and computers in the domain (including computers that are domain controllers) through policy inheritance.

    Default Domain Controllers Policy is linked to the Domain Controllers OU. This policy generally affects only domain controllers, because by default, computer accounts for domain controllers are kept in the Domain Controllers OU.

  • afolabiabass
    afolabiabass almost 13 years
    I am sorry that I am new to Active Directory. If both policies are effective, what will happen if they have conflicting values? I found that DC means Domain Component. Am I correct that all computers joining the domain are called Domain Component, so both policies are effective?
  • Admin
    Admin almost 13 years
    @Seubei: DC means domain controller, which is a computer running Windows Server that processes logons among other things. I'm assuming you want to apply the policy to more than just servers, so you want to use the Default Domain Policy.
  • Spence
    Spence almost 13 years
    @Patches: "DC" means "domain component" in LDAP paths, but I agree with your suspicion that @Seubei probably means "domain controller" in the context of this question. Having said that I'd strongly recommend against modifying the default GPOs in AD.
  • Rob Moir
    Rob Moir almost 13 years
    @seubei I can only echo what Evan has said here, especially the first two paragraphs. You need to have a better understanding of how AD and GPOs work before you can safely/usefully modify them.
  • Rob Moir
    Rob Moir almost 13 years
    -1 It's really bad practice to modify the default GPOs. Better to suggest how to create and apply new GPOs at the same levels.
  • afolabiabass
    afolabiabass almost 13 years
    @Robert Moir Well, everyone is wishing for the best brief, but reality is.... Anyway, as far as I understand, the policy is applied in the following order: 1. Default Domain Policy 2. Default Domain Controllers Policy
  • afolabiabass
    afolabiabass almost 13 years
    @Patches: Thank you! I would like to give a +1 to you. I would also consider the best practice when I design the policy next time.
  • Spence
    Spence almost 13 years
    @Seubei: In a situation where all the default settings are still applied to the "Default Domain Policy" and "Default Domain Controllers Policy" GPOs and GPlinks, and the defaults for "Block Inheritance" are still applied to the "Domain Controllers" OU this would be true. There are a lot of things that, if tweaked from the "stock" settings, could end up making that not true.
  • afolabiabass
    afolabiabass almost 13 years
    Thank you. Your answer helped me to arrive at this site which may be useful for others :)
  • uSlackr
    uSlackr almost 13 years
    @RobertMoir Can you point to that "best practice" documented somewhere? I've never heard that. Either way, I did answer his question whether you like the approach or not
  • uSlackr
    uSlackr almost 13 years
    @Seubei I clarified my post to use domain controller.