Score:0

What are the default settings for the "Default Domain Controller Policy"?


TL;DR: See title.


Background: Back in the "old days", we did a lot of bad things: We used the same server for Active Directory and other services (anyone remember Windows Small Business Server?), and did not follow best practices with respect to Group Policies.

Fortunately, those days are over, but we still use the same Active Directory domain as back then. We recently noticed that the "Default Domain Controller Policy" contains entries which are obviously no longer correct (as the most striking example, regular users and outdated service accounts can log on locally to our domain controllers). I'd like to "clean up" the policy and make sure that we follow up-to-date security recommendations.

I know that it's possible to reset this policy with dcgpofix.exe, but I'm afraid of breaking something by doing that. Instead, I'd like to

  • compare each current setting of the "Default Domain Controller Policy" with the default setting,
  • make sure I understand what this setting does, and
  • then reset it to the default setting if I'm sure that the modification is no longer needed.

To do that, however, I need to see the default "Default Domain Controller Policy", and a Google search on this fails me (probably due to the double meaning of "default" in this context). Hence my question:

What are the default settings for the "Default Domain Controller Policy" in a newly created Active Directory domain?

See here: http://www.sysadminlab.net/windows/restore-default-domain-policy-and-default-domain-controller-gpo-settings-to-default
@TheCleaner: Thanks, this screen shot is exactly what I was looking for.
Score:1

Since you want to manually double-check each entry anyways, you can

  1. look at the "Explain" tab in Group Policy Management Editor to see the default setting for domain controllers and

  2. check Microsoft's documentation for the recommended setting.

As a concrete example, this is what the "Explain" tab says about the "Access this computer from the network" policy entry:

[screenshot of the "Explain" tab]

And this is what Microsoft's documentation recommends:

Best practices

  • [...]
  • On domain controllers, grant this right only to authenticated users, enterprise domain controllers, and administrators.
  • [...]
  • This setting includes the Everyone group to ensure backward compatibility. Upon Windows upgrade, after you've verified that all users and groups are correctly migrated, you should remove the Everyone group and use the Authenticated Users group instead.

As you can see, the default setting contains entries which are no longer required/recommended.
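
One way to script the comparison for the right discussed in this answer, as an added example that is not part of the original posts: it parses the `[Privilege Rights]` section of a GPO security template (`GptTmpl.inf`) and lists principals that go beyond the quoted best practice. The function names, the sample template and the `svc_backup_old` account are constructed for illustration; the baseline uses the well-known SIDs of the three recommended groups.

```powershell
# Recommended holders of SeNetworkLogonRight ("Access this computer from the
# network") on domain controllers, per the best practice quoted above.
$Recommended = @{
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-9'      = 'Enterprise Domain Controllers'
    'S-1-5-32-544' = 'Administrators'
}

function Get-PrivilegeRights {
    # Parse [Privilege Rights] into a hashtable: right name -> principals.
    param([string[]]$Lines)
    $rights = @{}
    $inSection = $false
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            # Entries are comma separated; SIDs carry a leading '*'.
            $rights[$name] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return $rights
}

function Compare-UserRight {
    # Report principals beyond the baseline and baseline entries not granted.
    param([hashtable]$Rights, [string]$Right, [hashtable]$Baseline)
    $current = @($Rights[$Right] | Where-Object { $_ })
    [pscustomobject]@{
        Right   = $Right
        Extra   = @($current | Where-Object { -not $Baseline.ContainsKey($_) })
        Missing = @($Baseline.Keys | Where-Object { $current -notcontains $_ })
    }
}

# Constructed sample template, not taken from a real domain. For a live check,
# pass (Get-Content <path to the GPO's GptTmpl.inf>) instead.
$sample = @'
[Unicode]
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544,*S-1-5-32-554,*S-1-5-9
SeInteractiveLogonRight = *S-1-5-32-544,svc_backup_old
'@ -split "`r?`n"
$rights = Get-PrivilegeRights -Lines $sample
Compare-UserRight $rights 'SeNetworkLogonRight' $Recommended | Format-List
```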
