some query on default "Domain Controllers" OU

    Question

  • Windows Server 2008 R2

    I read that, as per Microsoft's recommendation, one should not edit the "Domain Controllers" OU if I need to customise a GPO. If I create an OU containing all my DC servers and link a GPO to that OU, is it allowed? If it is, then I don't see the point of why one should not touch the "Domain Controllers" OU, since all the DC servers there will be customised anyway.

    I could be wrong though.

    Sunday, January 01, 2017 8:30 AM

Answers

  • Microsoft Best Practice is to avoid editing the built-in "Default Domain Controllers Policy" (except for one caveat, explained in link below) and do not move the Domain Controllers to a new OU.  Those are very bad ideas.  Moving the DCs to a new OU will cause immediate problems because the "Default Domain Controllers Policy" will not be linked to it and the security policies contained within it will no longer apply.   

    Instead, create a new GPO containing the new settings you want to customize, and then link that new GPO to the Domain Controllers OU. This way, if something goes wrong with a setting in the new GPO, such as inadvertently locking users out of an AD-integrated application, you can simply un-link the new GPO, or even delete it, and the "bad" setting will be rolled off your domain controllers that easily. For people who tend not to document and make a direct change to the built-in "Default Domain Controllers Policy", when a problem starts to occur they could suddenly find themselves troubleshooting in panic mode and changing the wrong things in order to fix something else, which is never good.

    Best practice for Default Domain Policy and Default Domain Controllers Policy


    Best Regards, Todd Heron | Active Directory Consultant

    • Marked as answer by Reno Mardo Monday, January 02, 2017 8:15 AM
    Sunday, January 01, 2017 2:08 PM
  • There are specific permissions and configurations applied to this OU and thus it is not advised to touch it. I have not tried creating a different OU and applying the same permission and GPOs but, assuming that you succeed to make it work with no issues, you may not be able to make it work the same way it does for "Domain Controllers" OU - As an example, when a new DC is promoted, it will automatically be moved to this OU.

    For the GPOs, it is advised not to touch the built-in one. However, you still can update it.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK

    My Website Link

    My Linkedin Profile

    My MVP Profile

    • Marked as answer by Reno Mardo Monday, January 02, 2017 8:15 AM
    Sunday, January 01, 2017 9:20 PM
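    The following is an added PowerShell example, not code from the thread, from Microsoft or from either answerer. It carries out the approach both answers recommend: leave "Default Domain Controllers Policy" alone, put the custom settings in a new GPO linked to the built-in "Domain Controllers" OU, and verify that the default policy is still linked and that every DC actually sits in that OU. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and that the account has rights to create and link GPOs; the GPO name "DC Custom Settings" is an assumed placeholder.

```powershell
# Added example (not from the thread). Customise domain controllers with a NEW
# GPO linked to the built-in "Domain Controllers" OU instead of editing the
# "Default Domain Controllers Policy" or moving DCs to another OU.
# Assumes RSAT GroupPolicy + ActiveDirectory modules and GPO create/link rights.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'DC Custom Settings'                        # assumed placeholder name
$dcOu    = (Get-ADDomain).DomainControllersContainer   # e.g. OU=Domain Controllers,DC=example,DC=com

# 1. Create the custom GPO (reuse it if it already exists, so the script is idempotent).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Custom DC settings; unlink this GPO to roll back'
}
# Author the actual settings in GPMC, or with Set-GPRegistryValue, against $gpoName.

# 2. Link it to the Domain Controllers OU. Link order 1 has the highest
#    precedence in that container, so on conflicts it overrides the default policy.
$links = (Get-GPInheritance -Target $dcOu).GpoLinks
if (-not ($links | Where-Object DisplayName -eq $gpoName)) {
    New-GPLink -Name $gpoName -Target $dcOu -LinkEnabled Yes -Order 1 | Out-Null
}

# 3. Check the default policy is still linked: this is the link you would lose
#    by moving the DCs to a different OU.
$links = (Get-GPInheritance -Target $dcOu).GpoLinks
$links | Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize
if (-not ($links | Where-Object DisplayName -eq 'Default Domain Controllers Policy')) {
    Write-Warning 'Default Domain Controllers Policy is NOT linked to the Domain Controllers OU.'
}

# 4. Check every DC lives in that OU. Promotion places them there automatically;
#    a DC that was moved elsewhere receives neither the default nor the custom GPO.
foreach ($dc in Get-ADDomainController -Filter *) {
    $parentDn = ($dc.ComputerObjectDN -split ',', 2)[1]
    if ($parentDn -ne $dcOu) {
        Write-Warning "$($dc.HostName) is in '$parentDn', not in the Domain Controllers OU."
    }
}

# Roll back: remove only the custom link (or GPO); the default policy is untouched.
# Remove-GPLink -Name $gpoName -Target $dcOu
# Remove-GPO    -Name $gpoName
```

    Running this after a change gives you a quick before/after view of the link list on the Domain Controllers OU, which is the documentation trail the first answer says people tend to skip. If something breaks, the two commented rollback lines undo only the custom GPO.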

All replies

  • Hi Reno,

    In addition, you could refer to the thread discussed before.

    Default Domain Controllers OU vs other OU with Domain Controller Policy Applied?

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/1cb96762-a6a7-4cd1-8fc6-2b68529d9fcc/default-domain-controllers-ou-vs-other-ou-with-domain-controller-policy-applied?forum=winserverDS

    Best Regards,

    Mary


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, January 02, 2017 8:36 AM
    Moderator