Domain without any domain GPO?

    Question

  • I would like to seek advice. There is this special request in our environment: we want to join all computers to a domain but we don't want any domain policy applied; the Default Domain Policy will be disabled and no other policy will be created (the domain controller policy will remain). I have never done such a setup before, and this practice is not found in any AD text, nor on any website when I googled.

    If no policy is applied, is it correct that only local policy will take effect? What happens to the domain password policy?

    Is there any impact to the operation of the domain or the members of domain?

    Thanks in advance.


    Valuable skills are not learned, learned skills aren't valuable.

    Thursday, May 19, 2016 9:20 AM

Answers

  • Hi,

    In my opinion, it does not come from the Default Domain Policy; it is directed into the Active Directory database.

    Within Windows Server 2008, you won't be establishing Account Policies with the Default Domain Policy. In fact, you won't be using GPOs for creating Account Policies for domain user accounts at all. In Windows Server 2008, you will be directed into the Active Directory database to make your modifications. Specifically, you will use a tool like ADSIEdit to modify the Active Directory object and its associated attributes.

    For more information, you could refer to the "Account Policy within Windows Server 2008" section of the article below.

    Windows Domain Password Policies

    https://technet.microsoft.com/en-us/magazine/2007.12.securitywatch.aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, May 20, 2016 2:15 AM
    Moderator
  • I did some tests.

    When no domain policies are applied, the password policy and account lockout policy of the domain are no longer enforced on local accounts. All local accounts will still take the password policy and account lockout policy from the local security settings.

    This means no policy, not even the password policy, is applied to domain members when all domain GPOs are disabled (de-linked).


    Valuable skills are not learned, learned skills aren't valuable.

    Saturday, May 21, 2016 3:49 PM

All replies

  • > If no policy is applied, is it correct that only local policy will take
    > effect?
     
    Yes.
    > What happens to the domain password policy?
     
    It will continue to be "effective", because its settings (account and
    password policies) are written to the domain head (domain container
    itself in LDAP).
     
    > Is there any impact to the operation of the domain or the members of domain?
     
    I don't see any.
     
    Thursday, May 19, 2016 9:25 AM
  • > What happens to the domain password policy?
     
    It will continue to be "effective", because its settings (account and
    password policies) are written to the domain head (domain container
    itself in LDAP).
     
    That means the password policy and account lockout policy will still come from the Default Domain Policy, even though it is disabled?

    Valuable skills are not learned, learned skills aren't valuable.

    Thursday, May 19, 2016 2:51 PM
  • Hi,

    In my opinion, it does not come from the Default Domain Policy; it is directed into the Active Directory database.

    Within Windows Server 2008, you won't be establishing Account Policies with the Default Domain Policy. In fact, you won't be using GPOs for creating Account Policies for domain user accounts at all. In Windows Server 2008, you will be directed into the Active Directory database to make your modifications. Specifically, you will use a tool like ADSIEdit to modify the Active Directory object and its associated attributes.

    For more information, you could refer to the "Account Policy within Windows Server 2008" section of the article below.

    Windows Domain Password Policies

    https://technet.microsoft.com/en-us/magazine/2007.12.securitywatch.aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, May 20, 2016 2:15 AM
    Moderator
  • > In my opinion, it does not come from the Default Domain Policy; it is directed
    > into the Active Directory database.
     
    Correct. The domain object itself has attributes like minPwdAge,
    maxPwdAge, minPwdLength and so on. As long as the DDP exists with its
    default GUID, changes in the DDP will go into AD, and vice versa -
    changes in AD will go back into the DDP (although this is not well known
    at all :-))
     
    Friday, May 20, 2016 10:43 AM
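    The replies above say the domain's account policy lives as attributes on the domain head object rather than in a GPO that members must process. The following script is an added example (not posted in this thread) that reads and decodes those attributes and compares them with the Default Domain Policy's security template in SYSVOL; it assumes the RSAT ActiveDirectory module on a domain-joined machine and uses the well-known Default Domain Policy GUID.

```powershell
# Added example, not from the thread: read the account policy stored on the domain head.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

function Convert-AdInterval {
    # Durations on the domain head are stored as NEGATIVE 100-nanosecond intervals.
    # Int64.MinValue means "never" (maxPwdAge) or "until an administrator unlocks" (lockoutDuration).
    param([Int64]$Ticks)
    if ($Ticks -eq [Int64]::MinValue) { return 'never' }
    return [TimeSpan]::FromTicks(-$Ticks).ToString()
}

$domainDn = (Get-ADDomain).DistinguishedName
$attrs = @('minPwdAge', 'maxPwdAge', 'minPwdLength', 'pwdHistoryLength', 'pwdProperties',
           'lockoutThreshold', 'lockoutDuration', 'lockOutObservationWindow')
$head = Get-ADObject -Identity $domainDn -Properties $attrs

# pwdProperties is a bit mask; flag names follow DOMAIN_PASSWORD_INFORMATION in [MS-SAMR].
$pwdFlags = @{
    0x01 = 'DOMAIN_PASSWORD_COMPLEX'
    0x02 = 'DOMAIN_PASSWORD_NO_ANON_CHANGE'
    0x04 = 'DOMAIN_PASSWORD_NO_CLEAR_CHANGE'
    0x08 = 'DOMAIN_LOCKOUT_ADMINS'
    0x10 = 'DOMAIN_PASSWORD_STORE_CLEARTEXT'
    0x20 = 'DOMAIN_REFUSE_PASSWORD_CHANGE'
}
$setFlags = $pwdFlags.Keys | Where-Object { $head.pwdProperties -band $_ } |
    ForEach-Object { $pwdFlags[$_] }

[PSCustomObject]@{
    Domain                = $domainDn
    MinPasswordLength     = $head.minPwdLength
    PasswordHistoryLength = $head.pwdHistoryLength
    MinPasswordAge        = Convert-AdInterval $head.minPwdAge
    MaxPasswordAge        = Convert-AdInterval $head.maxPwdAge
    LockoutThreshold      = $head.lockoutThreshold          # 0 means accounts never lock out
    LockoutDuration       = Convert-AdInterval $head.lockoutDuration
    LockoutObservation    = Convert-AdInterval $head.lockOutObservationWindow
    PasswordFlags         = ($setFlags -join ', ')
} | Format-List

# Cross-check against the Default Domain Policy's security template in SYSVOL.
# If the DDP has been unlinked and edited since, these values can drift from the domain head.
$dnsName = (Get-ADDomain).DNSRoot
$tmpl = "\\$dnsName\SYSVOL\$dnsName\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}" +
        "\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
if (Test-Path $tmpl) {
    Get-Content $tmpl | Select-String -Pattern '^(MinimumPasswordLength|MaxximumPasswordAge|MaximumPasswordAge|LockoutBadCount|PasswordComplexity)'
}
```

    Values that are "never" or a threshold of 0 on the domain head mean the protection is absent for every domain account, whatever any member computer's local policy says.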
  • I did some tests.

    When no domain policies are applied, the password policy and account lockout policy of the domain are no longer enforced on local accounts. All local accounts will still take the password policy and account lockout policy from the local security settings.

    This means no policy, not even the password policy, is applied to domain members when all domain GPOs are disabled (de-linked).


    Valuable skills are not learned, learned skills aren't valuable.

    Saturday, May 21, 2016 3:49 PM