Domain without any domain GPO?

-
I would like to seek advice. There is this special request in our environment: We want to join all computers to a domain but we don't want any domain policy applied, the default domain policy will be disabled, no other policy will be created (domain controller policy will remain). I have never done such a setup before, and this practice is not found in any AD text, nor on any website when I googled.
If no policy is applied, is it correct that only local policy will take effect? What happens to the domain password policy?
Is there any impact to the operation of the domain or the members of domain?
Thanks in advance.
Valuable skills are not learned, learned skills aren't valuable.
Question
Answers
-
Hi,
In my opinion, it does not come from the default domain policy; it is directed into the Active Directory database.
Within Windows Server 2008, you won't be establishing Account Policies with the Default Domain Policy. In fact, you won't be using GPOs for creating Account Policies for domain user accounts at all. In Windows Server 2008, you will be directed into the Active Directory database to make your modifications. Specifically, you will use a tool like ADSIEdit to modify the Active Directory object and its associated attributes.
For more information, you could refer to the part of Account Policy within Windows Server 2008 of the article below.
Windows Domain Password Policies
https://technet.microsoft.com/en-us/magazine/2007.12.securitywatch.aspx
Best Regards,
Jay
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
- Proposed as answer by Jay GuModerator Monday, May 30, 2016 11:04 AM
- Marked as answer by Jay GuModerator Tuesday, June 07, 2016 3:09 AM
-
I did some tests.
When no domain policies are applied, the password policy and account lockout policy of the domain are no longer enforced on local accounts. All local accounts will still take the password policy and account lockout policy of the local security settings.
This means no policy, not even the password policy, is applied to domain members when all domain GPOs are disabled (de-linked).
Valuable skills are not learned, learned skills aren't valuable.
- Proposed as answer by Jay GuModerator Monday, May 30, 2016 11:04 AM
- Marked as answer by Jay GuModerator Tuesday, June 07, 2016 3:09 AM
All replies
-
> If no policy is applied, is it correct that only local policy will take effect?
Yes.
> What happens to the domain password policy?
It will continue to be "effective", because its settings (account and password policies) are written to the domain head (domain container itself in LDAP).
> Is there any impact to the operation of the domain or the members of domain?
I don't see any.
-
> What happens to the domain password policy?
It will continue to be "effective", because its settings (account and password policies) are written to the domain head (domain container itself in LDAP).
Valuable skills are not learned, learned skills aren't valuable.
-
> In my opinion, it does not come from the default domain policy; it is directed into the Active Directory database.
Correct. The domain object itself has attributes like minPwdAge, maxPwdAge, minPwdLength and so on. As long as the DDP exists with its default GUID, changes in the DDP will go into AD, and vice versa - changes in AD will go back into the DDP (although this is not well known at all :-))
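An added example, not code from any poster in this thread, that decodes the domain head attributes named in the reply above (minPwdAge, maxPwdAge, minPwdLength and their lockout companions) the way an LDAP client such as ldap3 would return them for the domain root object; reading them from LDAP shows the policy the domain controllers actually enforce, independent of which GPOs are linked. The attribute names and pwdProperties flag bits are the real AD ones; the sample record is constructed from the Windows Server 2008 default values.

```python
# Flag bits of pwdProperties (the DOMAIN_PASSWORD_* constants).
PWD_PROPERTY_FLAGS = {
    0x01: "DOMAIN_PASSWORD_COMPLEX",
    0x02: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    0x04: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    0x08: "DOMAIN_LOCKOUT_ADMINS",
    0x10: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    0x20: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}
NEVER = -0x8000000000000000   # sentinel AD stores for "never" / "until admin unlocks"
TICKS_PER_SECOND = 10_000_000  # interval attributes are negative counts of 100 ns ticks

def interval_to(raw, unit_seconds):
    """Negative 100 ns interval -> the given unit; None for the 'never' sentinel."""
    return None if raw == NEVER else -raw / (TICKS_PER_SECOND * unit_seconds)

def decode_domain_policy(attrs):
    """Summarise the account policy held on the domain head (domain root) object."""
    flags = int(attrs.get("pwdProperties", 0))
    return {
        "min_pwd_length": int(attrs.get("minPwdLength", 0)),
        "pwd_history_length": int(attrs.get("pwdHistoryLength", 0)),
        "max_pwd_age_days": interval_to(int(attrs["maxPwdAge"]), 86_400),
        "min_pwd_age_days": interval_to(int(attrs["minPwdAge"]), 86_400),
        "lockout_threshold": int(attrs.get("lockoutThreshold", 0)),
        "lockout_duration_min": interval_to(int(attrs["lockoutDuration"]), 60),
        "lockout_window_min": interval_to(int(attrs["lockOutObservationWindow"]), 60),
        "pwd_properties": [n for bit, n in PWD_PROPERTY_FLAGS.items() if flags & bit],
    }

def weak_settings(policy):
    """Findings a defender would flag in the decoded policy."""
    findings = []
    if policy["min_pwd_length"] < 8:
        findings.append("minPwdLength below 8")
    if "DOMAIN_PASSWORD_COMPLEX" not in policy["pwd_properties"]:
        findings.append("complexity not required")
    if policy["lockout_threshold"] == 0:
        findings.append("lockoutThreshold 0: no account lockout")
    if "DOMAIN_PASSWORD_STORE_CLEARTEXT" in policy["pwd_properties"]:
        findings.append("reversible encryption enabled")
    return findings

# Constructed sample of a domain head, using Windows Server 2008 default values.
SAMPLE_DOMAIN_HEAD = {
    "minPwdLength": 7, "pwdHistoryLength": 24, "pwdProperties": 1,
    "maxPwdAge": -36288000000000, "minPwdAge": -864000000000,
    "lockoutThreshold": 0, "lockoutDuration": -18000000000,
    "lockOutObservationWindow": -18000000000,
}
```

Feed `decode_domain_policy` the attribute dict from an LDAP search of the domain root (base DN, scope base) to compare what the directory holds against what the Default Domain Policy claims.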