Remove From My Forums

Domain without any domain GPO?

Question

0

Sign in to vote

I would like to seek advice. There is this special request in our environment: We want to join all computers to a domain but we don't want any domain policy applied, the default domain policy will be disabled, no other policy will be created (domain controller policy will remain). As I have never done such an set up before and this practice is not found in any AD text, neither in any websites when I googled.

If no policy is applied, is it correct that only local policy will take effect? What happen to domain policy password?

Is there any impact to the operation of the domain or the members of domain?

Thanks in advance.

Valuable skills are not learned, learned skills aren't valuable.

Thursday, May 19, 2016 9:20 AM

Reply

|

Quote

Answers

0

Sign in to vote
Hi,

In my opinion, it is not come from default domain policy, it is directed into Active Directory database.

Within Windows Server 2008, you won't be establishing Account Policies with the Default Domain Policy. In fact, you won't be using GPOs for creating Account Policies for domain user accounts at all. In Windows Server 2008, you will be directed into the Active Directory database to make your modifications. Specifically, you will use a tool like ADSIEdit to modify the Active Directory object and its associated attributes.

For more information, you could refer to the part of Account Policy within Windows Server 2008 of the article below.

Windows Domain Password Policies

https://technet.microsoft.com/en-us/magazine/2007.12.securitywatch.aspx

Best Regards,

Jay
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
- Proposed as answer by Jay GuModerator Monday, May 30, 2016 11:04 AM
- Marked as answer by Jay GuModerator Tuesday, June 7, 2016 3:09 AM
Friday, May 20, 2016 2:15 AM

Reply

|

Quote

Moderator

0

Sign in to vote
I did some tests.

When no domain policies are applied, password policy and account locked out policy of the domain no longer enforced on local accounts. All local accounts will still take the password policy and account locked out policy of the local security settings.

This means no policy, not even the password policy is applied to domain member when all domain GPO are disabled (de-linked).
Valuable skills are not learned, learned skills aren't valuable.
- Proposed as answer by Jay GuModerator Monday, May 30, 2016 11:04 AM
- Marked as answer by Jay GuModerator Tuesday, June 7, 2016 3:09 AM
Saturday, May 21, 2016 3:49 PM

Reply

|

Quote

All replies

0

Sign in to vote

> If no policy is applied, is it correct that only local policy will take

> effect?

Yes.

> What happen to domain policy password?

It will continue to be "effective", because its settings (account and

password policies) are written to the domain head (domain container

itself in LDAP).

> Is there any impact to the operation of the domain or the members of domain?

I don't see any.

Thursday, May 19, 2016 9:25 AM

Reply

|

Quote

0

Sign in to vote

> What happen to domain policy password?

It will continue to be "effective", because its settings (account and

password policies) are written to the domain head (domain container

itself in LDAP).

That means, the password policy and account lock-out policy will still come from default domain policy, even though it is being disabled?
Valuable skills are not learned, learned skills aren't valuable.

Thursday, May 19, 2016 2:51 PM

Reply

|

Quote

0

Sign in to vote
Hi,

In my opinion, it is not come from default domain policy, it is directed into Active Directory database.

Within Windows Server 2008, you won't be establishing Account Policies with the Default Domain Policy. In fact, you won't be using GPOs for creating Account Policies for domain user accounts at all. In Windows Server 2008, you will be directed into the Active Directory database to make your modifications. Specifically, you will use a tool like ADSIEdit to modify the Active Directory object and its associated attributes.

For more information, you could refer to the part of Account Policy within Windows Server 2008 of the article below.

Windows Domain Password Policies

https://technet.microsoft.com/en-us/magazine/2007.12.securitywatch.aspx

Best Regards,

Jay
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
- Proposed as answer by Jay GuModerator Monday, May 30, 2016 11:04 AM
- Marked as answer by Jay GuModerator Tuesday, June 7, 2016 3:09 AM
Friday, May 20, 2016 2:15 AM

Reply

|

Quote

Moderator

0

Sign in to vote

> In my opinion, it is not come from default domain policy, it is directed

> into Active Directory database.

Correct. The domain object itself has attributes like minPwdAge,

maxPwdAge, minPwdLength and so on. As long as the DDP exists with its

default GUID, changes in the DDP will go into AD, and vice versa -

changes in AD will go back into the DDP (although this is not well known

at all :-))

Friday, May 20, 2016 10:43 AM

Reply

|

Quote

0

Sign in to vote
I did some tests.

When no domain policies are applied, password policy and account locked out policy of the domain no longer enforced on local accounts. All local accounts will still take the password policy and account locked out policy of the local security settings.

This means no policy, not even the password policy is applied to domain member when all domain GPO are disabled (de-linked).
Valuable skills are not learned, learned skills aren't valuable.
- Proposed as answer by Jay GuModerator Monday, May 30, 2016 11:04 AM
- Marked as answer by Jay GuModerator Tuesday, June 7, 2016 3:09 AM
Saturday, May 21, 2016 3:49 PM

Reply

|

Quote