Default Domain GPO - Password, Account and Kerberos settings getting blocked?

    General discussion

  • The company I work at has a Win2008R2 domain.  With 2000/2003 it seems like there were special exceptions that you could not block the Password, Account and Kerberos settings in the Default Domain GPO.  So even if the Default Domain GPO was not enforced, those settings still flowed past the blocking of inheritance.  Then 2008R2 came out and had Fine-Grained Password settings where you could have different settings at the OU level that would override the Password, Account and Kerberos settings you specify at the Domain level.  So now I think it behaves just like any other group policy.  I believe this is how it works.  If there are any special exceptions or rules for these settings in the Default Domain GPO on a 2008R2 domain, let me know.

    The company I work at has Password and Account settings specified in the Default Domain Controllers GPO and Default Domain GPO.  On the domain controllers everything is being applied and working correctly.  Domain accounts always lock out, etc.  I just noticed that the "Servers" OU has a block on it that is not being overridden by the Default Domain GPO (not enforced).  The result is that servers do not have these Password, Account and Kerberos settings for their local accounts.  What I think happened is the domain was upgraded from 2003 to 2008R2 and those special settings that used to flow through started getting blocked like they would with any other GPO.  I tested and can attempt a brute force against a local account on a server without getting locked out.  There is a big concern from the security side of things, so I am planning on applying the Password, Account and Kerberos settings to each server as well as the Domain Controllers.  Are there any weird security exceptions to the Default Domain GPO anymore for these settings?  If those settings are getting blocked, and nothing is applied, I think Windows reverts back to nothing by default.  At least that is the way it looks.  This should be an easy one for a GPO expert, but my question is more about any special exceptions that might still exist for Password, Account and Kerberos settings being applied at a domain level.


    • Edited by DaveBryan37 Saturday, January 31, 2015 3:52 AM
    Saturday, January 31, 2015 12:30 AM

All replies

  • Hi,

    If your "Default Domain GPO" is not enforced, it won't apply to any OU where you enable 'Block Inheritance'; that's expected behavior.

    If you wish to ensure "Default Domain GPO" is applied to the entire domain, link it to domain root and enforce it.

    If you have multiple GPOs that are enforced, the first one to apply will 'win'.


    Yes, when a computer/user falls out of scope, a setting set by policy (not preference, by default) will go back to the last or default value. The default account lockout threshold is '0', which means 'no limit', so that's the reason you won't get locked out.

    Best Regards,

    Jesper Vindum, Denmark

    Systems Administrator

    Help the forum: Monitor(alert) your threads and vote helpful replies or mark them as answer, if it helps solving your problem.

    Saturday, January 31, 2015 10:36 AM
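    The audit the question and the reply above describe can be scripted. The following PowerShell is an added example, not code from either poster; it assumes the GroupPolicy and ActiveDirectory RSAT modules are installed, that the Default Domain GPO still carries its default display name 'Default Domain Policy', and that the caller can read GPO links. It lists every OU that blocks inheritance and reports whether the Default Domain GPO still reaches it (only an enforced link does), then shows the domain-level lockout values to compare against what `net accounts` reports on a member server.

```powershell
# Added audit script (not from the thread). Assumed: RSAT GroupPolicy and
# ActiveDirectory modules present; GPO display name below is an assumption.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName
$defaultGpo = 'Default Domain Policy'   # assumed display name of the Default Domain GPO

# 1. Is the Default Domain GPO linked at the domain root, and is that link enforced?
#    Per the reply, an unenforced link is dropped by any OU with Block Inheritance.
$rootLink = (Get-GPInheritance -Target $domainDN).GpoLinks |
    Where-Object { $_.DisplayName -eq $defaultGpo }
"Default Domain GPO linked at root: {0}; enforced: {1}" -f ($null -ne $rootLink), [bool]$rootLink.Enforced

# 2. Every OU that blocks inheritance. InheritedGpoLinks is the effective set of
#    links for that OU, so the Default Domain GPO appears there only if it is enforced
#    (or linked directly to the OU). Where it is absent, computers in that OU fall back
#    to the built-in default: lockout threshold 0, i.e. never lock out.
$report = Get-ADOrganizationalUnit -Filter * -SearchBase $domainDN | ForEach-Object {
    $inh = Get-GPInheritance -Target $_.DistinguishedName
    if ($inh.GpoInheritanceBlocked) {
        $stillApplies = $inh.InheritedGpoLinks | Where-Object { $_.DisplayName -eq $defaultGpo }
        [pscustomobject]@{
            OU                         = $_.DistinguishedName
            BlocksInheritance          = $true
            DefaultDomainGpoStillApplies = [bool]$stillApplies
        }
    }
}
$report | Format-Table -AutoSize

# 3. Domain-level lockout policy, to compare with `net accounts` run locally on a
#    server in a flagged OU (the local value there will show 'Never' / 0).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow, MinPasswordLength

# Remediation the reply suggests: enforce the root link. Uncomment to apply.
# Set-GPLink -Name $defaultGpo -Target $domainDN -Enforced Yes
```

Any OU reported with `DefaultDomainGpoStillApplies = False` is one where the password, lockout and Kerberos settings from the domain level are not reaching its computers.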
  • There used to be exceptions to those normal rules for these specific settings in the Default Domain GPO.  I think that went away with 2008, but I am trying to double-check those special exceptions.

    Dan Heim

    Monday, February 2, 2015 3:42 PM