Default Domain Controllers Policy - not enforced or linked?

    Question

  • I was looking at the GPOs because new Surface Pro 3 with Windows 10 are not having the GPOs applied. While investigating this problem I came across the fact that the Default Domain Controllers Policy is not link enabled or enforced. See below.

     

    The environment was upgraded from Server 2003 to Server 2012 R2 last year. I do not know how this happened, but I cannot believe that it is correct. I am inclined to just enable the link, but I do wonder if there will be any bad or disastrous effects.

    I would appreciate any comments or insights.

    Is there any reason why the GPO should not be enabled?

    Am I missing something?

    Thanks for any comments

    Paul


    • Edited by P Beaulieu Friday, March 4, 2016 4:41 PM added picture
    Friday, March 4, 2016 4:38 PM

All replies

  • Hello,

    The picture is not showing; please re-upload it. By default, the Default Domain Controllers Policy should be linked to the Domain Controllers container and enabled. On the other hand, if you have non-default settings, it may not be necessary.



    Friday, March 4, 2016 4:46 PM
  • I am a contractor at this site and it appears that very little was done in the way of GPO. It looks like a standard install was done and 10 new GPOs were defined. Most of the GPOs were for deployment, but it is not being used.

    Maybe the better way to look at this site is that it is basically a standard install.  So there is no other GPO to replace any of the functionality set by the Default Domain Controllers Policy.

    Friday, March 4, 2016 5:22 PM
  • It looks like a human mistake. The policy was disabled and should be enabled again.


    Friday, March 4, 2016 5:35 PM
  • Default Domain Controllers Policy =/= Default Domain Policy

    The Default Domain Policy will be on the top of your Root directory, which should be inherited and enforced on all machines for most domains.

    Friday, March 4, 2016 5:39 PM
  • Hi,

    It is not recommended to disable the Default Domain Controllers Group Policy. The GUIDs for the Default Domain Controllers Group Policy and also the Default Domain Policy are hard coded in. Please refer to the following article to get more information:

    Just don't do it!

    http://blogs.technet.com/b/janelewis/archive/2007/04/24/just-don-t-do-it.aspx

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, March 7, 2016 3:04 AM
    Moderator
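
A read-only check of the situation discussed in this thread, as an added example that is not part of any poster's reply: it reports whether the Default Domain Controllers Policy is linked, link-enabled and enforced on the Domain Controllers OU. It assumes the ActiveDirectory and GroupPolicy RSAT modules are installed and uses the well-known fixed GUID of that GPO; the variable names are illustrative.

```powershell
# Added example: audit the link state of the Default Domain Controllers Policy.
# Makes no changes; the remediation line at the end is left commented out.
Import-Module ActiveDirectory, GroupPolicy

# Well-known GUID of the Default Domain Controllers Policy (identical in every domain).
$ddcpGuid = [guid]'6AC1786C-016F-11D2-945F-00C04FB984F9'

$domain = Get-ADDomain
$dcOu   = $domain.DomainControllersContainer   # DN of the Domain Controllers OU

# GPO links attached directly to the Domain Controllers OU.
$som  = Get-GPInheritance -Target $dcOu -Domain $domain.DNSRoot
$link = $som.GpoLinks | Where-Object { $_.GpoId -eq $ddcpGuid }

# The GPO object itself can also have its settings disabled independently of the link.
$gpo = Get-GPO -Guid $ddcpGuid -Domain $domain.DNSRoot

$report = [pscustomobject]@{
    Target             = $dcOu
    Linked             = [bool]$link
    LinkEnabled        = if ($link) { $link.Enabled }  else { $null }
    Enforced           = if ($link) { $link.Enforced } else { $null }
    LinkOrder          = if ($link) { $link.Order }    else { $null }
    GpoStatus          = $gpo.GpoStatus                # AllSettingsEnabled is the default
    InheritanceBlocked = $som.GpoInheritanceBlocked
}
$report | Format-List

if (-not $report.Linked) {
    Write-Warning "Default Domain Controllers Policy is not linked to $dcOu."
} elseif (-not $report.LinkEnabled) {
    Write-Warning "The link on $dcOu exists but is disabled, so the policy is not applied."
}
if ($report.GpoStatus -ne 'AllSettingsEnabled') {
    Write-Warning "GPO status is $($report.GpoStatus); some settings are disabled."
}

# Remediation once the findings are reviewed (re-enables an existing link):
# Set-GPLink -Guid $ddcpGuid -Target $dcOu -Domain $domain.DNSRoot -LinkEnabled Yes
```

Running `gpresult /r /scope computer` on a domain controller after the next policy refresh confirms whether the GPO appears under the applied Group Policy Objects.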
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Alvin Wang



    Thursday, March 10, 2016 8:18 AM
    Moderator
  • The information was helpful and I have re-enabled the Default Domain Controllers Policy. 

    Thanks

    Thursday, March 10, 2016 5:57 PM
  • Hi,

    I am glad to hear that the information is helpful to you. If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Alvin Wang



    Friday, March 11, 2016 2:13 AM
    Moderator