Default Domain Policy keeps resetting to default

  • Question

  • Yesterday, one of our sysadmins demoted, upgraded the OS, then promoted back a domain controller. Since then our Default Domain Policy keeps reverting back to the default settings matching the local policy. If we go in and edit the GPO to make changes, it reverts back to the default within 15 minutes every time.

    We have tried keeping the GPO both managed by AGPM and not, and in both cases it still reverts. When it was managed by AGPM the info indicated the AGPM service account was what modified it. I then removed the AGPM service account's permissions from the GPO after removing it from AGPM management and the issue persists.

    I am lost as to where to look. I found a thread implicating perhaps local policy on a DC being edited as a culprit but I am unable to edit it on the DCs as a workaround. Any ideas would be welcome.

    Wednesday, March 21, 2018 11:45 AM

Answers

  • Well, we resolved this via best practices, i.e. not touching and using the Default Domain Policy. We created a new GPO with the desired settings and applied that.

    • Proposed as answer by Wendy Jiang Thursday, March 22, 2018 8:51 AM
    • Marked as answer by BryanCP Thursday, March 22, 2018 9:37 AM
    Wednesday, March 21, 2018 2:16 PM

All replies

  • Actually, the best practice is not to ignore the Default Domain Policy, but to *not* edit local policy on DCs. There is a behavior (documented) where security changes in some of the areas in the local GPO on DCs will automatically be written back to the DDP. 

    Darren


    Darren Mar-Elia MS-MVP, Group Policy
    www.gpoguy.com
    www.sdmsoftware.com - "The Group Policy Experts"

    Wednesday, March 21, 2018 4:50 PM
  • Hi,

    I am glad that the issue is figured out, and I appreciate your update and sharing the method with us. We would appreciate it if you would mark them as answers; it will be greatly helpful to others who have the same problem.

    Thank you for your effort again.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, March 22, 2018 8:52 AM
  • We were basing it off of this (admittedly quite old) article: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc779159(v=ws.10). Specifically, the statement

    • Do not modify the default domain policy or default domain controller policy unless necessary. Instead, create a new GPO at the domain level and set it to override the default settings in the default policies.

    We actually never edited local policies on any DC. We have seen this type of behavior more than once when demoting a DC (DDP getting reset to default).

    Thursday, March 22, 2018 9:36 AM
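The workaround the thread settles on (leave the Default Domain Policy alone, put the custom settings in a separate domain-level GPO that takes precedence) and a quick baseline of the DDP so an unexpected revert is visible, as an added PowerShell example that is not from any poster in this thread. It assumes the RSAT GroupPolicy and ActiveDirectory modules and an elevated domain-admin session; the GPO display name is a placeholder.

```powershell
# Added example, not from the thread. Assumes RSAT GroupPolicy + ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$ddpGuid  = '31B2F340-016D-11D2-945F-00C04FB984F9'   # well-known GUID of the Default Domain Policy

# 1. Baseline the DDP: version counters and last-modified time. If these move again without
#    an admin edit, the policy is still being rewritten and the baseline shows when.
$ddp = Get-GPO -Guid $ddpGuid
'{0}: AD version={1} SYSVOL version={2} modified={3}' -f `
    $ddp.DisplayName, $ddp.Computer.DSVersion, $ddp.Computer.SysvolVersion, $ddp.ModificationTime

# 2. Create a separate GPO for the custom settings instead of editing the DDP.
$gpoName = 'Domain Security Settings (custom)'     # placeholder display name
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Custom domain settings; Default Domain Policy left at defaults'
}

# 3. Link it at the domain root with link order 1 (highest precedence, processed last),
#    so on any conflicting setting it overrides the DDP without the DDP being touched.
$existing = (Get-GPInheritance -Target $domainDn).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $existing) {
    New-GPLink -Guid $gpo.Id -Target $domainDn -LinkEnabled Yes -Order 1 | Out-Null
} else {
    Set-GPLink -Guid $gpo.Id -Target $domainDn -Order 1 | Out-Null
}

# 4. Show the resulting precedence at the domain root: lower Order wins on conflict.
(Get-GPInheritance -Target $domainDn).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced
```

The custom settings themselves are then added to the new GPO in GPMC (or with Set-GPRegistryValue where the setting is registry-backed); the DDP is only read, never written, by this script.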