Hey Team,
Let's talk about the Default Group Policy Objects.
I get this question all the time: "Should I modify the Default Group Policy objects?"
Here are the two schools of thought:
School of Thought #1
-----------------------------
Modify only the stuff that is specific to the "Default Domain Policy" GPO. Then, ensure that it has the highest precedence at the domain level. This guarantees that if anyone does link other GPOs to the domain level, this one always wins.

School of Thought #2
-----------------------------
Leave the defaults in the "Default Domain Policy" GPO. Never modify the "Default Domain Policy" GPO, ever. Create a new GPO for any special settings you want to override in the "Default Domain Policy" GPO. Then, link the GPO to the domain level, and ensure that it has higher precedence than the "Default Domain Policy" GPO.
Various Microsoft insiders have given me different (sometimes conflicting) advice about which to use. So what do I think?
If you want to modify any special domain-wide security settings, use School of Thought #1. This is the simplest and cleanest way. If you do it this way, you'll always treat the "Default Domain Policy" GPO with kid gloves and know it has a special use. And you can check in on it from time to time to make sure no one has lowered the precedence on it. Additionally, some applications, such as the older Microsoft SMS, will specifically modify the Default Domain Policy GPO. Hence, if you want that application to run smoothly, it's best to let it do what it wants to do.
School of Thought #2 has its merits. Leave the "Default Domain Policy" GPO clean as a whistle, and then create your own GPOs with higher precedence settings. However, I don't think this is a great idea, because you might forget that you set something important inside this new GPO.
Either way works, but my preference is for School of Thought #1.
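If you follow School of Thought #1, the periodic check that no one has lowered the precedence of the "Default Domain Policy" GPO can be scripted. The following is an added example, not part of the original post; the function name Test-DefaultDomainPolicyPrecedence is made up for illustration, and it assumes the GroupPolicy and ActiveDirectory RSAT modules are installed.

```powershell
# Added example: audit the link precedence of the Default Domain Policy
# at the domain root. Read-only; changes nothing in the domain.
Import-Module GroupPolicy, ActiveDirectory

# Well-known GUID of the Default Domain Policy (unchanged even if the GPO is renamed).
$ddpId = [guid]'31B2F340-016D-11D2-945F-00C04FB984F9'

function Test-DefaultDomainPolicyPrecedence {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName
    # GpoLinks holds only the GPOs linked directly to this container.
    $som   = Get-GPInheritance -Target $domainDn -Domain $Domain
    $links = @($som.GpoLinks | Sort-Object Order)
    $ddp   = $links | Where-Object { $_.GpoId -eq $ddpId }

    $findings = @()
    if (-not $ddp) {
        $findings += 'Default Domain Policy is not linked at the domain level.'
    } else {
        if (-not $ddp.Enabled) {
            $findings += 'Default Domain Policy link is disabled.'
        }
        # Link order 1 is the highest precedence among links on the same container.
        if ($ddp.Order -ne 1) {
            $above = ($links | Where-Object { $_.Order -lt $ddp.Order }).DisplayName -join ', '
            $findings += "Link order is $($ddp.Order), not 1. Linked above it: $above"
        }
        # An enforced link beats a non-enforced one regardless of link order.
        if (-not $ddp.Enforced) {
            $enforced = @($links | Where-Object { $_.Enforced -and $_.GpoId -ne $ddpId })
            if ($enforced.Count -gt 0) {
                $findings += "Enforced domain-level links override it: $($enforced.DisplayName -join ', ')"
            }
        }
    }

    [pscustomobject]@{
        Domain    = $Domain
        LinkOrder = $ddp.Order
        Enforced  = $ddp.Enforced
        Healthy   = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-DefaultDomainPolicyPrecedence | Format-List
```

The check covers only links on the domain object itself; GPOs linked to sites or OUs are outside its scope.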