Just don’t do it!

Well, I am back from the Easter break and here is my first post-Easter post! I have been on quite a few customer sites recently where either the Default Domain Controllers Group Policy has been disabled or, in addition, the customer has moved the domain controllers out of the default Organisational Unit.

Neither of the above is recommended best practice. The reasons are as follows:

Disabling the Default Domain Controllers Group Policy Object.

It is not recommended to stop this Group Policy from being applied to the domain controllers across your estate. The GUIDs for the Default Domain Controllers Policy and the Default Domain Policy are hard-coded:

Domain GPO GUID {31B2F340-016D-11D2-945F-00C04FB984F9}

DC GPO GUID {6AC1786C-016F-11D2-945F-00C04FB984F9}

This means that third-party applications often expect these Group Policy objects to exist and look for them by GUID. It is also expected that the privileges and user rights assigned to domain controllers are completely consistent across the domain, and that consistency is guaranteed only when every domain controller has the Default Domain Controllers Policy applied to it. If you modify this in any way, unexpected results can occur, such as losing the right to log on locally to your domain controllers or to access them from the network.

If you must use a different Group Policy for your domain controllers, simply adjust the order in which the policies are processed: leave the Default Domain Controllers Policy linked at a lower priority and link your customised domain controller policy at a higher priority, so your settings win where the two overlap while the default policy still applies.

Moving the Domain Controllers out of the default Domain Controllers OU.

This is definitely not best practice; it is neither recommended nor supported. Please see the extract below.

"Moving Administrative Workstation Accounts into the Admin Workstations OU

Move the computer accounts for workstations used by administrators into the Admin Workstations OU in your controlled subtree.

IMPORTANT: Do not move any domain controller accounts out of the default Domain Controllers OU, even if some administrators log on to them to perform administrative tasks. Moving these accounts will disrupt the consistent application of domain controller policies to all domains, and is not supported."

Pasted from <http://www.microsoft.com/technet/security/guidance/networksecurity/sec_ad_admin_groups.mspx>
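As an added check (not part of the original post or of the Microsoft guidance quoted above), the following PowerShell script audits both points discussed: that the two well-known GPOs exist and have all settings enabled, that the Default Domain Controllers Policy is still linked (and the link enabled) on the Domain Controllers OU, and that every domain controller's computer object still lives in that OU. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed and that the caller can read GPOs and AD.

```powershell
# Added example, not from the original post: audit the default DC policy and DC OU placement.
# Assumption: RSAT GroupPolicy and ActiveDirectory modules are available on this machine.
Import-Module GroupPolicy, ActiveDirectory

$domain   = Get-ADDomain
$dcOu     = $domain.DomainControllersContainer           # default "OU=Domain Controllers,DC=..."
$dcGpoId  = [guid]'6AC1786C-016F-11D2-945F-00C04FB984F9' # Default Domain Controllers Policy
$domGpoId = [guid]'31B2F340-016D-11D2-945F-00C04FB984F9' # Default Domain Policy

$findings = @()

# 1. Both well-known GPOs must exist and must not have their settings disabled.
foreach ($id in $dcGpoId, $domGpoId) {
    $gpo = Get-GPO -Guid $id -Domain $domain.DNSRoot -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $findings += "GPO {$id} is missing from $($domain.DNSRoot)"
    } elseif ($gpo.GpoStatus -ne 'AllSettingsEnabled') {
        $findings += "'$($gpo.DisplayName)' has status $($gpo.GpoStatus)"
    }
}

# 2. The Default Domain Controllers Policy must still be linked, with the link enabled, on the DC OU.
$links  = (Get-GPInheritance -Target $dcOu).GpoLinks
$dcLink = $links | Where-Object { $_.GpoId -eq $dcGpoId }
if (-not $dcLink) {
    $findings += "Default Domain Controllers Policy is not linked to $dcOu"
} elseif (-not $dcLink.Enabled) {
    $findings += "Default Domain Controllers Policy link on $dcOu is disabled"
}

# Show the link order so a customised DC policy can be checked: link order 1 has the
# highest precedence, so the default policy should sit below any custom DC policy.
$links | Sort-Object Order | ForEach-Object {
    Write-Output ("Link order {0}: {1} (Enabled={2}, Enforced={3})" -f $_.Order, $_.DisplayName, $_.Enabled, $_.Enforced)
}

# 3. Every domain controller's computer object must remain directly under the default DC OU.
foreach ($dc in Get-ADDomainController -Filter *) {
    if ($dc.ComputerObjectDN -notlike "CN=*,$dcOu") {
        $findings += "$($dc.HostName) is outside the Domain Controllers OU: $($dc.ComputerObjectDN)"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'OK: default DC policy intact and all domain controllers are in the default OU' }
```

Run it from a management host with domain read rights; any warning it prints corresponds to one of the two misconfigurations the post describes.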

So... don’t do it!
