Forum Discussion

wbaumgardt's avatar
wbaumgardt
Copper Contributor
Jan 18, 2024

Question Regarding Server 2022 Domain & Controller MSCT baselines

I have a basic 'Newbie' question regarding the MSCT baselines.   I see the GPO for 'MSFT Windows Server 2022 - Domain Controller' and also 'MSFT Windows Server 2022 - Member Server'.  I just want to ...
security baseline
katPedraza's avatar
katPedraza
Icon for Microsoft rankMicrosoft
May 23, 2024
No they do not replace the default domain controller policy. They are an enhancement to them. Take a look at the implementing security baselines on the premier/unified side of the hours. none of the settings should overlap the default domain controller policy, but you can verify that by utilizing the policy analyzer too.
AaronMargosis_Tanium's avatar
AaronMargosis_Tanium
Iron Contributor
May 24, 2024

katPedraza-- I think you're mistaken about that. The SCT's baselines for DCs have many settings that intentionally override the "Default Domain Controllers Policy" that ships in Windows and that is created automatically on DCs. Just as a couple of examples, the baselines' SeBackupPrivilege and SeRestorePrivilege user rights assignments intentionally override the default and grant the privilege only to Administrators.
(Also, you accidentally marked criiser's question as the "Microsoft Verified Best Answer."))

Resources