Forum Discussion
RyanD79
Aug 09, 2022 | Copper Contributor
Default Domain Controller Policy settings changed?
If anyone can provide some insight into how to address this potential group policy situation, I would really appreciate it. I was using Policy Analyzer to compare the Default Domain Controller Policy...
Alban1999
Aug 10, 2022 | Iron Contributor
Hello,
If you migrated from 2000 to 2022 over the years, you can expect two things:
1) Default Domain Controllers Policy (and Default Domain Policy) are slightly different between those OS - Microsoft hardened and updated those policies over time.
2) It is very likely someone has tampered with those policies, directly modifying them instead of pushing those changes to a separate policy. You may also inherit settings applied by legacy configuration on domain controllers (for example, IIS_USRS rights may indicate someone installed IIS role on domain controllers in the past). Please note some changes may be justified, like permissions added for on-premises Exchange infrastructure.
If possible, current DDCP should match a DDCP extracted from a brand new 2022 domain lab, and I strongly recommend fixing the first one before implementing security baseline. Of course you must analyze and test such changes before implementing them.
Once done, you can start testing and implementing Security Baseline policy settings. Of course, be sure to apply through a separate GPO.
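To make the comparison suggested in the reply above repeatable, the following PowerShell (an added example, not part of the original posts) diffs the `[Privilege Rights]` section of two `GptTmpl.inf` security templates, one from the production DDCP and one from a fresh lab domain. The function names and both sample templates are constructed for illustration.

```powershell
# Parse the [Privilege Rights] section of a GptTmpl.inf into a hashtable: right -> principals.
function Get-PrivilegeRights {
    param([string[]]$InfLines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $t -match '^(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]; $value = $Matches[2]
            # Entries are comma-separated; SIDs carry a leading '*'.
            $rights[$name] = @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    $rights
}

# Report every user right whose principals differ between the lab reference and the current policy.
function Compare-PrivilegeRights {
    param([hashtable]$Reference, [hashtable]$Current)
    foreach ($right in (@($Reference.Keys) + @($Current.Keys) | Sort-Object -Unique)) {
        $ref = @(if ($Reference.ContainsKey($right)) { $Reference[$right] })
        $cur = @(if ($Current.ContainsKey($right)) { $Current[$right] })
        $added   = @($cur | Where-Object { $_ -notin $ref })
        $removed = @($ref | Where-Object { $_ -notin $cur })
        if ($added.Count -or $removed.Count) {
            [pscustomobject]@{ Right = $right; OnlyInCurrent = $added -join ','; OnlyInReference = $removed -join ',' }
        }
    }
}

# Constructed sample: template as it might look in a fresh lab domain.
$lab = @'
[Privilege Rights]
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
[Version]
signature="$CHICAGO$"
'@ -split '\r?\n'

# Constructed sample: production template with S-1-5-32-568 (BUILTIN\IIS_IUSRS) left behind.
$prod = @'
[Privilege Rights]
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559,*S-1-5-32-568
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6,*S-1-5-32-568
'@ -split '\r?\n'

Compare-PrivilegeRights -Reference (Get-PrivilegeRights $lab) -Current (Get-PrivilegeRights $prod) | Format-Table -AutoSize
```

For real policies, pass `Get-Content` of the `GptTmpl.inf` from each policy instead of the sample strings; each reported right is a candidate to review and test before changing the DDCP.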