How do you manage the Server 2019 Domain Controller baseline?


I'm interested in implementing the Server 2019 security baselines.

How do you manage the Server 2019 Domain Controller baseline? The Local Policies/User Rights Assignment and Local Policies/Security Options are very different from the DDCP (Default Domain Controller Policy).

Do you merge it with the DDCP? Or do you add the baseline GPO to the Domain Controllers OU with a higher link order?

What's the best practice here?

1 Reply

@Daniel Niccoli please don't merge it with the DDCP. Link it to your DCs higher in the stack but PLEASE TEST before doing this as there are uniquenesses within every environment that you might need to account for.
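
The approach in the reply above, sketched as an added PowerShell example that is not part of the original thread: link the baseline as a separate GPO on the Domain Controllers OU at link order 1 (the lowest order number is processed last and wins conflicts), leave the DDCP untouched, and stage the link disabled until testing is done. The baseline GPO name and the DC name `DC01` are assumptions; run this in a test domain first.

```powershell
# Added example, not from the thread. Requires the RSAT GroupPolicy and
# ActiveDirectory modules and rights to link GPOs on the Domain Controllers OU.
Import-Module GroupPolicy, ActiveDirectory

$BaselineGpo = 'Baseline - Server 2019 Domain Controller'   # hypothetical: name of your imported baseline GPO
$Ddcp        = 'Default Domain Controllers Policy'
$TestDc      = 'DC01'                                       # hypothetical DC used for verification
$DcOu        = (Get-ADDomain).DomainControllersContainer    # DN of the Domain Controllers OU

# 1. Record the current link order on the OU so the change can be reverted.
Get-GPInheritance -Target $DcOu |
    Select-Object -ExpandProperty GpoLinks |
    Format-Table Order, DisplayName, Enabled, Enforced

# 2. Export both GPOs to compare User Rights Assignment and Security Options
#    side by side before anything is linked.
Get-GPOReport -Name $Ddcp        -ReportType Html -Path "$PWD\ddcp.html"
Get-GPOReport -Name $BaselineGpo -ReportType Html -Path "$PWD\baseline.html"

# 3. Create the link at order 1 but disabled, so nothing applies yet.
#    The DDCP link moves down to order 2 and is not modified.
New-GPLink -Name $BaselineGpo -Target $DcOu -Order 1 -LinkEnabled No

# 4. After testing and review, enable the link.
Set-GPLink -Name $BaselineGpo -Target $DcOu -LinkEnabled Yes

# 5. Verify precedence and the resulting settings on a DC.
Get-GPInheritance -Target $DcOu |
    Select-Object -ExpandProperty InheritedGpoLinks |
    Format-Table Order, DisplayName, Enabled, Enforced
Get-GPResultantSetOfPolicy -Computer $TestDc -ReportType Html -Path "$PWD\$TestDc-rsop.html"
```

Rolling back is `Set-GPLink -Name $BaselineGpo -Target $DcOu -LinkEnabled No`, which leaves the DDCP as the winning policy again.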