Group Policy Basics: Default GPOs – Default Domain Policy

The Default Domain Policy is included for one primary reason, with some secondary reasons. The primary reason is to establish the Account Policies settings. These control how user account passwords are defined in Active Directory for domain accounts, and also in the local SAM of every computer that joins the domain. Secondary reasons for the existence of the Default Domain Policy include autoenrollment settings for PKI, control of Encrypting File System (EFS), establishment of a company-wide screen saver lockout policy, and more.

Account Policies in the Default Domain Policy

From a security standpoint, one of the most important aspects of protecting the network is ensuring that user accounts have complex and secure passwords. The definition of complex and secure might not be the same everywhere, but there must be some form of baseline security regarding passwords on the network. The Default Domain Policy is responsible for defining that for a new Active Directory installation.

The question of where you can set user account password restrictions for an Active Directory domain has caused some confusion. The short answer is that you establish password policies for domain user accounts in a GPO linked to the domain. By default, this is the Default Domain Policy. If you want a different set of password policies without editing the Default Domain Policy, create a new GPO, configure your settings, link the GPO to the domain node, and then ensure that this GPO has higher precedence than the Default Domain Policy. In the Group Policy Management Console, link order 1 is the highest precedence; a GPO linked higher in the list overrides one linked below it for any setting that both define.

Here are some other restrictions regarding password policies within a GPO to control domain user account password restrictions:

  • Account Policies in GPOs linked to organizational units do not affect the domain user accounts located in that organizational unit; they affect only the local SAM of the computers in it.

  • There is no way to configure a single GPO containing Account Policies settings to control multiple domains.
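The procedure above, as an added PowerShell example that is not part of the original article: it creates a hypothetical GPO named "Corp Password Policy", links it at the domain root above the Default Domain Policy, and verifies the link order, which is where the precedence described in the text is decided. It assumes the RSAT GroupPolicy and ActiveDirectory modules and Domain Admin rights. The Account Policies values themselves are still entered in the Group Policy Management Editor, because the GroupPolicy cmdlets cannot write security-template settings.

```powershell
# Added example, not from the original article: create a domain-linked GPO that
# overrides the Default Domain Policy's Account Policies and verify its precedence.
# Assumptions: RSAT GroupPolicy + ActiveDirectory modules, Domain Admin rights,
# and the GPO name below is hypothetical.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName  = 'Corp Password Policy'             # hypothetical
$domainDn = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example,DC=com

# 1. Create the GPO if it does not exist yet.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Account Policies override; must stay linked at the domain root'
}

# 2. Link it at the domain root. Account Policies are honoured only from
#    domain-linked GPOs, so the target must be the domain DN, not an OU.
#    -Order 1 is the top of the link list, i.e. highest precedence, so this
#    GPO wins over the Default Domain Policy for every setting both define.
$linked = (Get-GPInheritance -Target $domainDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes -Order 1 | Out-Null
} else {
    Set-GPLink -Name $gpoName -Target $domainDn -Order 1 | Out-Null
}

# 3. Verify: the override must show a lower Order number than the Default
#    Domain Policy. The Account Policies values (Table 1) are set in the
#    Group Policy Management Editor under Computer Configuration\Windows
#    Settings\Security Settings\Account Policies; they are security-template
#    settings, not registry policy, so Set-GPRegistryValue cannot write them.
$links = (Get-GPInheritance -Target $domainDn).GpoLinks
$links | Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize

$override = $links | Where-Object { $_.DisplayName -eq $gpoName }
$default  = $links | Where-Object { $_.DisplayName -eq 'Default Domain Policy' }
if (-not $override -or $override.Order -ge $default.Order) {
    Write-Warning "'$gpoName' does not out-rank the Default Domain Policy; its Account Policies will not take effect."
}
```

Run it once from an elevated session on a management host; re-running is safe because it only creates the GPO and link when they are absent and otherwise just re-asserts the order.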

How It Works: Account Policies

The Account Policies within the GPOs that control domain user account passwords can be a bit confusing. However, when you understand how they work and the technology behind the settings, they will make much more sense. Some of the confusion involves where these Account Policies can be configured to control domain user account passwords. The answer is simple: in a GPO linked at the domain level only. The settings do not need to reside in the Default Domain Policy, but they must be in a GPO that is linked to the domain, and where several domain-linked GPOs define them, the one with the highest link precedence wins. (Windows Server 2008 and later also offer Fine-Grained Password Policies through Password Settings Objects; those are Active Directory objects rather than GPO settings and are outside the scope of this discussion.)

Another point of confusion results from the desire to configure the Account Policies within a GPO that is linked to an Organizational Unit, expecting these settings to affect the user accounts that reside in the Organizational Unit. This will not work! If you look at the location of the Account Policies within the GPO, you will see that they are not User Configuration settings. Rather, they are under Computer Configuration, so they are applied to computers, not to user accounts. For domain accounts the computers that matter are the domain controllers, and they take their Account Policies only from GPOs linked at the domain.

The user account does not control the password policy; the location where the user account is stored does. For domain accounts, that is Active Directory on the domain controllers. For local accounts on desktops and servers, it is the local SAM. Thus the Account Policies are computer settings: they apply to the computers on which user accounts and their passwords are stored.

A final point of confusion involves administrators of large or complex organizations attempting to have a single set of Account Policies control all of their domains and the user accounts in them. This is also not possible. The Account Policies, and Group Policy in general, are domain centric. (GPOs linked to sites can span domains, but the GPO is still stored in only one domain.) There is no technology built into Windows that allows you to configure a single set of Account Policies that will span multiple domains.

Account Policies are divided into three sections within a GPO: Password Policy, Account Lockout Policy, and Kerberos Policy. These are shown in Figure 1.

Figure 1. The Default Domain Policy is responsible for establishing the default Account Policies for the domain user accounts and all user accounts located on computers that join the domain.


Each of these sections provides options for controlling user account passwords, account lockout, and Kerberos ticket lifetimes. Table 1 lists all of the policy settings that can be configured within these three sections, with the values the Default Domain Policy sets by default.

Table 1. Default Domain Policy Default Account Policy Settings

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
    Policy setting                                            Default value
    Enforce password history                                  24 passwords remembered
    Maximum password age                                      42 days
    Minimum password age                                      1 day
    Minimum password length                                   7 characters
    Password must meet complexity requirements                Enabled
    Store passwords using reversible encryption               Disabled

Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy
    Policy setting                                            Default value
    Account lockout duration                                  Not defined
    Account lockout threshold                                 0 invalid logon attempts
    Reset account lockout counter after                       Not defined

Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy
    Policy setting                                            Default value
    Enforce user logon restrictions                           Enabled
    Maximum lifetime for service ticket                       600 minutes
    Maximum lifetime for user ticket                          10 hours
    Maximum lifetime for user ticket renewal                  7 days
    Maximum tolerance for computer clock synchronization      5 minutes
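As an added check that is not part of the original article, the following PowerShell reads the domain's effective Password Policy and Account Lockout Policy values, which the PDC emulator writes to the domain object from whichever domain-linked GPO wins, and compares them with the Table 1 defaults. Entries still at the default or weaker are marked for review. Kerberos Policy is not exposed by Get-ADDefaultDomainPasswordPolicy, so it is not checked here. The script assumes the RSAT ActiveDirectory module in a domain-joined session.

```powershell
# Added example, not from the original article: compare the live domain Account
# Policies with the Table 1 defaults. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$pol = Get-ADDefaultDomainPasswordPolicy

# One row per Table 1 setting the cmdlet exposes. 'Weak' is a predicate over the
# live value; it returns $true when the value is at the documented default or
# looser. Maximum password age is reported but not judged: expiry is a local
# decision, and 0 in the cmdlet output means passwords never expire.
$checks = @(
    @{ Name = 'Enforce password history';                    Actual = $pol.PasswordHistoryCount
       Default = '24 passwords';  Weak = { param($a) $a -lt 24 } }
    @{ Name = 'Maximum password age';                        Actual = $pol.MaxPasswordAge
       Default = '42 days';       Weak = { param($a) $false } }
    @{ Name = 'Minimum password age';                        Actual = $pol.MinPasswordAge
       Default = '1 day';         Weak = { param($a) $a -eq [TimeSpan]::Zero } }   # 0 lets a user cycle straight back to an old password
    @{ Name = 'Minimum password length';                     Actual = $pol.MinPasswordLength
       Default = '7 characters';  Weak = { param($a) $a -le 7 } }
    @{ Name = 'Password must meet complexity requirements';  Actual = $pol.ComplexityEnabled
       Default = 'Enabled';       Weak = { param($a) -not $a } }
    @{ Name = 'Store passwords using reversible encryption'; Actual = $pol.ReversibleEncryptionEnabled
       Default = 'Disabled';      Weak = { param($a) [bool]$a } }                  # reversible = cleartext-equivalent
    @{ Name = 'Account lockout threshold';                   Actual = $pol.LockoutThreshold
       Default = '0 attempts';    Weak = { param($a) $a -eq 0 } }                  # 0 = online guessing is never throttled
    @{ Name = 'Account lockout duration';                    Actual = $pol.LockoutDuration
       Default = 'Not defined';   Weak = { param($a) $false } }
    @{ Name = 'Reset account lockout counter after';         Actual = $pol.LockoutObservationWindow
       Default = 'Not defined';   Weak = { param($a) $false } }
)

$report = foreach ($c in $checks) {
    $status = if (& $c.Weak $c.Actual) { 'REVIEW' } else { 'ok' }
    [pscustomobject]@{
        Setting          = $c.Name
        Actual           = $c.Actual
        'Table 1 default' = $c.Default
        Status           = $status
    }
}
$report | Format-Table -AutoSize

# Non-zero exit when anything needs review, so a scheduled job can alert on it.
if ($report | Where-Object Status -eq 'REVIEW') { exit 1 }
```

Because the cmdlet reads the attributes on the domain object rather than any one GPO, its output already reflects the precedence resolution described earlier: if an override GPO has taken effect, the values here will differ from Table 1 even though the Default Domain Policy itself is unchanged.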

Other Policy Settings in the Default Domain Policy

Still more default policies are set in the Default Domain Policy. The majority of the remaining settings are located within Computer Configuration\Windows Settings\Security Settings, as shown in Figure 2. These settings exist mainly to control the Public Key Infrastructure environment as a baseline.

Figure 2. The Default Domain Policy configures some important security settings for all computers that join the domain.


The User Configuration section contains a few other settings, which control some of the options for using Remote Installation Services (RIS). Table 2 provides a full list of all Default Domain Policy settings outside of the Account Policies.

Table 2. Default Domain Policy Default Configurations and Values

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
    Policy setting                                                                 Value
    Network access: Allow anonymous SID/Name translation                           Disabled
    Network security: Do not store LAN Manager hash value on next password change  Enabled
    Network security: Force logoff when logon hours expire                         Disabled

Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System
    Policy setting                                                                 Value
    <Certificates>                                                                 Administrator is configured for File Recovery

Default Domain Controllers Policy

The Default Domain Controllers Policy is extremely important for establishing the default security on domain controllers. Windows stand-alone and member servers are not secured as thoroughly as domain controllers by default, because they need more backward compatibility with the applications and services that might run on them. Domain controllers need to be secured more tightly, and the Default Domain Controllers Policy is responsible for making those configurations. Figure 3 shows some of the settings in the Default Domain Controllers Policy.

Figure 3. The Default Domain Controllers Policy creates the default security for all domain controllers that come into the domain.


Three main areas have settings within the Default Domain Controllers Policy. The first establishes the audit policies for the domain controllers. These settings ensure that the domain controllers log essential actions to the security event log. The second area is the user rights for the domain controllers. User rights establish which users can perform certain tasks on the computer. Because domain controllers need to be protected, the Default Domain Controllers Policy defines the user rights to create a security baseline. Finally, some policies control network communication. Most of these control whether data and communication will be digitally signed to protect the integrity of the communication; one controls the authentication protocols that the domain controllers will use.

Table 3 lists the user rights and security options that the Default Domain Controllers Policy establishes by default. User rights not listed are either not defined or defined but left empty.

Table 3. Default Domain Controllers Policy Default Configurations and Values

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
    Policy setting                                                     Value
    Access this computer from the network                              Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS, Everyone, Pre-Windows 2000 Compatible Access
    Add workstations to the domain                                     Authenticated Users
    Adjust memory quotas for a process                                 Administrators, LOCAL SERVICE, NETWORK SERVICE
    Allow logon locally                                                Account Operators, Administrators, Backup Operators, Print Operators, Server Operators
    Back up files and directories                                      Administrators, Backup Operators, Server Operators
    Bypass traverse checking                                           Pre-Windows 2000 Compatible Access, Authenticated Users, Administrators, NETWORK SERVICE, LOCAL SERVICE, Everyone
    Change the system time                                             Administrators, Server Operators, LOCAL SERVICE
    Create a pagefile                                                  Administrators
    Debug programs                                                     Administrators
    Enable computer and user accounts to be trusted for delegation     Administrators
    Force shutdown from a remote system                                Administrators, Server Operators
    Generate security audits                                           LOCAL SERVICE, NETWORK SERVICE
    Increase scheduling priority                                       Administrators
    Load and unload device drivers                                     Administrators, Print Operators
    Log on as a batch job                                              Performance Log Users, Backup Operators
    Manage auditing and security log                                   Administrators
    Modify firmware environment variables                              Administrators
    Profile single process                                             Administrators
    Profile system performance                                         Administrators
    Remove computer from docking station                               Administrators
    Replace a process level token                                      LOCAL SERVICE, NETWORK SERVICE
    Restore files and directories                                      Administrators, Backup Operators, Server Operators
    Shut down the system                                               Administrators, Backup Operators, Print Operators, Server Operators
    Take ownership of files or other objects                           Administrators

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
    Policy setting                                                                 Value
    Domain controller: LDAP server signing requirements                            None
    Domain member: Digitally encrypt or sign secure channel data (always)          Enabled
    Microsoft network server: Digitally sign communications (always)               Enabled
    Microsoft network server: Digitally sign communications (if client agrees)     Enabled
    Network security: LAN Manager authentication level                             Send NTLMv2 response only
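As an added audit example that is not part of the original article, the PowerShell below reads the Default Domain Controllers Policy's security template (GptTmpl.inf) straight from SYSVOL, resolves the SIDs stored in its [Privilege Rights] section to account names, and compares the result with Table 3. It reports which principals hold the broad logon rights, flagging Everyone, Pre-Windows 2000 Compatible Access and Authenticated Users where they appear, and checks the [Registry Values] behind the Table 3 security options, noting where the value is still the permissive default (LDAP signing "None", LM authentication level 3). It assumes a domain-joined session with read access to SYSVOL; the GUID used is the well-known GUID of the Default Domain Controllers Policy, and the registry paths are the ones the Security Options in Table 3 are stored under.

```powershell
# Added example, not from the original article: audit the Default Domain Controllers
# Policy by parsing its GptTmpl.inf from SYSVOL and comparing against Table 3.
# Assumes a domain-joined session with read access to SYSVOL.
$domain   = $env:USERDNSDOMAIN
$ddcpGuid = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'   # well-known GUID of the Default Domain Controllers Policy
$infPath  = "\\$domain\SYSVOL\$domain\Policies\$ddcpGuid\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

# Minimal INI reader: section -> (key -> value). Keys in [Registry Values] are full
# registry paths, so only the first '=' on a line separates key from value.
function Read-SecurityTemplate([string]$Path) {
    $sections = [ordered]@{}
    $current  = $null
    foreach ($raw in Get-Content -LiteralPath $Path) {      # file carries a UTF-16 BOM; Get-Content honours it
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $current = $Matches[1]; $sections[$current] = [ordered]@{}; continue }
        if ($current -and $line -match '^([^=]+?)\s*=\s*(.*)$') { $sections[$current][$Matches[1]] = $Matches[2] }
    }
    return $sections
}

# Templates store principals as "*<SID>"; translate to DOMAIN\Name where possible.
function Resolve-Principal([string]$Token) {
    $t = $Token.Trim()
    if ($t -notmatch '^\*(S-1-[\d-]+)$') { return $t }      # already a name
    try {
        $sid = [System.Security.Principal.SecurityIdentifier]$Matches[1]
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $Matches[1] }                           # unresolvable SID: report it raw
}

$tpl     = Read-SecurityTemplate $infPath
$privs   = if ($tpl.Contains('Privilege Rights')) { $tpl['Privilege Rights'] } else { [ordered]@{} }
$regVals = if ($tpl.Contains('Registry Values'))  { $tpl['Registry Values'] }  else { [ordered]@{} }

# Table 3 rights whose default grants are broad enough to deserve a second look on a DC.
$rights = [ordered]@{
    SeNetworkLogonRight         = 'Access this computer from the network'
    SeInteractiveLogonRight     = 'Allow logon locally'
    SeMachineAccountPrivilege   = 'Add workstations to the domain'
    SeEnableDelegationPrivilege = 'Enable computer and user accounts to be trusted for delegation'
    SeDebugPrivilege            = 'Debug programs'
    SeBackupPrivilege           = 'Back up files and directories'
    SeRestorePrivilege          = 'Restore files and directories'
}
# Principals a hardened DC baseline normally removes from logon rights.
$broad = @('Everyone', 'BUILTIN\Pre-Windows 2000 Compatible Access', 'NT AUTHORITY\Authenticated Users')

$rightsReport = foreach ($priv in $rights.Keys) {
    $value = $privs[$priv]
    $who   = if ($value) { @($value -split ',' | ForEach-Object { Resolve-Principal $_ }) } else { @() }
    [pscustomobject]@{
        Right     = $rights[$priv]
        GrantedTo = ($who -join '; ')
        Review    = (@($who | Where-Object { $broad -contains $_ }) -join '; ')
    }
}
$rightsReport | Format-Table -AutoSize

# Table 3 security options as stored in [Registry Values] ("<type>,<value>"; 4 = REG_DWORD).
# 'Want' is the hardened value; the comment gives the Table 3 default for comparison.
$options = @(
    @{ Key = 'MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity'
       Name = 'Domain controller: LDAP server signing requirements';                     Want = '4,2' }   # 1 = None (Table 3), 2 = Require signing
    @{ Key = 'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal'
       Name = 'Domain member: Digitally encrypt or sign secure channel data (always)';   Want = '4,1' }
    @{ Key = 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature'
       Name = 'Microsoft network server: Digitally sign communications (always)';        Want = '4,1' }
    @{ Key = 'MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel'
       Name = 'Network security: LAN Manager authentication level';                      Want = '4,5' }   # 3 = NTLMv2 only (Table 3), 5 = also refuse LM and NTLM
)
$optionReport = foreach ($o in $options) {
    $actual = $regVals[$o.Key]
    $review = if ($actual -ne $o.Want) { "expected $($o.Want)" } else { '' }
    [pscustomobject]@{ Option = $o.Name; Actual = $actual; Review = $review }
}
$optionReport | Format-Table -AutoSize
```

Reading the template from SYSVOL rather than running gpresult on a domain controller shows what the GPO itself grants, independent of any local override, which is the right view when the question is "what does the Default Domain Controllers Policy give away by default". Everyone in "Access this computer from the network" and the permissive LDAP signing and LM authentication settings are exactly the Table 3 defaults a hardening pass normally tightens first.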