From everything I've read, configuring separate policies is the right thing to do - but don't disable your default domain policies. I think there are some settings that must be defined in the default policies, such as renaming the administrator account. (I think that's accurate - somebody correct me if I'm wrong)

Robbie Foust, IT Analyst
Systems and Core Services
Duke University




Wilkinson, Stephen wrote:

Hi All,


When we were designing our Win 2003 AD about this time last year, we were advised by our MCS consultant to copy the default domain and default domain controller policies, and then customise, rather than customising the default ones themselves. Subsequently, now we are in production, we have had a small DNS zone transfer problem which we escalated to Microsoft and the response from the engineer included a change to the "Manage auditing and security log" policy on the DCs. No problem. But he then went on to say:

"Looking at the policy setup it could be either as I notice that the default domain controller policy is disabled and replaced with a home grown one. (As an aside that's definitely not best practice - the two default policies have well-known GUIDs and some security mechanisms rely on writing effective settings to those policies.)"

I was wondering if anyone had any comments on that - as I thought we were doing the right thing - but I can't find any documentation to back up why we were doing it...

Regards


*Stephen Wilkinson*


Tel       +44(0)207 4759276
Mobile  +44(0)7973 143970
E-Mail: [EMAIL PROTECTED]



List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
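
The check discussed in this thread, as an added example that is not part of the original messages: it looks up the two default GPOs by their well-known GUIDs and reports whether each is enabled and still linked at its default location. It assumes the GroupPolicy and ActiveDirectory RSAT PowerShell modules are installed and that the account can read GPOs in the current domain.

```powershell
# Added example (not from the thread). Requires the GroupPolicy and
# ActiveDirectory RSAT modules; runs read-only against the current domain.
Import-Module GroupPolicy, ActiveDirectory

$domain = Get-ADDomain

# Well-known GUIDs, identical in every AD domain. Target is the container
# each default GPO is linked to out of the box.
$defaults = @(
    @{ Name   = 'Default Domain Policy'
       Guid   = '31B2F340-016D-11D2-945F-00C04FB984F9'
       Target = $domain.DistinguishedName },
    @{ Name   = 'Default Domain Controllers Policy'
       Guid   = '6AC1786C-016D-11D2-945F-00C04FB984F9'
       Target = $domain.DomainControllersContainer }
)

foreach ($d in $defaults) {
    # Look up by GUID, not display name: the GPO may have been renamed.
    $gpo = Get-GPO -Guid $d.Guid -Domain $domain.DNSRoot -ErrorAction SilentlyContinue
    if (-not $gpo) {
        Write-Warning "$($d.Name) {$($d.Guid)} not found in $($domain.DNSRoot)"
        continue
    }

    # Find the link for this GPO on its default container, if one exists.
    $link = (Get-GPInheritance -Target $d.Target -Domain $domain.DNSRoot).GpoLinks |
        Where-Object { $_.GpoId -eq $gpo.Id }

    [pscustomobject]@{
        ExpectedName = $d.Name
        DisplayName  = $gpo.DisplayName
        GpoStatus    = $gpo.GpoStatus      # AllSettingsEnabled is the healthy value
        Linked       = [bool]$link
        LinkEnabled  = if ($link) { $link.Enabled } else { $false }
        LinkOrder    = if ($link) { $link.Order } else { $null }
    }
}
```

A `GpoStatus` other than `AllSettingsEnabled`, or `Linked`/`LinkEnabled` reporting `False`, corresponds to the "default policy is disabled and replaced" condition the Microsoft engineer pointed out.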
