I have no problem modifying those policies and wouldn't go through the additional overhead to populate two others to take their place, if you screw the replacements you are in a fairly similar position anyway. Plus those are the two least populated policies in any domain I ever control. You shouldn't be doing a ton of stuff in them. Honestly the stuff in the domain policy probably shouldn't be a group policy unless MS changed the attribs in AD to be non-replicating. Pretty silly to replicate something through AD and FRS. As for the domain controller policy, again you shouldn't be dorking around a lot in there.
If you are truly afraid of policies biting you, spin up an empty root and don't play with the policies AT ALL in that root. Finally, the last time I looked at a Microsoft Certification test was probably 7 years ago. After I took a class I would be able to ace one of those tests, but then when you work in the real world with the stuff for a while you get to a point where you can't even pass the exam (except net ess). Then you start to realize that the courseware and a good deal of the documentation is primarily propaganda. As I have said time and again, someone doesn't get good becoming an MCSE, they were either good before that or not. joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer Sent: Sunday, November 07, 2004 8:07 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] How to Enable a Warning Message During Windows Logon Welcome The same thing is in the Windows 2003 Deployment Kit: http://tinyurl.com/6qlkh Establishing Group Policy Operational Guidelines <quote> Do not modify the default domain policy or default domain controller policy unless necessary. Instead, create a new GPO at the domain level and set it to override the default settings in the default policies. </quote> Whether or not it's worth following is another issue that I'd rather not buy into :-) however there was a question in the 294 exam that asked about this, so the official MCP way is as written Cheers Ken : -----Original Message----- : From: [EMAIL PROTECTED] [mailto:ActiveDir- : [EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan : Sent: Monday, 8 November 2004 3:44 AM : To: [EMAIL PROTECTED] : Subject: RE: [ActiveDir] How to Enable a Warning Message During Windows : Logon Welcome : : Hmm....That is the recommended best practice for modifying the default : Software Restriction Policy. : : : : -----Original Message----- : From: [EMAIL PROTECTED] : [mailto:[EMAIL PROTECTED] On Behalf Of ASB : Sent: Sunday, November 07, 2004 11:31 AM : To: [EMAIL PROTECTED] : Subject: Re: [ActiveDir] How to Enable a Warning Message During Windows : Logon Welcome : : Recommended Best Practices from Microsoft: : : http://www.microsoft.com/resources/documentation/windowsserv/2003/standard : /p : roddocs/en-us/srp_bp.asp : : ------ : Do not modify the default domain policy. : : If you do not edit the default domain policy policy, you always have : the option of reapplying the default domain policy if something goes : wrong with your customized domain policy. : ----- : : : : -ASB List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
