I’ve been doing work lately with Group Policy objects and decided I’d write a post about this in particular.
There are two important GPOs for every domain – the Default Domain Group Policy and the Default Domain Controllers Group Policy.
These are by far the two most important GPOs for any domain. They control all of the defaults of the domain and the domain controllers and as such they can either make life blissful or turn things into an unmitigated disaster quickly.
The best approach to take with deciding whether or not a setting should be placed in either of these is to look at three things.
First – Is the setting one you want to apply to all machines and/or users in the domain, or to all domain controllers, no matter what? After all, these are the defaults. One such setting that is commonly looked at is a logon banner. If there is only one such banner that will be displayed for everything, the Default Domain GPO would be an ideal place for it.
Second – Is this a setting that actually applies to all machines? This matters more than it sounds. There is absolutely no point in putting a setting that affects Windows 7 and higher in the Default Domain GPO if there are Windows XP machines on the domain. By doing so you force machines that can’t use the setting, or worse, don’t even understand it, to waste time processing it.
Third – Is the setting one you have no intention of turning off for particular machines? Remember one thing about the Default Domain GPO – it is always at the top in order of precedence. Any setting made in it will always trump a competing setting and there is no way to change that. You really would not want to put a setting like “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” in the Default Domain GPO (I can say without a doubt that that one in particular will cause untold grief in the Default Domain GPO).
The best practice for dealing with these two objects is to leave them as close to the ‘factory’ settings as possible. It is always a good idea to work with the settings you want that have the potential to be problematic in a separate GPO. That way, if the worst-case scenario does come up, you can move affected machines or users to a recovery OU.
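As an added example (not code from the original post), here is a PowerShell audit that applies the first two checks above: it searches the settings reports of the two default GPOs for the FIPS setting the post warns about, and lists the operating-system mix of the domain so you can see whether a setting would even apply everywhere. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed, that you have read access to the GPOs, and that the GPOs still carry their out-of-the-box names.

```powershell
# Added example, not part of the original post. Assumes RSAT GroupPolicy and
# ActiveDirectory modules and the default GPO names.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Display names of settings the post singles out as dangerous in the defaults.
$riskySettings = @(
    'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'
)

function Get-DefaultGpoFindings {
    param(
        [string[]]$GpoNames = @('Default Domain Policy', 'Default Domain Controllers Policy')
    )
    foreach ($name in $GpoNames) {
        # Get-GPOReport returns the whole settings report as an XML string;
        # matching on the display name avoids dealing with the XML namespaces.
        $xml = Get-GPOReport -Name $name -ReportType Xml
        foreach ($setting in $riskySettings) {
            [pscustomobject]@{
                Gpo     = $name
                Setting = $setting
                Present = [bool]($xml -match [regex]::Escape($setting))
            }
        }
    }
}

function Get-DomainOsMix {
    # Second check in the post: which OS versions actually exist in the domain?
    # Anything legacy (e.g. Windows XP) is flagged so you can spot settings
    # that would be pushed to machines that cannot use them.
    Get-ADComputer -Filter 'Enabled -eq $true' -Properties OperatingSystem |
        Group-Object -Property OperatingSystem |
        Sort-Object -Property Count -Descending |
        Select-Object @{ n = 'OperatingSystem'; e = { $_.Name } },
                      Count,
                      @{ n = 'Legacy'; e = { $_.Name -like '*XP*' -or $_.Name -like '*2003*' } }
}

Get-DefaultGpoFindings | Format-Table -AutoSize
Get-DomainOsMix        | Format-Table -AutoSize
```

A `Present = True` row for the FIPS setting in either default GPO is exactly the situation the post describes; the fix is to move that setting into its own GPO linked to the OUs that need it.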