8.1. The Two Default Group Policy Objects

Whenever you create a new domain, three things automatically happen:

  • The initial (and only) OU, named Domain Controllers, is created automatically by the DCPROMO process.

  • A default GPO is created and linked to the domain level, called "Default Domain Policy."

  • A default GPO is created for the Domain Controllers OU, called "Default Domain Controllers Policy."

This section helps answer the question, Why are these GPOs different from all other GPOs?

These two GPOs are special. First, you cannot easily delete them (though you can rename them). Next, it's a best practice to modify these GPOs only for the security settings that we'll describe in this section. Too often, people will modify the "Default Domain ...
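Because the two default GPOs can be renamed, an audit should locate them by GUID rather than by display name. The following is an added example, not code from the book: it assumes the GroupPolicy PowerShell module (GPMC/RSAT) on a domain-joined machine and uses the well-known GUIDs Windows assigns to these two GPOs. Treating every extension other than "Security" as something to review is an assumption of this example, since the excerpt is cut off before it lists the settings.

```powershell
# Added example: inventory the two default GPOs and list configured
# extensions outside the Security area so they can be reviewed.
Import-Module GroupPolicy

# Well-known GUIDs; they stay the same even if the GPOs are renamed.
$defaultGpos = [ordered]@{
    'Default Domain Policy'             = '31B2F340-016D-11D2-945F-00C04FB984F9'
    'Default Domain Controllers Policy' = '6AC1786C-016D-11D2-945F-00C04FB984F9'
}

$results = foreach ($entry in $defaultGpos.GetEnumerator()) {
    $gpo = Get-GPO -Guid $entry.Value -ErrorAction Stop
    [xml]$report = Get-GPOReport -Guid $entry.Value -ReportType Xml

    # Each configured extension appears in the XML report as an
    # ExtensionData node with a Name child (for example "Security").
    # local-name() is used so the report's XML namespaces do not matter.
    $extensions = foreach ($side in 'Computer', 'User') {
        $xpath = "/*[local-name()='GPO']/*[local-name()='$side']" +
                 "/*[local-name()='ExtensionData']/*[local-name()='Name']"
        foreach ($node in $report.SelectNodes($xpath)) {
            "$side/$($node.InnerText)"
        }
    }

    [pscustomobject]@{
        ExpectedName     = $entry.Key
        CurrentName      = $gpo.DisplayName
        Renamed          = $gpo.DisplayName -ne $entry.Key
        LastModified     = $gpo.ModificationTime
        # Assumption of this example: anything outside Security gets a second look.
        ReviewExtensions = ($extensions |
            Where-Object { $_ -notmatch '/Security$' }) -join ', '
    }
}

$results | Format-List
```

A non-empty `ReviewExtensions` value is a prompt to look at that area in the GPO report, not proof of a misconfiguration.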
