8.1. The Two Default Group Policy Objects

Whenever you create a new domain, three things automatically happen:

  • The initial (and only) OU, named Domain Controllers, is created automatically by the DCPROMO process.

  • A default GPO is created and linked to the domain level, called "Default Domain Policy."

  • A default GPO is created for the Domain Controllers OU, called "Default Domain Controllers Policy."

This section helps answer the question, Why are these GPOs different from all other GPOs?

These two GPOs are special. First, you cannot easily delete them (though you can rename them). Next, it's a best practice to modify these GPOs only for the security settings that we'll describe in this section. Too often, people will modify the "Default Domain ...

Get Group Policy: Fundamentals, Security, and Troubleshooting now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.