Default Security Through GPOs

The domain controllers are the key to ensuring your Active Directory is safe and secure. However, many aspects of your domain controllers may go unnoticed unless you are 100% aware of what is happening behind the scenes. An important consideration is the point at which domain controllers receive many of their default security settings. You will recall that two default GPOs help configure the environment: the Default Domain Policy, targeted to the entire domain, and the Default Domain Controller Policy, targeted to the domain controllers. Finally, if you are upgrading from Windows NT to Windows 2000 or Server 2003, you will need to be aware of how security on upgraded servers differs from security on freshly installed ones.

Default Domain Policy

The GPO linked to the domain primarily configures the Account Policies for domain users: the Password Policy, Account Lockout Policy, and Kerberos Policy. Figure 13-4 shows the Account Policies in the Default Domain Policy.

Figure 13-4. Account Policies in the Default Domain Policy
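
The Password Policy and Account Lockout Policy settings described above are stored in the GPO's security template (GptTmpl.inf) under [System Access], and the Kerberos Policy settings under [Kerberos Policy]. The following added example, which is not from the book, parses such a template and flags settings that fall short of a baseline; the sample template, the thresholds in BASELINE and the function names are assumptions made for illustration.

```python
import configparser

# Constructed sample of a GPO security template (GptTmpl.inf); the values are
# illustrative only and are not the defaults listed in the book's Table 13-2.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 1
LockoutBadCount = 0
ClearTextPassword = 0
NewAdministratorName = "constructed-admin"
[Kerberos Policy]
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
"""

# Assumed audit baseline (hypothetical thresholds, replace with your own policy).
BASELINE = [  # (section, key, acceptable?, expectation shown in the finding)
    ("System Access", "MinimumPasswordLength", lambda v: v >= 8, ">= 8"),
    ("System Access", "PasswordComplexity", lambda v: v == 1, "1 (enabled)"),
    ("System Access", "PasswordHistorySize", lambda v: v >= 12, ">= 12"),
    ("System Access", "LockoutBadCount", lambda v: 1 <= v <= 10, "1 to 10"),
    ("System Access", "ClearTextPassword", lambda v: v == 0, "0 (disabled)"),
    ("Kerberos Policy", "MaxClockSkew", lambda v: v <= 5, "<= 5 minutes"),
    ("Kerberos Policy", "TicketValidateClient", lambda v: v == 1, "1 (enabled)"),
]

def parse_account_policies(inf_text):
    """Return the numeric Account Policies settings, keyed by template section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep the template's key casing
    cp.read_string(inf_text)
    return {s: {k: int(v) for k, v in cp[s].items() if v.strip().lstrip("-").isdigit()}
            for s in ("System Access", "Kerberos Policy") if cp.has_section(s)}

def audit(policies):
    """List (section, key, value, expectation) for every setting off baseline."""
    findings = []
    for section, key, acceptable, expectation in BASELINE:
        value = policies.get(section, {}).get(key)  # None: not defined in this GPO
        if value is None or not acceptable(value):
            findings.append((section, key, value, expectation))
    return findings

if __name__ == "__main__":
    # A file read from disk is normally UTF-16: open(path, encoding="utf-16").read()
    for finding in audit(parse_account_policies(SAMPLE_INF)):
        print(finding)
```

A value of None in a finding means the setting is not defined in that template, so it is not being set by this GPO.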

The Default Domain Policy controls more than just the Account Policies. Table 13-2 lists the default settings in the Default Domain Policy.

Table 13-2. Default Domain Policy default configurations and values

Computer configuration | Policy setting | Value
Password Policy | Enforce password history ...
