Default Domain Controllers Policy

Muffin` · 29 Mar 2011 at 10:43

Hi guys,

I need some help settling my mind, I'm in a new company and just going through the GPO's and I want to reset the Default Domain and Default Domain Controllers Policy’s back to their default state as there's some odd stuff in there. All this stuff added to the Domain Policy, Is it really going to be doing anything other than allowing random stuff to access the DC's? Has this all appeared because the domain has been raised from 03 to 08 R2? I'll be making a few backups before I reinstate them too!

Cheers

paradigm · 29 Mar 2011 at 11:52

Ours (2008 R2 domain, 2008 R2 domain functional level etc) is even more complex than the above, and has never been amended manually.

I would imagine that there could be some access for various service accounts/system administration apps (do you run SCCM/SMS/similar?), although the IUSR account seems a bit of an oddity? Was the domain ever based off SBS?

Muffin` · 29 Mar 2011 at 16:17

Not SBS but everything was on one box at one time. There's no SMS/SCCM now, not sure on what modifications if any have been made to the schema if at all yet.

I've found a QB about it and it looks to extend from incompatability from older versions of MS OS's. But with a full 08 R2 domain and W7 and Vista clients its should be good in the hood. But I'll leave it till I'm feeling adventerous.

Cheers

edscdk · 29 Mar 2011 at 16:24

be very very careful when you do this, make sure you can restore to the original settings incase some parts have been tweaked to make somethign work or resolve an issue...

personally I would work on fixing the issues (unless its all broken) i'd be too scared to reset everything.. i know our system would be trashed if you did that...

Muffin` · 29 Mar 2011 at 16:30

Aye you can make a full backup of all the GPO's and they can be reinstated easily. I just wondered if someone had seem something similar and just reset it all, but I'm not that much of a maverick so I'll leave it till I know the systems better.

Although every time someone edited the Default Policy’s the standard response is to just dcgpofix. Looking at that config if it wiped the ability for desktops to authenticate with the DC I think it'd come up shortly afterwards.

Baz · 30 Mar 2011 at 06:51

I would never alter the default policies.

Create a second one and alter that, saves a few headaches in the future.

K.C. Leblanc · 30 Mar 2011 at 11:05

paradigm said:
, although the IUSR account seems a bit of an oddity?

I think they're Sophos service accounts. Generally it creates a local account, but when installed on a DC it makes a domain one.

paradigm · 30 Mar 2011 at 11:21

K.C. Leblanc said:
I think they're Sophos service accounts. Generally it creates a local account, but when installed on a DC it makes a domain one.

Nah IUSR is an access account for IIS. Hence why I thought it odd to be part of a DC policy, and asked if it were ever SBS based (ie IIS on a DC).

Obviously Sophos (if installed) would have to create a domain account, there is no such thing as a "local" account on a DC, but it won't be an IUSR account.

K.C. Leblanc · 31 Mar 2011 at 14:01

paradigm said:
Nah IUSR is an access account for IIS. Hence why I thought it odd to be part of a DC policy, and asked if it were ever SBS based (ie IIS on a DC).

Obviously Sophos (if installed) would have to create a domain account, there is no such thing as a "local" account on a DC, but it won't be an IUSR account.

Ahhhh, Sophos are SAU.