Default Domain Controllers Policy

The second GPO that exists by default in even a fresh installation of Group Policy is the Default Domain Controllers (DCs) Policy. As the name implies, this policy is for your DC servers, and taking a look at the policy itself shows us that it is linked to only one location inside Active Directory, an OU called Domain Controllers. Only your DC servers end up inside the DCs OU, so settings in the Default Domain Controllers Policy only ever apply to DCs, but it is once again important to take into account that there are settings inside this policy and so they are applying to all of your DCs immediately upon creating the new domain.

The settings inside this GPO are fairly self-explanatory; it is a policy dedicated to keeping a baseline of security on the DC servers themselves. Settings here include things such as restrictions on who is allowed to log in to DCs, who is allowed to shut down DCs, and who is allowed to do other seemingly innocent tasks such as changing the system time. All of these functions are locked down by default to only certain users and groups of users being able to access them, namely those user accounts who are inside administrative containers and are therefore declared to be administrators:

Unless you have some experience here, it may seem silly that the ability to change the clock on a DC is locked down. However, all machines in the domain receive their time automatically from DCs, and if the computers in your domain fall out of time synchronization with each other, it can create an extremely broken environment. Time management is actually a really big deal within a domain!
上一章目录下一章