Revisiting and important question

A little while ago I posted about what is considered best practice with regards to the Default Domain Controller policies and Default Domain Policy.

At the time I was struggling to find some good examples to back up my post. However After some discussion internally some learned and  senior escalation engineers for Microsoft in the U.K. have  explained further the reasons why it is best advised NOT to unlink the Default Domain and the Default Domain Controllers Group Policy.

The summation the key points are below;

GUIDs for these policies are well known – the same in every AD domain and forest since we shipped Windows 2000.

Domain GPO GUID {31B2F340-016D-11D2-945F-00C04FB984F9}

DC GPO GUID {6AC1786C-016F-11D2-945F-00C04FB984F9}

The reason they are fixed is that internal API’s will have knowledge of what policy to update without having ascertain which ones are applying to the current Domain or Domain Controllers. Examples of these policies are LSA/SAM policy – the API’s allow in -memory (DS) policy, such as audit; privileges; password settings on a DC, to be set directly – the type of configuration information which you would normally expect to be read from Group Policy  at start up  and background refresh are examples of API’s that do this.

In order to keep LSA/SAM policy and Group Policy in sync there is a callback mechanism . When one is updated directly then the respective  Group Policy is updated too. if the Default Group Policies are unlinked then they will still be updated and replicated but obviously as they are not read again at startup by other DC’s  the policy change is not reflected on those boxes. Another example of direct use of those Well Known GUID’s  is  that  Adprep explicitly sets ACEs on them.Customers do unlink these policies and run without experiencing related issues .Or indeed what could could be happening is that  they do not  notice, as the difference may be quite subtle. For example some users may be prompted to change their passwords after 20 days instead of  30 days.Customers need to be aware that there is a risk associated with doing so. Potentially something may break as a consequence of unlinking these policies.

It is therefore advisable to as I stated in a previous post.

“If you must use a different Group Policy for your Domain Controllers simply modify the order in which the Policies are being processed by having the Default Domain Controllers Policy running at a lower priority and your customised Domain Controller Policy running at a higher priority.”