Chapter 4: Strengthening Domain and Domain Controller Policy Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

Active Directory in Windows Server 2003 contains default security policy settings for the domain and for domain controllers in the form of Group Policy objects (GPOs). These settings are configured by default when Active Directory is installed, and they are applied to all new domains.

Default Group Policy settings do not overwrite existing Windows 2000 settings. Existing Windows 2000 Group Policy settings are maintained when you:

  • Install Active Directory on a server that is running Windows Server 2003 in an existing Windows 2000 domain.

  • Upgrade a domain controller that is running Windows 2000 to Windows Server 2003.

Default Domain and Domain Controller GPOs

In a new Windows Server 2003 domain, the following default GPOs protect the domain and all domain controllers:

  • Default Domain Policy, which is linked to the domain object and affects all users and computers in the domain (including computers that are domain controllers) through policy inheritance.

  • Default Domain Controllers Policy, which is linked to the Domain Controllers OU. This policy generally affects only domain controllers, because by default, computer accounts for domain controllers are kept in the Domain Controllers OU.

You can manage security-specific policies in the Default Domain Policy GPO and in the Default Domain Controllers Policy GPO by using the administrative tools Domain Security Policy and Domain Controller Security Policy, respectively. Security policy settings are organized into the following categories:

  • Account Policies, which include:

    • Password Policy: Controls password enforcement and lifetimes on domain accounts.

    • Account Lockout Policy: Determines the circumstances and length of time that an account will be locked out of the system.

    • Kerberos Policy: Determines Kerberos-related settings, such as ticket lifetimes and enforcement.

  • Local Policies, which include:

    • Audit Policy: Tracks system security events on computers.

    • User Rights Assignment: Controls user and administrative actions on computers.

    • Security Options: Affects Active Directory, network, file system, and user logon abilities.

  • Event Log Policy: Defines attributes that are related to the application, security, and system event logs.

Strengthening Security Policy Settings

In most cases, default Windows Server 2003 settings are effective in securing domains and domain controllers against various types of threats. However, some default settings can be strengthened to improve the level of protection. In addition to security policies, Active Directory data is protected by default auditing settings on key directory objects. For most settings, changes to default policy are best made in the default GPOs. Where a setting can instead be applied through a new GPO without affecting the operation of the default GPOs, that approach is recommended and described. For more information about applying security policy settings, see Applying Selected Domain and Domain Controller Policy Settings later in this guide.

Default and recommended changes for strengthening security policy and directory object auditing are presented in the following categories:

  • Domain Security Policy settings

  • Domain Controller Security Policy settings

In the following sections, default and recommended settings are presented for key settings in each category, even if no changes to default settings are recommended. Security policy settings that require no change are also presented as a means of describing the key security policy settings that are in place by default on Windows Server 2003 domains and domain controllers.

Applying Security Policy Settings

Where a security policy setting is applied depends on whether it is defined in the Default Domain Policy GPO and inherited from the domain level to the OU level, or whether it is defined in the Default Domain Controllers Policy GPO. Policy settings that are applied at the OU level override policy settings at the domain level. In this way, security policy settings that are specific to domain controllers, but not to all users, groups, and computers in the domain, can be set at the Domain Controllers OU level. For this reason, certain policy settings are discussed in this chapter in relation to the domain and other policy settings are discussed in relation to domain controllers.

When you apply security option settings to affect the Domain Controllers OU, some settings are best applied by adding them to a new GPO, while other settings require application directly to the Default Domain Controllers Policy GPO. Requirements and recommendations for these settings are provided in Applying Selected Domain and Domain Controller Policy Settings later in this guide.
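The following PowerShell script is an added example (not part of this guide) that shows how the precedence described above looks on a live domain: it lists the GPO links that reach the Domain Controllers OU in the order they are applied, reports the effective domain account policy, and warns about two common departures from the default layout. It assumes the GroupPolicy and ActiveDirectory modules (RSAT) are installed and that the session runs under an account that can read Group Policy in the domain.

```powershell
# Added example: inspect how the two default GPOs reach domain controllers.
# Assumes RSAT (GroupPolicy and ActiveDirectory modules) and domain read access.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcOu   = $domain.DomainControllersContainer   # "OU=Domain Controllers,DC=..."

# The two default GPOs this chapter describes
$defaultDomainGpo = Get-GPO -Name 'Default Domain Policy'
$defaultDcGpo     = Get-GPO -Name 'Default Domain Controllers Policy'

# InheritedGpoLinks is ordered by precedence: links on the OU itself come
# first, then links inherited from the domain. A setting defined at the OU
# level therefore overrides a conflicting domain-level setting.
$inheritance = Get-GPInheritance -Target $dcOu
Write-Host "GPO precedence for $dcOu (highest first):"
$rank = 1
foreach ($link in $inheritance.InheritedGpoLinks) {
    $scope = if ($link.Target -eq $dcOu) { 'linked at OU' } else { 'inherited from domain' }
    Write-Host ("  {0}. {1} ({2}) Enabled={3} Enforced={4}" -f `
        $rank, $link.DisplayName, $scope, $link.Enabled, $link.Enforced)
    $rank++
}

# Account Policies (Password Policy and Account Lockout Policy) for domain
# accounts are taken from the domain-level GPO, so report the effective values.
$policy = Get-ADDefaultDomainPasswordPolicy
Write-Host "`nEffective domain account policy:"
Write-Host ("  MinPasswordLength={0}  MaxPasswordAge={1}  LockoutThreshold={2}  LockoutDuration={3}" -f `
    $policy.MinPasswordLength, $policy.MaxPasswordAge, $policy.LockoutThreshold, $policy.LockoutDuration)

# Warn about drift from the default layout described in this chapter
if ($inheritance.GpoInheritanceBlocked) {
    Write-Warning "Inheritance is blocked on $dcOu; Default Domain Policy settings will not reach domain controllers."
}
if (-not ($inheritance.GpoLinks | Where-Object { $_.GpoId -eq $defaultDcGpo.Id })) {
    Write-Warning "Default Domain Controllers Policy is not linked to $dcOu."
}
if (-not ($inheritance.InheritedGpoLinks | Where-Object { $_.GpoId -eq $defaultDomainGpo.Id })) {
    Write-Warning "Default Domain Policy does not reach $dcOu."
}
```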

Auditing Important Active Directory Objects

In addition to Domain Controller Security auditing settings (Audit Policy), auditing settings are essential for tracking access to Active Directory objects themselves. For this reason, auditing is enabled by default on the topmost object in each directory partition in Active Directory — the domain, schema, and configuration directory partitions — as well as on certain key configuration objects.

Most auditing settings that are recommended for Windows 2000 Server deployments are set by default on important Active Directory objects in Windows Server 2003. These settings are described in Reviewing Audit Settings on Important Active Directory Objects later in this guide.
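As an added example (not part of this guide), the following PowerShell script lists the audit entries (SACL) on the topmost object of each directory partition, which are the objects the section above says are audited by default, and warns when a partition head carries no audit entries at all. It assumes the ActiveDirectory module (which provides the AD: drive) and an account permitted to read SACLs, which normally means a member of Domain Admins.

```powershell
# Added example: review the default audit entries on the partition heads.
# Assumes the ActiveDirectory module and the right to read SACLs.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$partitionHeads = [ordered]@{
    Domain        = $rootDse.defaultNamingContext
    Schema        = $rootDse.schemaNamingContext
    Configuration = $rootDse.configurationNamingContext
}

foreach ($partition in $partitionHeads.Keys) {
    $dn = $partitionHeads[$partition]
    # -Audit is required; without it Get-Acl returns only the DACL
    $acl = Get-Acl -Path "AD:\$dn" -Audit
    Write-Host "`n[$partition partition] $dn"

    if (-not $acl.Audit) {
        Write-Warning "No audit entries on $dn; the default auditing described in this chapter may have been removed."
        continue
    }

    # Each entry is an ActiveDirectoryAuditRule: who is audited, for which
    # rights, on success and/or failure, and whether it was inherited.
    $acl.Audit |
        Sort-Object IdentityReference |
        Format-Table -AutoSize IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType, IsInherited |
        Out-Host
}

# Object-level SACL entries only produce events when the domain controller
# Audit Policy (Local Policies) enables auditing of directory service access.
```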