[gptalk] Re: Default Domain Policy

  • From: "Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 30 Jan 2007 08:04:16 +1100



Take the "Interactive Logon Message" out of the Default Domain Policy and
put it into a second policy called "Interactive Logon Message", then put the
DENY filtering on that policy. It is a bit more overhead (everyone now has
to process two policies) but it is more intuitive and you don't have to
remember that whenever you modify the Default Domain Policy, you also have
to modify the other policy. I also dislike putting security filtering on the
Default Domain Policy, again because people may get accidentally added to
the group.


Note: The default domain policy is normally "Enforced" but you could remove
that if you wanted to and then have a policy that resets the message to
blank for just the machines you want. The enforcement is really used to stop
OU administrators from overwriting your Default Domain Policy. If you
control all of the policies (and are careful) then enforcement is not really


Alan Cuthbertson

Policy Management Software:-

ADM Template Editor:-

Policy Log Reporter(Free)

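The split that Alan describes, as an added PowerShell example that is not part of the thread: a separate "Interactive Logon Message" GPO linked at the domain root, with a Deny "Apply Group Policy" ACE for the group holding the exempt machine accounts. The GPO and group names are assumed, and the banner is delivered through the registry values the logon screen reads rather than through the Security Options template; removing the banner from the Default Domain Policy itself is still done in GPMC.

```powershell
# Added example (not from the thread). Requires the GroupPolicy and ActiveDirectory
# RSAT modules and a domain-admin context. GPO and group names below are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Interactive Logon Message'            # assumed name
$ExemptGrp = 'GPO-Exempt-LogonMessage-Computers'    # assumed; holds the auto-logon machine accounts
$DomainDn  = (Get-ADDomain).DistinguishedName

# 1. Create the GPO and put the banner in it.
#    Assumption: the values are written to the registry policy branch (GPMC lists them as
#    "Extra Registry Settings"); they are the same keys the Security Options settings populate.
$gpo = New-GPO -Name $GpoName -Comment 'Logon banner split out of the Default Domain Policy'
$key = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'LegalNoticeCaption' `
    -Type String -Value 'Authorised use only' | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'LegalNoticeText' `
    -Type String -Value 'This system is for authorised users only.' | Out-Null

# 2. Link it at the domain root. It is not Enforced; it has nothing to win against.
New-GPLink -Name $GpoName -Target $DomainDn -LinkEnabled Yes | Out-Null

# 3. Deny "Apply Group Policy" to the exception group. Set-GPPermission cannot write a
#    Deny ACE, so the ACE is added to the GPO's AD object, which is what the client's
#    filtering check evaluates. The GUID is the Apply-Group-Policy extended right.
$applyGpRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$sid  = (Get-ADGroup -Identity $ExemptGrp).SID
$path = 'AD:\' + $gpo.Path
$acl  = Get-Acl -Path $path
$ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGpRight)
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# 4. Check the domain-root links: an Enforced Default Domain Policy that still carries
#    the banner would bring it back on the exempt machines, so it must be removed there.
Get-GPInheritance -Target $DomainDn | Select-Object -ExpandProperty GpoLinks |
    Format-Table DisplayName, Order, Enabled, Enforced -AutoSize
```

Machine accounts pick up the new group membership only after a reboot, so expect the exemption to take effect on the next restart plus policy refresh rather than immediately.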
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Tuesday, 30 January 2007 5:06 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Default Domain Policy



If the Default Domain Policy is enforced, that's going to prevent another GPO,
linked higher at the domain level, from having an effect. I think your best
bet is to use security group filtering to deny Apply Group Policy to the
group containing your special computers, and then add a new GPO that is a
copy of the Default Domain Policy with an allow for that special group. At
that point, you could link it closer to the machines instead of having to
link it at the domain level.




From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Tappmeyer, Stephen [GCG-NAOT]
Sent: Monday, January 29, 2007 9:48 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Default Domain Policy


In my default domain policy, I have defined an "Interactive logon: Message
text for users attempting to log on" and an "Interactive logon: Message
title for users attempting to log on".


This is working correctly, but I have been asked to provide an exception for
a few workstations to allow for an auto logon to those workstations with a
specific account. (Currently the message must be acknowledged.)


I believe that since this is the default domain policy that is enforced, I
cannot provide an exception unless I link another GPO to the root and ensure
that the link order lists this new GPO above the default domain policy.
(Security Filtering would be to a specific group to which machine accounts
would be added for the exception.)


What is the impact of adding this exception after the Default Domain Policy?


Are there any other options?
