JustAnotherAdmin

Logo

This is my site for sharing back with the IT world.

View the Project on GitHub soccershoe/JustAnotherAdmin

14 February 2019

Default Domain Policy & Local Policy Sync

by This Guy

The Times When the Default Domain Policy and Local Security Policy Sync

I didn’t know this before. But it makes sense to me now. There are several password related settings that are synced between domain controllers, but these settings are in the Local Security Policy. Specifically it is the password related settings are synced, as stated by Microsoft, so “that the members of the domain have a consistent experience regardless of which domain controller they use to log on”.

Example_ Say you open up the Local Security Policy on a domain controller in your domain. Then go ahead and edit a password policy setting like the account lockout time or password length. The setting will update in the Local Security Policy on all the other domain controllers in your domain. The Local Security Policy isn’t so “local” for these password settings. On top of that, if you are auditing who’s writing to your GPO’s (you should be doing that or using AGPM), you’ll see that the “Default Domain Policy” is getting updated as well! Whoa!

alt text

The way I came across this was through a security project. To increase security, I blocked GPO inheritance on the ‘Domain Controllers’ OU. Who does that right?? There are some security issues when you allow GPO settings to flow down from the root of the domain. And especially if you aren’t logging or restricting who can write to your GPO’s. You don’t really want the same GPO linked to the domain root and the ‘Domain Controllers’ OU at the same time (maybe another post on another day). GPO’s can be a useful tool for bad actors who are trying to hide in your environment, if you aren’t looking.

Anyways… If your password settings in your ‘Default Domain Policy’ aren’t applied to your domain controller (blocked OU inheritance in my case), the settings may be different (if you changed the MS defaults). When you go and try to update the password policy in the GPO it’s not going to work and will show inconsistent behavior. I ended up confused for a while and banging my head on things.

alt text

I really couldn’t find any good Microsoft articles on this or guidance on blocking inheritance on the ‘Domain Controllers’ OU. These links are the best I could find for now.

https://support.microsoft.com/en-ca/help/259576/group-policy-application-rules-for-domain-controllers https://sdmsoftware.com/group-policy-blog/gp-troubleshooting/ghosts-in-the-gpo-machine-local-security-policy-changes-on-dcs/

tags:

comments powered by Disqus