What Group Policy settings MUST be set within the Default Domain Policy?

The settings you're looking for are enumerated in Group Policy application rules for domain controllers, insofar as how Domain Controller (DC) computers apply Group Policy Object (GPO) settings that are set at the domain level. You don't necessarily need to specify these settings in the "Default Domain Policy" (and, indeed, I would recommend not modifying the "Default Domain Policy"). Rather, the resultant set of these settings, based on the link order of the GPOs at the root of the domain, determines the effective setting the DCs will apply.

The settings include the following for all Active Directory DCs.

  • Account Policies
  • Security Options settings: "Automatically log off users when logon time expires", "Rename administrator account", and "Rename guest account".

Windows Server 2003-based DCs (and, presumably, Windows Server 2008 and 2008 R2-based DCs) will also apply the Security Options settings:

  • Accounts: Administrator account status
  • Accounts: Guest account status
  • Accounts: Rename administrator account
  • Accounts: Rename guest account
  • Network security: Force logoff when logon hours expire
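
To see which GPO actually supplies each of these settings, the following read-only PowerShell sketch walks the GPOs linked at the domain root in precedence order and marks the winning value. It is an added example, not part of the original answer. It assumes the RSAT ActiveDirectory and GroupPolicy modules are available, that the setting names match those in the GPO XML report, and it ignores security and WMI filtering on the GPOs.

```powershell
# Added example: which domain-root GPO wins for the settings DCs take from the domain level.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName

# Security Options of interest, by the name assumed to appear in the XML report
# (SystemAccessPolicyName); these are also the GptTmpl.inf [System Access] keys.
$securityOptions = 'ForceLogoffWhenHourExpire', 'NewAdministratorName',
                   'NewGuestName', 'EnableAdminAccount', 'EnableGuestAccount'

# Enabled links on the domain root only. Enforced links win; after that, lowest Order wins.
$links = (Get-GPInheritance -Target $domainDn).GpoLinks |
    Where-Object { $_.Enabled } |
    Sort-Object @{ Expression = { -not $_.Enforced } }, Order

$seen = @{}
foreach ($link in $links) {
    [xml]$report = Get-GPOReport -Guid $link.GpoId -ReportType Xml

    # local-name() avoids depending on the q1:/q2: namespace prefixes in the report.
    $nodes = @($report.SelectNodes("//*[local-name()='Account']")) +
             @($report.SelectNodes("//*[local-name()='SecurityOptions']"))

    foreach ($node in $nodes) {
        $nameNode = $node.ChildNodes |
            Where-Object { $_.LocalName -in 'Name', 'SystemAccessPolicyName' } |
            Select-Object -First 1
        if (-not $nameNode) { continue }   # registry-based option, not in scope
        $name = $nameNode.InnerText

        # Account Policies entries are all in scope; Security Options only if listed above.
        if ($node.LocalName -eq 'SecurityOptions' -and $name -notin $securityOptions) { continue }

        $valueNode = $node.ChildNodes |
            Where-Object { $_.LocalName -like 'Setting*' } |
            Select-Object -First 1

        [pscustomobject]@{
            Setting   = $name
            Value     = if ($valueNode) { $valueNode.InnerText } else { $null }
            Gpo       = $link.DisplayName
            Enforced  = $link.Enforced
            Effective = -not $seen.ContainsKey($name)   # first hit in precedence order wins
        }
        $seen[$name] = $true
    }
}
```

Pipe the output to `Sort-Object Setting | Format-Table` to compare, per setting, the effective value against any lower-precedence GPO that also defines it.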