What Group Policy settings MUST be set within the Default Domain Policy?
The settings you're looking for are enumerated in Group Policy application rules for domain controllers, insofar as how Domain Controller (DC) computers apply Group Policy Object (GPO) settings that are set at the domain level. You don't necessarily need to specify these settings in the "Default Domain Policy" (and, indeed, I would recommend not modifying the "Default Domain Policy"). Rather, the resultant set of these settings, based on the link order of the GPOs at the root of the domain, determines the effective setting the DCs will apply.
The settings include the following for all Active Directory DCs.
- Account Policies
- Security Options settings: "Automatically log off users when logon time expires", "Rename administrator account", and "Rename guest account".
Windows Server 2003-based DCs (and, presumably, Windows Server 2008 and 2008 R2-based DCs) will also apply the Security Options settings:
- Accounts: Administrator account status
- Accounts: Guest account status
- Accounts: Rename administrator account
- Accounts: Rename guest account
- Network security: Force logoff when logon hours expire