Windows Server 2016 Default Domain Policy Settings

Below are .htm reports from the Group Policy Management Console on a Windows Server 2016 server, generated immediately following a clean installation of Active Directory Domain Services.

Best practice for GPO deployment is to NEVER modify the default policies unless absolutely necessary. Instead, it is recommended to create new policies that augment this minimum policy rule set. Read more about it here and here:

  • “As a best practice, you should configure the Default Domain Policy GPO only to manage the default Account Policies settings, Password Policy, Account Lockout Policy, and Kerberos Policy.”
  • “As a best practice, you should configure the Default Domain Controllers Policy GPO only to set user rights and audit policies.”
  • “Do not modify the default domain policy or default domain controller policy unless necessary. Instead, create a new GPO at the domain level and set it to override the default settings in the default policies.”

If you find yourself in an AD environment where the Default Domain Policy has been heavily modified, and you need to get back to what the original policy was, you can accomplish this by running the following commands:

dcgpofix /ignoreschema /target:Domain
dcgpofix /ignoreschema /target:DC

As always, it's a good idea to document and/or back up the current GPOs.
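One way to take that snapshot before running dcgpofix, as an added example that is not part of the original post. It assumes the GroupPolicy PowerShell module (RSAT or a domain controller) is available; the destination folder `C:\GPOBackup` and the output file names are hypothetical.

```powershell
#Requires -Modules GroupPolicy
# Added example: back up and document the current GPOs before a dcgpofix reset.

# Well-known GUIDs of the two default GPOs; using them instead of display names
# still finds the GPOs if someone has renamed them.
$defaults = @{
    'Default Domain Policy'             = '31B2F340-016D-11D2-945F-00C04FB984F9'
    'Default Domain Controllers Policy' = '6AC1786C-016F-11D2-945F-00C04FB984F9'
}

# Assumed destination (hypothetical path); keep it outside SYSVOL with tight ACLs,
# since GPO backups contain the domain's security settings.
$dest = Join-Path 'C:\GPOBackup' (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Full backup of every GPO in the domain; each one can be brought back with Restore-GPO.
Backup-GPO -All -Path $dest -Comment 'Snapshot before dcgpofix' | Out-Null

$summary = foreach ($name in $defaults.Keys) {
    $guid = $defaults[$name]
    $gpo  = Get-GPO -Guid $guid

    # Human-readable report in the same .htm format GPMC produces.
    $file = ($name -replace '\s', '_') + '.htm'
    Get-GPOReport -Guid $guid -ReportType Html -Path (Join-Path $dest $file)

    # The XML report shows which extensions (Security, Registry, ...) carry settings,
    # a quick way to see how far the GPO has drifted from a clean install.
    [xml]$xml = Get-GPOReport -Guid $guid -ReportType Xml
    $ext = @(@($xml.GPO.Computer.ExtensionData.Name) +
             @($xml.GPO.User.ExtensionData.Name) | Where-Object { $_ })

    [pscustomobject]@{
        Name            = $gpo.DisplayName
        Guid            = $guid
        LastModified    = $gpo.ModificationTime
        ComputerVersion = $gpo.Computer.DSVersion
        UserVersion     = $gpo.User.DSVersion
        Extensions      = ($ext | Sort-Object -Unique) -join ', '
    }
}

# Keep the summary next to the backup and show it on screen.
$summary | Export-Csv -Path (Join-Path $dest 'default-gpo-summary.csv') -NoTypeInformation
$summary | Format-List
```

The version numbers and extension list recorded here can be compared against the clean-install reports below to see what was changed in the default GPOs.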

Here are the Default Policies for review:

  • Default Domain Controllers Policy
  • Default Domain Policy
