Default Domain Policy
-
I've been searching all over for an exemplar default domain policy that's current with 2008 and 2012 domain controllers and found that one guy published a blog years ago with detailed info on the defaults, and it's been removed since. Does anyone have an unmodified default GPO that you're willing to paste up for the world to see? I don't want to set up a whole new server and roles, then delete it just to get the defaults out.
Incidentally, I'm doing this so I can compare the changes made to the existing one that I've inherited.
-
I wish I did. The default domain policy here and the default domain controller policy have been modified heavily, rather than making new ones and leaving them default. I have been slowly getting them back to default (I think) by making other policies linked to the same OUs with similar settings, then changing the default ones back to Not Configured.
There is dcgpofix from MS. I have been too scared to use it as I am not sure if there is some arcane existing setting that would break things if reset.
-
@momurda said in Default Domain Policy:
I wish I did. The default domain policy here and the default domain controller policy have been modified heavily, rather than making new ones and leaving them default. I have been slowly getting them back to default (I think) by making other policies linked to the same OUs with similar settings, then changing the default ones back to Not Configured.
There is dcgpofix from MS. I have been too scared to use it as I am not sure if there is some arcane existing setting that would break things if reset.
I've got a 2016 server that's not doing anything. I could spin it up as an AD controller and get the defaults for that if you want.
-
I am on 2012 AD Schema.
-
Yeah, I think we need to initiate a team effort or something to collect defaults for 2008, 2012, and 2016.
-
@momurda I would do that if I really, really had everything ready.
http://i.imgur.com/y7Hm9.jpg
-
You can restore it with gpofix. Not sure if I'd go that route though.
You could always fire up a 2008 R2 VM and promote it to a test domain and export the GPO.
-
Let me see if I might help, 'cause I use 2008 R2 SP1 as Windows deployment role, and that for some reason requires AD, thus I have AD but I don't use it at all, so I never modify it.
-
We should also come up with a standard way of exporting the GPO configurations (quit laughing, I've never had to do this before! lol).
-
```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy
Add-Type -AssemblyName "System.IO.Compression.FileSystem"

# Variables
$Path = ""   # Set to wherever you want the GPOs to be stored; include the trailing backslash (e.g. C:\GPOs\)
$gpoarray = Get-GPO -All | Select-Object Id, DisplayName   # Gets all GPOs and puts their ID and DisplayName in an array
$Date = Get-Date -Format MM-dd-yy

# Backup loop
foreach ($guid in $gpoarray) {
    $DisplayName = $guid.DisplayName
    # Create an individual folder for each GPO
    $BackupPath = $Path + $Date + "\" + $DisplayName
    if (-not (Test-Path $BackupPath)) { New-Item -ItemType Directory -Path $BackupPath | Out-Null }
    # This will place the GPOs in a specific path, for example C:\GPOs\11-2-15\Machine Policy...
    Backup-GPO -Guid $guid.Id -Path "$BackupPath"
}

# Compression
[System.IO.Compression.ZipFile]::CreateFromDirectory("$Path$Date", "$Path$Date.zip")
Remove-Item "$Path$Date" -Force -Recurse
```
-
@coliver I like it!
I'll try to get a 2016 Default GPO list up today.
-
Server 2016 Default Policies located here:
https://github.com/dafyre/default_gpo_policies
Link updated to point to the GitHub Repo. No zip file to deal with now.
-
You have a checksum for the zip file?
-
@dafyre
Perfect, thanks!
-
@dafyre said in Default Domain Policy:
Server 2016 Default Policies located here:
http://france.wellston.biz/DefaultPolicies_Server2016.zip
MD5 Checksum: 708c92da241ae1c7163125d7cdf96299
Why not on a github or something?
-
@JaredBusch said in Default Domain Policy:
@dafyre said in Default Domain Policy:
Server 2016 Default Policies located here:
http://france.wellston.biz/DefaultPolicies_Server2016.zip
MD5 Checksum: 708c92da241ae1c7163125d7cdf96299
Why not on a github or something?
Hindsight is 20/20, lol.
-
@dafyre said in Default Domain Policy:
@JaredBusch said in Default Domain Policy:
@dafyre said in Default Domain Policy:
Server 2016 Default Policies located here:
http://france.wellston.biz/DefaultPolicies_Server2016.zip
MD5 Checksum: 708c92da241ae1c7163125d7cdf96299
Why not on a github or something?
Hindsight is 20/20, lol.
Why not NOW though?
-
@scottalanmiller said in Default Domain Policy:
@dafyre said in Default Domain Policy:
@JaredBusch said in Default Domain Policy:
@dafyre said in Default Domain Policy:
Server 2016 Default Policies located here:
http://france.wellston.biz/DefaultPolicies_Server2016.zip
MD5 Checksum: 708c92da241ae1c7163125d7cdf96299
Why not on a github or something?
Hindsight is 20/20, lol.
Why not NOW though?
Link fixed.
https://github.com/dafyre/default_gpo_policies/blob/master/DefaultPolicies_Server2016.zip
MD5 checksum is the same.
-
@Tim_G Yeah, that is what I use (as last resort though)
https://technet.microsoft.com/en-us/itpro/powershell/windows/grouppolicy/restore-gpo
https://technet.microsoft.com/en-us/library/hh875588(v=ws.11).aspx
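-
The checksum check and the default-versus-inherited comparison discussed in this thread, as an added example that is not part of any original post: it verifies the downloaded zip against the MD5 posted above, then diffs the baseline's gpreport.xml against the live Default Domain Policy. The local paths, the helper name `Get-GpoSettingLine`, and the assumption that the archive holds Backup-GPO output (one gpreport.xml per GPO) are mine; an MD5 match only rules out a corrupted download.

```powershell
Import-Module GroupPolicy

# Assumed local paths (not from the thread): where the zip was saved and where to unpack it.
$Zip         = "$env:USERPROFILE\Downloads\DefaultPolicies_Server2016.zip"
$Extract     = "$env:TEMP\DefaultPolicies_Server2016"
$ExpectedMd5 = '708c92da241ae1c7163125d7cdf96299'   # MD5 posted in the thread
$GpoName     = 'Default Domain Policy'

# 1. Refuse to unpack anything whose hash does not match the published value.
$actual = (Get-FileHash -Path $Zip -Algorithm MD5).Hash
if ($actual -ne $ExpectedMd5) {   # -ne is case-insensitive, so upper/lower hex both match
    throw "Checksum mismatch for $Zip (got $actual)"
}
Expand-Archive -Path $Zip -DestinationPath $Extract -Force

# Hypothetical helper: flatten every setting under the Extension nodes of a GPO
# report into one "Element: child=value; ..." string so two reports can be diffed.
function Get-GpoSettingLine([xml]$Report) {
    foreach ($node in $Report.SelectNodes("//*[local-name()='Extension']/*")) {
        $fields = foreach ($child in $node.ChildNodes) { "$($child.LocalName)=$($child.InnerText.Trim())" }
        "$($node.LocalName): $($fields -join '; ')"
    }
}

# 2. Find the baseline report for the GPO inside the unpacked backup
#    (assumes Backup-GPO output, which writes a gpreport.xml per GPO).
$baselineXml = $null
foreach ($file in Get-ChildItem -Path $Extract -Recurse -Filter gpreport.xml) {
    $doc = [xml](Get-Content -Raw -LiteralPath $file.FullName)
    if ($doc.SelectSingleNode("/*[local-name()='GPO']/*[local-name()='Name']").InnerText -eq $GpoName) {
        $baselineXml = $doc; break
    }
}
if (-not $baselineXml) { throw "No gpreport.xml for '$GpoName' under $Extract" }

# 3. Report the same GPO from the live (inherited) domain and diff the two.
$currentXml = [xml](Get-GPOReport -Name $GpoName -ReportType Xml)
$baseline   = @(Get-GpoSettingLine $baselineXml)
$current    = @(Get-GpoSettingLine $currentXml)
Compare-Object -ReferenceObject $baseline -DifferenceObject $current |
    Select-Object @{ n = 'Where';   e = { if ($_.SideIndicator -eq '=>') { 'inherited only' } else { 'default only' } } },
                  @{ n = 'Setting'; e = { $_.InputObject } } |
    Sort-Object Setting | Format-Table -Wrap
```

Values that are specific to a domain (SIDs, names, certificates) differ between any two domains and will appear as differences, so review those rows before treating them as changes someone made.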