GPO | Default Domain Policy (WS 2012 R2)

The day came when I wanted to reset the Default Domain Policy settings to their default values. Unfortunately, there is no reset-to-default functionality in the Group Policy Management MMC. So the only option is to create a new domain by promoting a new domain controller and then check all the values that are set by default. Below are the settings I gathered from a new Windows Server 2012 R2 instance:

In Short

Default Domain Policy
Computer Configuration > Policies > Windows Settings > Security Settings

  1. Account Policies > Password Policy > Enforce password history
    24 passwords remembered
  2. Account Policies > Password Policy > Maximum password age
    42 days
  3. Account Policies > Password Policy > Minimum password age
    1 days
  4. Account Policies > Password Policy > Minimum password length
    7 characters
  5. Account Policies > Password Policy > Password must meet complexity requirements
    Enabled
  6. Account Policies > Password Policy > Store passwords using reversible encryption
    Disabled
  7. Account Policies > Account Lockout Policy > Account lockout threshold
    0 invalid logon attempts
  8. Account Policies > Kerberos Policy > Enforce user logon restrictions
    Enabled
  9. Account Policies > Kerberos Policy > Maximum lifetime for service ticket
    600 minutes
  10. Account Policies > Kerberos Policy > Maximum lifetime for user ticket
    10 hours
  11. Account Policies > Kerberos Policy > Maximum lifetime for user ticket renewal
    7 days
  12. Account Policies > Kerberos Policy > Maximum tolerance for computer clock synchronization
    5 minutes
  13. Local Policies > Security Options > Network access: Allow anonymous SID/name translation
    Disabled
  14. Local Policies > Security Options > Network security: Do not store LAN Manager hash value on next password change
    Enabled
  15. Local Policies > Security Options > Network security: Force logoff when logon hours expire
    Disabled
  16. Public Key Policies > Encrypting File System
    Issued To Administrator
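The list above is exactly the kind of baseline you want to diff a live domain against, because the settings in the Default Domain Policy live in SYSVOL as a plain security template (GptTmpl.inf) that can be parsed offline. The following script is an added example and is not code from the original page: it encodes the values listed above as expected INF keys and reports every deviation. It assumes the standard security-template key names that secedit writes (for example `PasswordHistorySize`, `MaxClockSkew`, `NoLMHash`), the well-known GUID of the Default Domain Policy, and a constructed, deliberately drifted template as sample input; `corp.example` in the usage is a placeholder domain name.

```python
"""Audit a Default Domain Policy security template (GptTmpl.inf) against the
WS 2012 R2 defaults listed above.  Added example, not part of the original page.
The INF section/key names are assumed to be the standard security-template
names written by secedit; verify them against your own SYSVOL copy."""
import configparser
from pathlib import Path

# Well-known GUID of the Default Domain Policy GPO (identical in every AD domain).
DEFAULT_DOMAIN_POLICY_GUID = "{31B2F340-016D-11D2-945F-00C04FB984F9}"

# (INF section, INF key) -> value expected on a freshly promoted WS 2012 R2 DC.
# Units follow the template: password ages in days, MaxServiceAge and
# MaxClockSkew in minutes, MaxTicketAge in hours, MaxRenewAge in days.
BASELINE = {
    ("System Access", "PasswordHistorySize"): "24",
    ("System Access", "MaximumPasswordAge"): "42",
    ("System Access", "MinimumPasswordAge"): "1",
    ("System Access", "MinimumPasswordLength"): "7",
    ("System Access", "PasswordComplexity"): "1",
    ("System Access", "ClearTextPassword"): "0",         # reversible encryption off
    ("System Access", "LockoutBadCount"): "0",           # account lockout threshold
    ("System Access", "ForceLogoffWhenHourExpire"): "0",
    ("System Access", "LSAAnonymousNameLookup"): "0",    # anonymous SID/name translation
    ("Kerberos Policy", "TicketValidateClient"): "1",    # enforce user logon restrictions
    ("Kerberos Policy", "MaxServiceAge"): "600",
    ("Kerberos Policy", "MaxTicketAge"): "10",
    ("Kerberos Policy", "MaxRenewAge"): "7",
    ("Kerberos Policy", "MaxClockSkew"): "5",
    # "Do not store LAN Manager hash value" is a registry value: 4 = REG_DWORD, data 1
    ("Registry Values", r"MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash"): "4,1",
}


def sysvol_template_path(domain_dns_name: str) -> str:
    """UNC path of the live template for the given domain (domain name is caller-supplied)."""
    return (rf"\\{domain_dns_name}\SYSVOL\{domain_dns_name}\Policies\{DEFAULT_DOMAIN_POLICY_GUID}"
            r"\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf")


def load_template(inf_text: str) -> configparser.ConfigParser:
    """Parse GptTmpl.inf text; registry paths are case-sensitive keys, so keep them as-is."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(inf_text)
    return cp


def read_template_file(path: Path) -> configparser.ConfigParser:
    """SYSVOL copies of GptTmpl.inf are written as UTF-16 with a BOM."""
    return load_template(path.read_text(encoding="utf-16"))


def audit(cp: configparser.ConfigParser) -> dict:
    """Return {'Section / Key': (expected, actual)} for every key that deviates or is missing."""
    findings = {}
    for (section, key), expected in BASELINE.items():
        actual = cp.get(section, key, fallback=None)
        if actual != expected:
            findings[f"{section} / {key}"] = (expected, actual)
    return findings


def render_baseline_template() -> str:
    """Emit a minimal INF containing only the baseline keys (a reference copy to diff against)."""
    sections: dict = {}
    for (section, key), value in BASELINE.items():
        sections.setdefault(section, []).append(f"{key}={value}")
    lines = ["[Unicode]", "Unicode=yes", "[Version]", 'signature="$CHICAGO$"', "Revision=1"]
    for section, entries in sections.items():
        lines.append(f"[{section}]")
        lines.extend(entries)
    return "\n".join(lines) + "\n"


# Constructed sample: a template that has drifted from the defaults in three places
# (password age 90, lockout threshold 5, NoLMHash value removed).
SAMPLE_TEMPLATE = r"""[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordAge=1
MaximumPasswordAge=90
MinimumPasswordLength=7
PasswordComplexity=1
PasswordHistorySize=24
LockoutBadCount=5
ForceLogoffWhenHourExpire=0
ClearTextPassword=0
LSAAnonymousNameLookup=0
[Kerberos Policy]
MaxTicketAge=10
MaxRenewAge=7
MaxServiceAge=600
MaxClockSkew=5
TicketValidateClient=1
[Registry Values]
"""

if __name__ == "__main__":
    # Live use: audit(read_template_file(Path(sysvol_template_path("corp.example"))))
    for name, (expected, actual) in audit(load_template(SAMPLE_TEMPLATE)).items():
        print(f"{name}: expected {expected!r}, found {actual!r}")
```

A missing key is reported with `None` as the actual value, which matters in practice: a removed `NoLMHash` entry means the GPO no longer enforces the setting, even though nothing in the GPMC report reads "Disabled".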

In Detail

GPO Parameters

Default title: Default Domain Policy

Settings root: Computer Configuration > Policies > Windows Settings > Security Settings

Operating System: Windows Server 2012 R2

Policy Parameters

Account Policies > Password Policy
  • Enforce password history = 24 passwords remembered

    This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords.

    This policy enables administrators to enhance security by ensuring that old passwords are not reused continually.

    Default:

    24 on domain controllers.
    0 on stand-alone servers.

    Note: By default, member computers follow the configuration of their domain controllers.
    To maintain the effectiveness of the password history, do not allow passwords to be changed immediately after they were just changed by also enabling the Minimum password age security policy setting. For information about the minimum password age security policy setting, see Minimum password age.

  • Maximum password age = 42 days

    This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days.

    Note: It is a security best practice to have passwords expire every 30 to 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to crack a user's password and have access to your network resources.

    Default: 42.

  • Minimum password age = 1 days

    This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0.

    The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.

    Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default.

    Default:

    1 on domain controllers.
    0 on stand-alone servers.

    Note: By default, member computers follow the configuration of their domain controllers.

  • Minimum password length = 7 characters

    This security setting determines the least number of characters that a password for a user account may contain. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0.

    Default:

    7 on domain controllers.
    0 on stand-alone servers.

    Note: By default, member computers follow the configuration of their domain controllers.

  • Password must meet complexity requirements = Enabled

    This security setting determines whether passwords must meet complexity requirements.

    If this policy is enabled, passwords must meet the following minimum requirements:

      • Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
      • Be at least six characters in length
      • Contain characters from three of the following four categories:
          • English uppercase characters (A through Z)
          • English lowercase characters (a through z)
          • Base 10 digits (0 through 9)
          • Non-alphabetic characters (for example, !, $, #, %)

    Complexity requirements are enforced when passwords are changed or created.

    Default:

    Enabled on domain controllers.
    Disabled on stand-alone servers.

    Note: By default, member computers follow the configuration of their domain controllers.
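The complexity rule above is easy to misread, so here is an added example (not code from the page) that applies it the way it is described: account name, full-name parts of three or more consecutive characters, minimum length of six, and three of the four listed categories. The full-name tokenization on the documented delimiters, the three-character token threshold and skipping the account-name check for names shorter than three characters are this example's assumptions; treating every non-letter, non-digit character as "non-alphabetic" is likewise a simplification.

```python
"""Check a candidate password against the complexity rule quoted above.
Added example, not code from the original page."""
import re
import string

# Assumption: the full name is split into tokens on commas, periods, dashes,
# underscores, spaces, '#' and tabs, and tokens shorter than three characters are ignored.
_NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def name_tokens(full_name: str) -> list:
    """Parts of the full name that exceed two consecutive characters."""
    return [t for t in _NAME_DELIMITERS.split(full_name) if len(t) >= 3]


def category_count(password: str) -> int:
    """How many of the four categories on the page the password draws from."""
    return sum((
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c not in string.ascii_letters + string.digits for c in password),
    ))


def complexity_violations(password: str, account_name: str, full_name: str) -> list:
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    lowered = password.lower()
    # Assumption: the account name is matched in its entirety and skipped when shorter than 3 chars.
    if len(account_name) >= 3 and account_name.lower() in lowered:
        problems.append("contains the account name")
    for token in name_tokens(full_name):
        if token.lower() in lowered:
            problems.append(f"contains part of the full name: {token!r}")
    if len(password) < 6:
        problems.append("shorter than six characters")
    if category_count(password) < 3:
        problems.append("uses fewer than three of the four character categories")
    return problems


def meets_complexity(password: str, account_name: str, full_name: str) -> bool:
    return not complexity_violations(password, account_name, full_name)


if __name__ == "__main__":
    # Constructed sample account: sAMAccountName 'jdoe', display name 'John Doe'.
    for candidate in ("Tr0ub4dor&3", "Password1", "JohnDoe2024!", "abc123", "Ab1!"):
        print(f"{candidate!r}: {complexity_violations(candidate, 'jdoe', 'John Doe') or 'ok'}")
```

Note what the check does not do: `Password1` passes, because the rule only demands three categories and six characters. Complexity filtering is a floor, not a strength measure, which is why the page's other settings (history, minimum age, length) matter alongside it.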

  • Store passwords using reversible encryption = Disabled

    This security setting determines whether the operating system stores passwords using reversible encryption.

    This policy provides support for applications that use protocols that require knowledge of the user's password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information.

    This policy is required when using Challenge-Handshake Authentication Protocol (CHAP) authentication through remote access or Internet Authentication Services (IAS). It is also required when using Digest Authentication in Internet Information Services (IIS).

    Default: Disabled.

Account Policies > Account Lockout Policy
  • Account lockout threshold = 0 invalid logon attempts

    This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out.

    Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password-protected screen savers count as failed logon attempts.

    Default: 0.

Account Policies > Kerberos Policy
  • Enforce user logon restrictions = Enabled

    This security setting determines whether the Kerberos V5 Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the user account. Validation of each request for a session ticket is optional, because the extra step takes time and it may slow network access to services.

    Default: Enabled.

  • Maximum lifetime for service ticket = 600 minutes

    This security setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. The setting must be greater than 10 minutes and less than or equal to the setting for Maximum lifetime for user ticket.

    If a client presents an expired session ticket when it requests a connection to a server, the server returns an error message. The client must request a new session ticket from the Kerberos V5 Key Distribution Center (KDC). Once a connection is authenticated, however, it no longer matters whether the session ticket remains valid. Session tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the session ticket that is used to authenticate the connection expires during the connection.

    Default: 600 minutes (10 hours).

  • Maximum lifetime for user ticket = 10 hours

    This security setting determines the maximum amount of time (in hours) that a user's ticket-granting ticket (TGT) may be used.

    Default: 10 hours.

  • Maximum lifetime for user ticket renewal = 7 days

    This security setting determines the period of time (in days) during which a user's ticket-granting ticket (TGT) may be renewed.

    Default: 7 days.

  • Maximum tolerance for computer clock synchronization = 5 minutes

    This security setting determines the maximum time difference (in minutes) that Kerberos V5 tolerates between the time on the client clock and the time on the domain controller running Windows Server 2003 that provides Kerberos authentication.

    To prevent "replay attacks," Kerberos V5 uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the domain controller need to be in sync as much as possible. In other words, both computers must be set to the same time and date. Because the clocks of two computers are often out of sync, administrators can use this policy to establish the maximum acceptable difference to Kerberos V5 between a client clock and domain controller clock. If the difference between a client clock and the domain controller clock is less than the maximum time difference that is specified in this policy, any time stamp that is used in a session between the two computers is considered to be authentic.

    Important

    This setting is not persistent on pre-Vista platforms. If you configure this setting and then restart the computer, this setting reverts to the default value.

    Default: 5 minutes.

Local Policies > Security Options
  • Network access: Allow anonymous SID/name translation = Disabled

    This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user.

    If this policy is enabled, an anonymous user can request the SID attribute for another user. An anonymous user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name. This setting affects both the SID-to-name translation as well as the name-to-SID translation.

    If this policy setting is disabled, an anonymous user cannot request the SID attribute for another user.

    Default on workstations and member servers: Disabled.
    Default on domain controllers running Windows Server 2008 or later: Disabled.
    Default on domain controllers running Windows Server 2003 R2 or earlier: Enabled.

  • Network security: Do not store LAN Manager hash value on next password change = Enabled

    This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database, the passwords can be compromised if the security database is attacked.

    Default on Windows Vista and above: Enabled.
    Default on Windows XP: Disabled.

    Important

    Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0.
    This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98.

  • Network security: Force logoff when logon hours expire = Disabled

    This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component.

    When this policy is enabled, it causes client sessions with the SMB server to be forcibly disconnected when the client's logon hours expire.

    If this policy is disabled, an established client session is allowed to be maintained after the client's logon hours have expired.

    Default: Enabled.

    Note: This security setting behaves as an account policy. For domain accounts, there can be only one account policy. The account policy must be defined in the Default Domain Policy, and it is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from the Default Domain Policy Group Policy object (GPO), even if there is a different account policy applied to the organizational unit that contains the domain controller. By default, workstations and servers that are joined to a domain (for example, member computers) also receive the same account policy for their local accounts. However, local account policies for member computers can be different from the domain account policy by defining an account policy for the organizational unit that contains the member computers. Kerberos settings are not applied to member computers.

Public Key Policies > Encrypting File System
  • Issued To Administrator