August 03, 2006, 3:10 PM
Always leaving yourself an out is good advice when it comes to playing poker, and it's a good idea when it comes to managing Windows networks too. Group Policy is one place where it's easy to back yourself into a corner. There are literally thousands of policy settings you can configure, and if you accidentally configure the wrong setting in your Default Domain Policy, you might end up with hundreds of phone calls to your support desk asking for help. That's because any change you make to your Default Domain Policy automatically affects every user on your Windows network.
Messing around with your Default Domain Controllers Policy can be even more dangerous. Domain controllers are the heart of your network, as they contain the Active Directory database and control all access to your network resources. That means making a mistake when editing your Default Domain Controllers Policy can have drastic results, including users who suddenly can no longer log onto their machines or who are unable to access intranet websites, shared folders or network printers. Talk about impacting your business processes!
What can you do to prevent such scenarios from happening? Simple: never modify either your Default Domain Policy or Default Domain Controllers Policy. Instead, do the following: create two new Group Policy Objects (GPOs) to replace them. You might call the first your Company Domain Policy and the second Company Domain Controllers Policy, and link the first GPO to your domain container and the second to your Domain Controllers organizational unit. Then when you need to apply a particular policy setting to every user or computer in your domain, configure this setting in your Company Domain Policy. Similarly, when you need to configure a setting on all your domain controllers, edit your Company Domain Controllers Policy. This way, if you mess things up in either of these two policies, you can always disable them and fall back to your two default policies while you troubleshoot the problem.
But what if you've already made modifications to your Default Domain Policy or Default Domain Controllers Policy? In that case, you'll need to tread a little more carefully. You can copy the existing settings from your Default Domain Policy to a new GPO as follows. First, open the Group Policy Management Console (GPMC), right-click on your Default Domain Policy GPO, select Back Up and back up your policy to a folder on your domain controller. Next, create a new GPO named Company Domain Policy and make sure it's linked to the domain. Now right-click on your Company Domain Policy, select Import Settings and import the settings from the backed-up copy of your Default Domain Policy into your Company Domain Policy. Repeat these steps with your Default Domain Controllers Policy. The result is that you will now have duplicates, or clones, of both your Default Domain Policy and Default Domain Controllers Policy: Company Domain Policy and Company Domain Controllers Policy.
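The backup, create, link and import steps above, together with the "disable and fall back" step from the previous paragraph, can also be scripted. This is an added example, not part of the original tip: it uses the GroupPolicy PowerShell module (shipped with GPMC on Windows Server 2008 R2 and later), and the domain DN, the backup folder and the helper name `Disable-CompanyPolicyLink` are assumed placeholders.

```powershell
# Added example: scripted equivalent of the GPMC clone procedure.
# Assumptions: $DomainDN and $BackupPath are placeholders for your environment.
Import-Module GroupPolicy

$DomainDN   = 'DC=example,DC=com'   # placeholder domain
$BackupPath = 'C:\GPOBackups'       # placeholder folder on the domain controller

# Each default GPO, the clone that replaces it, and where the clone is linked.
$Clones = @(
    @{ Source = 'Default Domain Policy'
       Target = 'Company Domain Policy'
       LinkTo = $DomainDN },
    @{ Source = 'Default Domain Controllers Policy'
       Target = 'Company Domain Controllers Policy'
       LinkTo = "OU=Domain Controllers,$DomainDN" }
)

New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null

foreach ($c in $Clones) {
    # Never overwrite a clone that already exists and may carry newer edits.
    if (Get-GPO -Name $c.Target -ErrorAction SilentlyContinue) {
        Write-Warning "$($c.Target) already exists; skipping."
        continue
    }

    # 1. Back up the default GPO (GPMC: right-click > Back Up).
    $backup = Backup-GPO -Name $c.Source -Path $BackupPath -Comment 'Pre-clone backup'

    # 2. Create the replacement GPO and link it to the domain or the DC OU.
    New-GPO -Name $c.Target | Out-Null
    New-GPLink -Name $c.Target -Target $c.LinkTo -LinkEnabled Yes | Out-Null

    # 3. Import the backed-up settings into the new GPO (GPMC: Import Settings).
    Import-GPO -BackupId $backup.Id -Path $BackupPath -TargetName $c.Target | Out-Null
}

# Fallback: disable a clone's link so only the default policy applies
# while you troubleshoot. Hypothetical helper name.
function Disable-CompanyPolicyLink {
    param([string]$Name, [string]$Target)
    Set-GPLink -Name $Name -Target $Target -LinkEnabled No
}
```

After the run, `Get-GPOReport -Name 'Company Domain Policy' -ReportType Html -Path <file>` produces a settings report you can compare against the default GPO before making further changes.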













