Forum Discussion

wbaumgardt's avatar
wbaumgardt
Copper Contributor
Jan 18, 2024

Question Regarding Server 2022 Domain & Controller MSCT baselines

I have a basic 'Newbie' question regarding the MSCT baselines.   I see the GPO for 'MSFT Windows Server 2022 - Domain Controller' and also 'MSFT Windows Server 2022 - Member Server'.  I just want to ...
compliance
security baseline
  • criiser's avatar
    criiser
    Copper Contributor
    Apr 08, 2024

    AaronMargosis_Tanium - Does the MSFT replace "Default Domain Controller Policy" aswell? If not, Should MSFT be higher linked than Default Domain Controller Policy?

    • AaronMargosis_Tanium's avatar
      AaronMargosis_Tanium
      Iron Contributor
      Apr 09, 2024

      criiser - the recommended policies in the Security Compliance Toolkit baselines should take precedence over the built-in default GPOs. 

    • katPedraza's avatar
      katPedraza
      Icon for Microsoft rankMicrosoft
      May 23, 2024
      No they do not replace the default domain controller policy. They are an enhancement to them. Take a look at the implementing security baselines on the premier/unified side of the hours. none of the settings should overlap the default domain controller policy, but you can verify that by utilizing the policy analyzer too.
      • AaronMargosis_Tanium's avatar
        AaronMargosis_Tanium
        Iron Contributor
        May 24, 2024

        katPedraza-- I think you're mistaken about that. The SCT's baselines for DCs have many settings that intentionally override the "Default Domain Controllers Policy" that ships in Windows and that is created automatically on DCs. Just as a couple of examples, the baselines' SeBackupPrivilege and SeRestorePrivilege user rights assignments intentionally override the default and grant the privilege only to Administrators.
        (Also, you accidentally marked criiser's question as the "Microsoft Verified Best Answer."))

Resources