Examples of such abuse include modifying GPOs to push a malicious Scheduled Task to computers throughout the domain environment or modifying domain trusts to include an adversary controlled domain where they can control access tokens that will subsequently be accepted by victim domain resources.
Since domain configuration settings control many of the interactions within the Active Directory (AD) environment, there are a great number of potential attacks that can stem from this abuse. With sufficient permissions, adversaries can modify domain policy settings. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts. The policy of the domain also includes configuration settings that may apply between domains in a multi-domain/forest environment. Domains provide a centralized means of managing how computer resources (ex: computers, user accounts) can act, and interact with each other, on a network. Note: By default this command will not run if the version of the OS does not match that of the Schema version in AD.Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Monitor your systems for any adverse affect and make sure that you have another backup of the GPO’s for future reference. You will notice any changes to the GPO have now been removed or reverted back to the default settings. The command to restore the GPO’s to default is as simple as running the “DCGPOFIX.exe” from a command line and press “Y” twice when prompted. Go on… Its not going to hurt and this will at least give you something to roll back if you need to in the future. TIP: Even if you are not going to run this command I would still make of these Default Domain GPO’s now… right now…. Therefore make sure you have a current back of your default domain so you can easily undo this change if needed (see below). NOTE: Even though we are restoring the default domain GPO’s back to a default setting doing so may still cause more issues.
Edit domain group policy windows#
Well the tool that allows you to do this is called DCGPOFIX and it can be found on any Windows Server 2003 or later windows server.
Of course you have a backup of the GPO’s which are good and you simply restore them….īUT... You have never backed up the default GPO’s and you need to reset the setting…. So... Lets assume you have done everything wrong and either the Default Domain and/or the Default Domain Controller Group Policy objects have been modified and you want to reset them back. Instead, create a new GPO at the domain level and set it to override the default settings in the default policies. On the Group Policy Object Editor window, expand Computer Configuration>Windows Settings>Security Settings. TechNet: Establishing Group Policy Operational Guidelinesĭo not modify the default domain policy or default domain controller policy unless necessary. Right click the Default Domain Policy and click Edit.
Edit domain group policy how to#
The only exception I would make to this rule is when you want to modify the default domain password policy but even then you can create a new password policy GPO linked at the domain level (See Tutorial: How to setup Default and Fine Grain Password Policy )Įven if you don’t want to take my word for it here is a reference on the TechNet web site say pretty much the same thing… If you have ever read my Best Practice for Group Policy blog post then you will know that I encourage you to edit the default domain GPO’s sparingly.