Default Domain Policies: Windows Server 2003 SP2 / Windows Server 2008 R2
By: Brenton Blawat
What would seem like a quick reference item to find on Google seems to have been lost among the billions of web pages. This article is intended as a quick reference to the Default Domain Policy settings for Windows Server 2003 SP2 and Windows Server 2008 R2. Please note that while some of the policies appear to be identical, the hierarchical structure (the GPMC path) behind the policies is different.
Default Domain Policies: Windows Server 2003 SP2
+ Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
- Enforce Password History = 24 Passwords
- Maximum Password Age = 42 Days
- Minimum Password Age = 1 Days
- Minimum Password Length = 7 Characters
- Password must meet complexity requirements = Enabled
- Store Passwords using reversible encryption = Disabled
+ Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy
- Account lockout threshold = 0 invalid logon attempts
+ Computer Configuration > Windows Settings > Security Settings > Account Policies > Kerberos Policy
- Enforce user logon restrictions = Enabled
- Maximum lifetime for service ticket = 600 minutes
- Maximum lifetime for user ticket = 10 hours
- Maximum lifetime for user ticket renewal = 7 days
- Maximum tolerance for computer clock synchronization = 5 minutes
+ Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
- Network Security: Force Logoff when logon hours expire = Disabled
+ Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Encrypting File System
- Administrator Issued File Recovery Certificate
+ User Settings > Windows Settings > Security Settings > Public Key Policies > Autoenrollment Settings
- Enroll Certificates Automatically
Default Domain Policies: Windows Server 2008 R2 64-bit
+ Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy
- Enforce Password History = 24 Passwords
- Maximum Password Age = 42 Days
- Minimum Password Age = 1 Days
- Minimum Password Length = 7 Characters
- Password must meet complexity requirements = Enabled
- Store Passwords using reversible encryption = Disabled
+ Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy
- Account lockout threshold = 0 invalid logon attempts
+ Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy
- Enforce user logon restrictions = Enabled
- Maximum lifetime for service ticket = 600 minutes
- Maximum lifetime for user ticket = 10 hours
- Maximum lifetime for user ticket renewal = 7 days
- Maximum tolerance for computer clock synchronization = 5 minutes
+ Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
- Network access: Allow anonymous SID/Name translation = Disabled
- Network security: Do not store LAN Manager hash value on next password change = Enabled
- Network Security: Force Logoff when logon hours expire = Disabled
+ Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Encrypting File System
- Administrator Issued File Recovery Certificate
+ Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities
- Allow users to select new root certification authorities (CAs) to trust = Enable
- Client computers can trust the following certificate stores = Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
- To perform certificate-based authentication of users and computers, CAs must meet the criteria = Registered in Active Directory only
Default Domain Policy Differences: Windows Server 2003 / Windows Server 2008
Default Domain Policy settings added in Windows Server 2008
+ Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
- Network access: Allow anonymous SID/Name translation = Disabled
- Network security: Do not store LAN Manager hash value on next password change = Enabled
+ Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities
- Allow users to select new root certification authorities (CAs) to trust = Enable
- Client computers can trust the following certificate stores = Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
- To perform certificate-based authentication of users and computers, CAs must meet the criteria = Registered in Active Directory only
Default Domain Policy settings removed in Windows Server 2008
+ User Settings > Windows Settings > Security Settings > Public Key Policies > Autoenrollment Settings
- Autoenrollment Settings: Enroll Certificates Automatically
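A quick way to check whether a live domain still matches the Password Policy and Account Lockout Policy defaults listed above (they are the same on both server versions). This is an added example, not part of the original article; it assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later) and read access to the domain.

```powershell
# Added example: compare the domain's effective password/lockout policy
# against the documented Default Domain Policy values from this article.
Import-Module ActiveDirectory

# Documented defaults (identical for Windows Server 2003 SP2 and 2008 R2).
# Property names match those returned by Get-ADDefaultDomainPasswordPolicy.
$expected = @{
    PasswordHistoryCount        = 24                       # 24 passwords
    MaxPasswordAge              = New-TimeSpan -Days 42    # 42 days
    MinPasswordAge              = New-TimeSpan -Days 1     # 1 day
    MinPasswordLength           = 7                        # 7 characters
    ComplexityEnabled           = $true                    # complexity = Enabled
    ReversibleEncryptionEnabled = $false                   # reversible encryption = Disabled
    LockoutThreshold            = 0                        # 0 = accounts never lock out
}

# Effective policy as applied at the domain root (not the GPO text itself).
$policy = Get-ADDefaultDomainPasswordPolicy

foreach ($name in ($expected.Keys | Sort-Object)) {
    $actual = $policy.$name
    [pscustomobject]@{
        Setting  = $name
        Expected = $expected[$name]
        Actual   = $actual
        Drift    = ($actual -ne $expected[$name])
    }
}

# Kerberos Policy and Security Options are not exposed by this cmdlet; pull
# the GPO report (GroupPolicy module) to review those settings:
#   Get-GPOReport -Name 'Default Domain Policy' -ReportType Xml
```

A row with Drift = True means the domain no longer carries the shipped default for that setting; note that LockoutThreshold = 0 is the shipped default even though it disables lockout entirely.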
** NOTE: All re-productions / digital copies of this content must be approved in writing by an authorized representative of BIT Tangents.**