To define or not to define that is the question

[blemoine]

i have an auditor who wants me to define every setting in the Domain Controller Security policy and in the Domain security policy. Is this really necessary? what would be a reason why you wouldn't define every single setting? I have things defined but just not every last one. i always thought you only defined policy settings that you need to define and not do it just to do it.

 

[coupland]

Yeah, I've found people who do audit generally do so because it doesn't require any technical skill whatsoever, nor does it require working nights and weekends to actually *implement* the crazy requirements they drop in people's laps. It's a wonderful way to make a living, if you can get it. Obviously setting policies simply for the sake of it will increase replication traffic and login times, particularly over slow links. For example, I know of one banking customer who defines hundreds of group policies and have no DC at their local branches, and login times are about 20 minutes. Where a group policy is explicitly defining settings that can be changed by the client it can be useful, but if it's simply redundant there's no point and the auditor should be challenged to provide supporting documentation.