The default domain policy is a powerful tool that allows you to set permissions for who can read and write to your domain. It’s important that you know what the default domain policy settings are before making any changes.
This blog post will cover the different options available, as well as some of the pros and cons of each one.
Who’s Included? This setting determines who has read/write capabilities to the default domain policy. There are five options, which is listed below in order of least restrictive to most restrictive and a brief description for each one.
Read-only – Users have read permission but cannot write anything back or make changes.
Write access – All users can change permissions using this option; however, it doesn’t always work as expected and should not be used on servers that store sensitive information because all settings will revert when the server restarts if you choose this option.
Administrators group only (i) – Selecting this option limits your ability to manage permission through Group Policy Editor by requiring administrator privileges at every level.