I am working on securing some domain controllers that need to meet the STIG standards. I noticed that there are certain GPOs that can only be changed through the Default Domain Controllers GPO. I was searching around for an official list of what policies have to be changed through the Default Domain Controllers Policy.
Also I noticed that when I made some changes to some of the policies it didn't propagate to the domain controller (had to do it manually). Here are a few I had to do manually:
Remote Desktop (set in local policy on the DC):
admin templates > windows components > remote desktop services > remote desktop session host > printer redirection > redirect only the default client printer, set to enabled
admin templates > windows components > remote desktop services > remote desktop session host > remove "Disconnect" option from shut down dialog, set to enabled
admin templates > windows components > remote desktop services > remote desktop session host > device and resource redirection > do not allow smart card device redirection, set to disabled
admin templates > windows components > remote desktop services > remote desktop session host > device and resource redirection > do not allow supported plug and play device redirection, set to enabled
admin templates > windows components > remote desktop services > remote desktop session host > device and resource redirection > do not allow LPT port redirection, set to enabled
admin templates > windows components > remote desktop services > remote desktop session host > device and resource redirection > do not allow COM port redirection, set to enabled
admin templates > windows components > remote desktop services > remote desktop session host > device and resource redirection > do not allow clipboard redirection, set to enabled
I noticed that pretty much none of the Windows Components settings replicated to the domain controller, and I ended up having to do those manually on the local machine (something I want to avoid, as we will be adding other domain controllers).
I looked through the logs and I didn't see any errors relating to the policies, so I was hoping someone else might be able to shed some light on my issue.
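One way to tell whether these settings were delivered by a domain GPO or only by local policy is to compare the policy registry values on the DC against the intended state and then list the GPOs the computer actually applied. This is an added PowerShell example, not from the original post; the registry value names are my reading of the TerminalServer.admx definitions and should be verified against the ADMX in your central store.

```powershell
# Added example, not from the original post: on a DC, check whether each RDS
# redirection setting listed above is present under the policy registry keys,
# then list which GPOs the computer side actually applied (RSoP). Registry value
# names are an assumption taken from the TerminalServer.admx definitions.
Import-Module GroupPolicy -ErrorAction Stop   # GPMC tools, present on a DC with AD DS tools

$Ts  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$Exp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Target state from the post. "Do not allow smart card device redirection = Disabled"
# writes fEnableSmartCard=1; the other "Do not allow" policies set their flag to 1.
$Checks = @(
    @{ Setting='Redirect only the default client printer = Enabled';                Key=$Ts;  Name='RedirectOnlyDefaultClientPrinter'; Want=1 }
    @{ Setting='Remove "Disconnect" option from Shut Down dialog = Enabled';        Key=$Exp; Name='NoDisconnect';                     Want=1 }
    @{ Setting='Do not allow smart card device redirection = Disabled';             Key=$Ts;  Name='fEnableSmartCard';                 Want=1 }
    @{ Setting='Do not allow supported Plug and Play device redirection = Enabled'; Key=$Ts;  Name='fDisablePNPRedir';                 Want=1 }
    @{ Setting='Do not allow LPT port redirection = Enabled';                       Key=$Ts;  Name='fDisableLPT';                      Want=1 }
    @{ Setting='Do not allow COM port redirection = Enabled';                       Key=$Ts;  Name='fDisableCcm';                      Want=1 }
    @{ Setting='Do not allow Clipboard redirection = Enabled';                      Key=$Ts;  Name='fDisableClip';                     Want=1 }
)

$Results = foreach ($c in $Checks) {
    # Missing key or value just yields $null here, which we report as MISSING
    $actual = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    [pscustomobject]@{
        Setting = $c.Setting
        Value   = if ($null -eq $actual) { 'not set' } else { $actual }
        Status  = if ($actual -eq $c.Want) { 'OK' } elseif ($null -eq $actual) { 'MISSING' } else { 'WRONG' }
    }
}
$Results | Format-Table -AutoSize

# Which GPOs did the computer side actually apply? Local policy writes to the same
# HKLM\SOFTWARE\Policies keys, so only this list shows whether a domain GPO delivered
# the setting, and whether it was denied by security filtering or WMI filtering.
$report = Join-Path $env:TEMP 'rsop-computer.xml'
Get-GPResultantSetOfPolicy -Computer $env:COMPUTERNAME -ReportType Xml -Path $report | Out-Null
[xml]$rsop = Get-Content -Path $report
$rsop.Rsop.ComputerResults.GPO |
    Select-Object Name, Enabled, IsValid, AccessDenied, FilterAllowed,
                  @{ n='LinkedAt'; e={ $_.Link.SOMPath } } |
    Format-Table -AutoSize
```

Run it in an elevated session on the DC after `gpupdate /force`; a setting that shows OK while its GPO is absent from the RSoP list was written by the local policy edit rather than by the domain.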