Implementing KB977321 against a single Domain Controller.
Hello,
I've recently posted a question with the title "Kerberos issue after upgrading DCs to W2K8r2" to the "Directory Services" forum (please see that posting for background detail on this issue).
Their recommendation was to implement a new GPO linked to the Default Domain Controller Policy but filtered to apply just to the DC configured against the CAS service that requires DES encryption.
I have no problem creating the GPO itself. My questions are the following.
1) Is creating a new GPO linked against the "Domain Controllers" OU for this domain, but filtered to apply only to the single DC in question, an acceptable solution to this problem from your point of view? I don't want to create more problems by using a poorly thought out solution.
2) Can I filter for that single DC by simply adding its machine account name to the Security Filtering section of the new GPO, or should I create a special group, add that DC to that group, and filter using that group in the Security Filtering section of the new GPO? I also assume that since this GPO will only have a single "computer configuration" setting enabled, no user references (Authenticated Users, Domain Users, etc.) should be added to the filtering section, since this GPO is applied at the computer [machine-to-machine] level only.
3) Since GPOs automatically take effect (are re-read) after a period of time, I don't need to reboot the affected DC to enable this unless I want it to take effect immediately, and this statement is as true for DCs as for other domain machines.
I hope these questions are understandable; if not, please let me know and I'll attempt to clarify.
Thanks for your comments.
Bill
August 21st, 2011 8:30pm
Hi Bill,
In this situation, it’s OK to create a new GPO, link to the Domain Controllers OU and filter to only apply to the DC in question.
In the Security Filtering section, please understand that the Authenticated Users group includes both users and computers. So we must remove the Authenticated Users group from the Security Filtering section first, then add the single DC. As there is only one DC to add, you can add the machine name of this DC directly.
Meanwhile, some of the policies in Security Settings do not need a reboot to take effect. They take effect at the next refresh of settings or after running the "gpupdate /force" command. I have tested the policy [Network security: Configure encryption types allowed for Kerberos] and it took effect after the refresh of the settings.
Hope this helps.
Regards,
Bruce
Forum Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
August 23rd, 2011 10:43am
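The procedure Bruce describes (new GPO linked to the Domain Controllers OU, Authenticated Users removed from Security Filtering, the single DC's computer account added, the Kerberos encryption-types policy set, then a refresh instead of a reboot) as a PowerShell script. This is an added example, not code from the thread or from Microsoft; it uses the GroupPolicy module that ships with GPMC/RSAT. The GPO name, the DC name "DC01", and the domain "corp.example" are placeholders, and the DC must allow PowerShell remoting for the two Invoke-Command steps. Note that Set-GPRegistryValue writes the value to registry.pol (Administrative Templates), so GPMC shows it under "Extra Registry Settings" rather than under Security Options, but it is the same SupportedEncryptionTypes value the policy [Network security: Configure encryption types allowed for Kerberos] controls.

```powershell
# Added example: scope a Kerberos encryption-types GPO to one Domain Controller.
# Assumptions (placeholders): GPO name, DC name "DC01", domain corp.example.
Import-Module GroupPolicy

$gpoName  = 'DC01 - Allow DES for Kerberos (KB977321)'
$dcName   = 'DC01'
$dcOU     = 'OU=Domain Controllers,DC=corp,DC=example'
$kerbKey  = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

# Bit values behind "Configure encryption types allowed for Kerberos".
# Enabling DES only would break AES/RC4 clients, so keep the modern types on
# and add DES next to them. DES is weak; that is why the GPO is scoped to one DC.
$encTypes = @{
    DES_CBC_CRC  = 0x01
    DES_CBC_MD5  = 0x02
    RC4_HMAC_MD5 = 0x04
    AES128_HMAC  = 0x08
    AES256_HMAC  = 0x10
}
$supported = 0
$encTypes.Values | ForEach-Object { $supported = $supported -bor $_ }   # 0x1F

# 1) Create the GPO and link it to the Domain Controllers OU.
$gpo = New-GPO -Name $gpoName -Comment 'Permits DES Kerberos tickets on a single DC only.'
New-GPLink -Name $gpoName -Target $dcOU -LinkEnabled Yes | Out-Null

# 2) Security filtering: Authenticated Users covers computers too, so remove it,
#    then grant Read+Apply to the one DC computer account. Because the trustee is
#    the computer account itself, the GPO is still readable by that computer after
#    the MS16-072 change to how computers retrieve policy.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None | Out-Null
Set-GPPermission -Name $gpoName -TargetName $dcName -TargetType Computer -PermissionLevel GpoApply | Out-Null

# 3) The single computer-configuration setting.
Set-GPRegistryValue -Name $gpoName -Key $kerbKey -ValueName 'SupportedEncryptionTypes' `
    -Type DWord -Value $supported | Out-Null

# 4) No reboot: force a policy refresh on the DC and verify the applied value.
Invoke-Command -ComputerName $dcName -ScriptBlock { gpupdate /target:computer /force } | Out-Null
$applied = Invoke-Command -ComputerName $dcName -ScriptBlock {
    (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' `
        -Name SupportedEncryptionTypes).SupportedEncryptionTypes
}

# Show who the GPO applies to and whether the DC picked up the value.
Get-GPPermission -Name $gpoName -All | Select-Object Trustee, TrusteeType, Permission
if ($applied -eq $supported) {
    "OK: $dcName reports SupportedEncryptionTypes = 0x{0:X}" -f $applied
} else {
    "Mismatch: expected 0x{0:X}, $dcName reports '{1}'" -f $supported, $applied
}
```

Run this once from a management host as a Domain Admin; afterwards `Get-GPPermission -Name $gpoName -All` should list only the DC computer account with GpoApply (plus the default Domain Admins, Enterprise Admins, ENTERPRISE DOMAIN CONTROLLERS and SYSTEM entries), and `gpresult /r /scope:computer` on the other DCs should show the GPO as filtered out.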
Bruce, sorry for the delay. I read your answer earlier but didn't get a chance to respond back at that time.
Thanks very much for your advice above...!!! It was timely, clear, and very useful.
I appreciate the support these forums offer us because of support staff like you.
Hope you have a wonderful day.
Bill
August 23rd, 2011 11:47pm
Hi Bill,
Glad to hear the information we provided was useful. Welcome to post in our forum again if you meet any difficulties or questions in using Microsoft products.
Thanks and have a nice day.
Regards,
Bruce
August 24th, 2011 5:00am