Group Policy
From AlphaBook
Group Policy Object Features
- GPO Security Filtering - The settings in this GPO can only apply to the following groups, users, and computers:
- GPO Settings - A general report of the GPO
- WMI Filtering - For example, apply to Windows 7 only
- Block Inheritance
- Enforced
- Link Order (the lowest link order has the highest priority)
Apply order
- Local policy -> Site group policy -> Domain group policy -> OU group policy -> Sub-OU group policy (highest priority)
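
An added example (not from the original page) that models the apply order above together with Link Order, Enforced and Block Inheritance, using their standard Group Policy behaviour, which the page lists but does not spell out. The GPO names, containers and setting values are constructed, and `Link`, `Container`, `processing_order` and `effective` are hypothetical names.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str                      # hypothetical GPO name
    order: int                    # link order in its container; 1 = highest priority
    settings: dict
    enforced: bool = False

@dataclass
class Container:                  # a site, domain, OU or sub-OU
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def processing_order(local, chain):
    """chain runs site -> domain -> OU -> sub-OU; later links in the result win."""
    normal, enforced = [], []
    for c in chain:
        if c.block_inheritance:
            normal = []           # drops non-enforced links from containers above
        hits = sorted(c.links, key=lambda l: l.order, reverse=True)  # order 1 last
        normal += [l for l in hits if not l.enforced]
        enforced.insert(0, [l for l in hits if l.enforced])  # higher container later
    return [local] + normal + [l for group in enforced for l in group]

def effective(local, chain):      # setting name -> (value, GPO that supplied it)
    result = {}
    for link in processing_order(local, chain):
        for key, value in link.settings.items():
            result[key] = (value, link.gpo)
    return result

# Constructed sample hierarchy; setting names are shortened labels.
LOCAL = Link("Local policy", 1, {"Desktop Wallpaper": "local.jpg"})
CHAIN = [
    Container("Site"),
    Container("Domain", [
        Link("Domain Baseline", 1, {"Offline Files": "Disabled"}, enforced=True),
        Link("Domain Desktop", 2, {"Desktop Wallpaper": "corp.jpg",
                                   "Remote Desktop": "Disabled"})]),
    Container("OU Servers", block_inheritance=True, links=[
        Link("Server Ops", 1, {"Remote Desktop": "Enabled", "Offline Files": "Manual"})]),
    Container("Sub-OU Kiosk", [Link("Kiosk A", 1, {"Desktop Wallpaper": "kiosk.jpg"}),
                               Link("Kiosk B", 2, {"Desktop Wallpaper": "old.jpg"})]),
]

if __name__ == "__main__":
    print(effective(LOCAL, CHAIN))
```

In the sample, Block Inheritance on the OU removes the non-enforced domain GPO, while the enforced domain GPO still overrides the OU's own value for the same setting.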
Default Domain Policy
- Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy
  - Enforce password history - 24 passwords remembered
  - Maximum password age - 42 days
  - Minimum password age - 1 day
  - Password must meet complexity requirements - Enabled
    - Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
    - Be at least six characters in length
    - Contain characters from three of the following four categories
  - Store passwords using reversible encryption - Disabled
- Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy
  - Account lockout threshold - 0 invalid logon attempts (Disabled)
- Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Kerberos Policy
  - Maximum tolerance for computer clock synchronization - 5 minutes
- ... ...
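
An added example, not part of the original page: it compares a security template, such as one written by `secedit /export /cfg`, with the Default Domain Policy values listed above and reports each difference. The INF section and key names are those of the security-template format and do not appear on the page; the sample template is constructed.

```python
import codecs
import configparser

# Values this page lists for the Default Domain Policy, under assumed INF names.
PAGE_VALUES = {
    ("System Access", "PasswordHistorySize"): 24,
    ("System Access", "MaximumPasswordAge"): 42,
    ("System Access", "MinimumPasswordAge"): 1,
    ("System Access", "PasswordComplexity"): 1,
    ("System Access", "ClearTextPassword"): 0,    # reversible encryption disabled
    ("System Access", "LockoutBadCount"): 0,      # account lockout threshold
    ("Kerberos Policy", "MaxClockSkew"): 5,
}

def parse_template(raw: bytes) -> configparser.ConfigParser:
    """Parse template bytes; these files are normally UTF-16 with a BOM."""
    bom = raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE))
    text = raw.decode("utf-16" if bom else "utf-8-sig")
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   strict=False, allow_no_value=True)
    cp.optionxform = str                          # keep key case as written
    cp.read_string(text)
    return cp

def drift(raw: bytes) -> dict:
    """Return {(section, key): (page value, found value)}; None = absent/non-numeric."""
    cp = parse_template(raw)
    out = {}
    for (section, key), expected in PAGE_VALUES.items():
        value = cp.get(section, key, fallback=None)
        try:
            found = int(value)
        except (TypeError, ValueError):
            found = None
        if found != expected:
            out[(section, key)] = (expected, found)
    return out

# Constructed sample export, not taken from a real domain.
SAMPLE = (
    "[Unicode]\r\nUnicode=yes\r\n"
    "[System Access]\r\nMinimumPasswordAge = 1\r\nMaximumPasswordAge = 90\r\n"
    "PasswordComplexity = 1\r\nPasswordHistorySize = 24\r\n"
    "LockoutBadCount = 5\r\nClearTextPassword = 0\r\n"
    '[Version]\r\nsignature="$CHICAGO$"\r\nRevision=1\r\n'
).encode("utf-16")

if __name__ == "__main__":
    for (section, key), (want, got) in drift(SAMPLE).items():
        print(f"[{section}] {key}: page lists {want}, template has {got}")
```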
Default Domain Controllers Policy
- Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment
  - Add workstations to domain - NT AUTHORITY\Authenticated Users
- ... ...
Customized group policy
- Password Policy
  - Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history
  - Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age
  - Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password age
  - Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length
  - Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements
  - Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption
- Account Lockout Policy
  - Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration
  - Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold
  - Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after
- Interactive logon message
  - Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message text for users attempting to log on
  - Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message title for users attempting to log on
- System Services
  - Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Offline Files (Automatic/Manual/Disabled)
- Enable Remote Desktop
  - Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Session Host\Connections\Allow users to connect remotely by using Remote Desktop Services
  - Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound Remote Desktop exceptions
- Windows Firewall
  - Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
  - Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Inbound Rules
  - Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Outbound Rules
- Certificate
  - Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities
- Audit User Account Management (includes user account lockout, Event ID 4740)
  - Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Account Management\Audit User Account Management
- Windows Update
  - Computer Configuration\Policies\Windows Settings\Administrative Templates\Windows Components\Windows Update\Specify intranet Microsoft update service location
  - Computer Configuration\Policies\Windows Settings\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates (Auto download and notify for install)
- Registry
  - Computer Configuration\Preferences\Windows Settings\Registry
- Network Shares
  - Computer Configuration\Preferences\Windows Settings\Network Shares
- Local Users and Groups
  - Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups
- Desktop Wallpaper
  - User Configuration\Policies\Administrative Templates\Desktop\Desktop Wallpaper
- Internet Explorer
  - User Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer
- ... ...