Group Policy enables organizations to control a wide variety of activities across the IT environment. For example, you can use Group Policy to prevent the use of USB drives, run a certain script when the system starts up or shuts down, deploy software, or force a particular home page to open for every Active Directory user in the network.
This guide provides both general Group Policy best practices and recommendations for specific settings. It also offers guidance for troubleshooting issues with your Group Policy objects (GPOs).
Having a good OU structure makes it easier to apply and troubleshoot Group Policy. In particular, putting Active Directory users and computers in separate OUs makes it easier to apply computer policies to all computers and user policies to all users.
Note that the root Users and Computers folders in Active Directory are not OUs. If a new user or computer object appears in these folders, move it to the appropriate OU immediately.
To delegate permissions to specific users or groups, put those objects in an appropriate nested OU (sub OU) and link the GPO to it. For instance, within the Users OU, you might create a sub OU for each department and link GPOs to those sub OUs.
Being able to determine what a GPO does simply by looking at the name will make Group Policy administration much easier. For example, you might use the following prefixes:
Add a comment to each GPO explaining its purpose and settings. This will make your Group Policy more transparent and easier to maintain.
Several GPOs can apply to the same Active Directory object at the same time. They are applied in a specific order, and settings in later-applied GPOs override those set by previously applied GPOs. This order is LSDOU, which stands for:
Align each GPO with a specific purpose, so it’s easier to manage them and understand inheritance. Here are some examples of tightly focused GPOs:
However, keep in mind that loading many small GPOs can require more time and processing at logon than having a few GPOs that each have more settings.
Any GPO set at the domain level will be applied to all Active Directory objects in the domain, which could lead to some settings being applied to inappropriate users and computers. The only GPO that should be set at the domain level is the Default Domain Policy.
Instead, apply GPOs at the OU level. A sub OU inherits the policies applied to its parent OU; you don’t need to link the policy to each sub OU. If you have users or computers that you don’t want to inherit a setting, put them in their own OU.
Blocking policy inheritance and enforcing GPOs both make Group Policy management and troubleshooting much more difficult. Instead, strive for a well-designed OU structure that makes these settings unnecessary.
Disabling a GPO will keep it from being applied to any OU in the domain, which could cause problems. Therefore, if a GPO is linked to a particular OU where you don’t want it to be applied, delete the link instead of disabling the GPO. Deleting the link will not delete the GPO.
Administrators can explicitly deny a user or group the ability to apply a specific GPO, thereby excluding it from that GPO. While this functionality can be useful in certain scenarios, it can easily lead to unintended consequences because it will not be obvious that a GPO is not being applied to certain objects. To find out which users or groups have been excluded, administrators would need to examine each GPO separately.
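The three recommendations above (avoid blocked inheritance and enforcement, remove links rather than disabling GPOs, and beware of explicit Apply Group Policy denials) all share the same problem: none of them is visible from a single place in GPMC. The following script is an added example, not part of the original article or a Netwrix tool; it walks every OU and every GPO in the domain and lists each of these constructs in one report. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed and that the account running it can read the domain's OUs and GPOs.

```powershell
# Added example (not from the article): audit a domain for the Group Policy
# constructs that make troubleshooting hard. Requires the RSAT GroupPolicy and
# ActiveDirectory modules and read access to OUs and GPOs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Type, [string]$Target, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Target = $Target; Detail = $Detail })
}

# 1. Walk the domain root and every OU, inspecting inheritance and link flags.
$containers = @($domain.DistinguishedName) +
              @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

foreach ($dn in $containers) {
    $inheritance = Get-GPInheritance -Target $dn -Domain $domain.DNSRoot
    if ($inheritance.GpoInheritanceBlocked) {
        Add-Finding 'BlockedInheritance' $dn 'OU blocks inheritance from its parents'
    }
    foreach ($link in $inheritance.GpoLinks) {
        if ($link.Enforced)     { Add-Finding 'EnforcedLink' $dn "GPO '$($link.DisplayName)' is enforced here" }
        if (-not $link.Enabled) { Add-Finding 'DisabledLink' $dn "Link to GPO '$($link.DisplayName)' is disabled" }
    }
}

# 2. Walk every GPO: fully disabled GPOs and explicit Deny entries on Apply Group Policy.
foreach ($gpo in Get-GPO -All -Domain $domain.DNSRoot) {
    if ($gpo.GpoStatus -eq 'AllSettingsDisabled') {
        Add-Finding 'DisabledGpo' $gpo.DisplayName 'All settings disabled; remove unwanted links instead'
    }
    foreach ($perm in Get-GPPermission -Guid $gpo.Id -All -Domain $domain.DNSRoot) {
        # GPPermission.Denied is true for an explicit Deny ACE; GpoApply is "Apply Group Policy".
        if ($perm.Denied -and $perm.Permission -eq 'GpoApply') {
            Add-Finding 'DenyApply' $gpo.DisplayName "Apply Group Policy denied to $($perm.Trustee.Name)"
        }
    }
}

$findings | Sort-Object Type, Target | Format-Table -AutoSize
```

Run it before and after any restructuring; an empty report is the goal. For a link that should not apply to a given OU, the fix that matches the advice above is `Remove-GPLink -Name '<GPO name>' -Target '<OU DN>'` rather than changing the GPO's status.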
Changes to GPOs can have profound effects on security, productivity, compliance and more. Therefore, all changes should be planned and fully documented. In addition, you should track all changes to Group Policy and get alerted to critical changes. Unfortunately, both these goals are difficult with native tools: The security logs do not provide a record of exactly which settings were changed, and getting alerts requires PowerShell scripting. For a more comprehensive and convenient approach, invest in a third-party solution like Netwrix Auditor for Active Directory.
To learn more about how to track changes to Group Policy, see the Group Policy Auditing Quick Reference Guide.
If you have a GPO that has computer settings but no user settings, you should disable the User configuration for that GPO to speed GPO processing time.
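Finding the GPOs that qualify by hand means opening each one in GPMC. The script below is an added example, not code from the article; it reads each GPO's XML report, checks whether the User or Computer side actually carries any settings, and either reports or (with `-Apply`) disables the empty side. It assumes the RSAT GroupPolicy module and relies on the `GPO/User/ExtensionData` and `GPO/Computer/ExtensionData` elements that `Get-GPOReport -ReportType Xml` emits only when that side has settings.

```powershell
# Added example (not from the article): find GPOs whose User or Computer side
# contains no settings but is still enabled, and optionally disable that side.
# Assumes the RSAT GroupPolicy module.
Import-Module GroupPolicy

function Get-EmptyGpoSides {
    param([switch]$Apply)   # without -Apply the function only reports

    foreach ($gpo in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        # ExtensionData is only present when a side has at least one setting.
        $userEmpty     = $null -eq $report.GPO.User.ExtensionData
        $computerEmpty = $null -eq $report.GPO.Computer.ExtensionData
        $status        = [string]$gpo.GpoStatus

        $recommend = switch ($true) {
            ($userEmpty -and $computerEmpty)                       { 'Both sides empty: consider deleting the GPO'; break }
            ($userEmpty -and $status -eq 'AllSettingsEnabled')     { 'UserSettingsDisabled'; break }
            ($computerEmpty -and $status -eq 'AllSettingsEnabled') { 'ComputerSettingsDisabled'; break }
            default                                                { $null }
        }
        if (-not $recommend) { continue }

        $canApply = $recommend -in 'UserSettingsDisabled', 'ComputerSettingsDisabled'
        if ($Apply -and $canApply) {
            # GpoStatus is writable; the change is committed to the GPO immediately.
            $gpo.GpoStatus = $recommend
        }
        [pscustomobject]@{
            GPO           = $gpo.DisplayName
            CurrentStatus = $status
            Action        = $recommend
            Applied       = [bool]($Apply -and $canApply)
        }
    }
}

Get-EmptyGpoSides | Format-Table -AutoSize
# Get-EmptyGpoSides -Apply   # run only after reviewing the report above
```

A GPO with both sides empty is deliberately left alone: disabling all of its settings is exactly what the previous section advises against, so it is listed as a deletion candidate instead.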
In addition, be aware of the following additional factors that can cause slow startup and logon times:
WMI contains a huge number of classes that can describe almost any user or computer setting. However, using many WMI filters will slow down user logons and lead to a bad user experience. When possible, use security filters instead because they require fewer resources.
Loopback processing limits user settings to the computer that the GPO is applied to. A common use of loopback processing is when you need certain settings applied only when users log on to particular terminal servers. You need to create a GPO, enable loopback processing, and apply the GPO to the OU that contains those servers.
AGPM provides GPO editing with versioning and change tracking. It is part of the Microsoft Desktop Optimization Pack (MDOP) for Software Assurance.
Configure daily or weekly backup of policies using PowerShell scripting or a third-party solution so that you can always restore them to a known good state.
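A scheduled backup also gives you a crude form of the change tracking the earlier section says native tools lack: comparing each GPO's `ModificationTime` against the previous run tells you which GPOs were touched in between. The script below is an added example, not the article's or Netwrix's code. It assumes the RSAT GroupPolicy module, a backup root of `D:\GPOBackups` (an assumed path), and a 30-day retention window; adjust both to your environment.

```powershell
# Added example (not from the article): scheduled backup of every GPO with
# retention, plus a list of GPOs modified since the previous run.
# Assumes the RSAT GroupPolicy module and a backup root of D:\GPOBackups.
Import-Module GroupPolicy

$backupRoot = 'D:\GPOBackups'    # assumed; use a location that is itself backed up
$keepDays   = 30
$stamp      = Get-Date -Format 'yyyy-MM-dd_HHmm'
$target     = Join-Path $backupRoot $stamp

# Locate the previous run before creating this one, so we can diff against it.
$previous = Get-ChildItem -Path $backupRoot -Directory -ErrorAction SilentlyContinue |
            Sort-Object CreationTime -Descending | Select-Object -First 1
New-Item -ItemType Directory -Path $target -Force | Out-Null

if ($previous) {
    $changed = Get-GPO -All | Where-Object { $_.ModificationTime -gt $previous.CreationTime }
    if ($changed) {
        Write-Host "GPOs modified since $($previous.Name):"
        $changed | Select-Object DisplayName, ModificationTime, Owner | Format-Table -AutoSize
    }
}

# Backup-GPO saves settings and the GPO's security descriptor, but not the
# links to OUs or WMI filters; the HTML report beside each backup records those.
$backups = Backup-GPO -All -Path $target -Comment "Scheduled backup $stamp"
foreach ($b in $backups) {
    $safeName = $b.DisplayName -replace '[\\/:*?"<>|]', '_'
    Get-GPOReport -Guid $b.GpoId -ReportType Html -Path (Join-Path $target "$safeName.html")
}
Write-Host "Backed up $($backups.Count) GPOs to $target"

# Prune runs older than the retention window.
Get-ChildItem -Path $backupRoot -Directory |
    Where-Object { $_.CreationTime -lt (Get-Date).AddDays(-$keepDays) } |
    Remove-Item -Recurse -Force
```

Register the script as a scheduled task on a management host, and restore a single GPO from a run with `Restore-GPO -Name '<GPO name>' -Path '<run folder>'` (or `-All` to roll back every GPO). Because links are not part of the backup, re-check `Get-GPInheritance` on the affected OUs after a restore.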
The following best practices will help you configure your GPOs to ensure strong security and productivity.
The Default Domain Policy affects all users and computers in the domain, so it should be used for account, account lockout, password and Kerberos policy settings only.
Use the Default Domain Controller Policy for the User Rights Assignment Policy and Audit Policy only.
However, it is even better to use separate GPOs even for the policies listed above.
It’s important to limit access to the Control Panel on Windows machines. You can block all access to the Control Panel, or allow limited access to specific users using the following policies:
Removable media can be dangerous. If someone plugs an infected drive into your system, it can unleash malware into the network. In addition, these drives are a path for data exfiltration.
You can disable the use of removable drives using the “Prevent installation of removable devices” policy. You can also disable the use of DVDs, CDs and even floppy drives if you want, though they present less risk.
Driver updates can cause serious problems for Windows users: They can cause Windows errors, performance drops, or even the dreaded blue screen of death (BSOD). Regular users can’t switch updates off since it’s an automated feature.
As an administrator, you can disable automatic driver updates using the “Turn off Windows Update device driver searching” Group Policy. You will need the hardware IDs of the devices, which you can find in Device Manager.
The command prompt is very useful for system administrators, but enabling users to run commands could harm your network. Therefore, it’s best to disable it for regular users. You can do that using the “Prevent access to the command prompt” policy.
If a user doesn’t turn off their computer when they leave work and their machine is forcibly rebooted by Windows Update, they can lose their unsaved files. You can use Group Policy to disable these forced restarts.
Keeping users from installing software on their machines helps prevent a host of problems. You can prevent software installation by changing the AppLocker and Software Restriction settings and disabling extensions like “.exe” from running.
The NTLM authentication protocol has many known weaknesses, including weak cryptography, which make it vulnerable to attack. Using Group Policy, you can disable NTLM authentication in your network and allow only the modern Kerberos protocol. However, first be sure to verify that no applications require NTLM authentication.
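The safe way to do that verification is to switch NTLM to audit mode on a pilot OU first and read what gets logged before denying anything. The script below is an added example, not from the article; the GPO name and OU path are assumed, and the registry values it sets are the ones behind the "Network security: Restrict NTLM" security options (set this way they appear under "Extra Registry Settings" in the GPMC report rather than under Security Options, but clients apply them the same way). Event IDs 8001 to 8004 in the `Microsoft-Windows-NTLM/Operational` log are the NTLM audit events.

```powershell
# Added example (not from the article): stage the NTLM removal as audit-only
# first. Part 1 builds a GPO that records NTLM use without denying it; part 2
# summarises the audit log on a pilot machine so NTLM-dependent applications
# are found before "Deny all" is ever set. GPO name and OU are assumed.
Import-Module GroupPolicy

$gpoName = 'C-NTLM Audit'                                 # assumed
$pilotOu = 'OU=Pilot,OU=Workstations,DC=corp,DC=example'  # assumed

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Audit-only: records NTLM use, denies nothing' }

$msv = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
# Outgoing NTLM traffic to remote servers: 0 = Allow all, 1 = Audit all, 2 = Deny all
Set-GPRegistryValue -Guid $gpo.Id -Key $msv -ValueName 'RestrictSendingNTLMTraffic' -Type DWord -Value 1 | Out-Null
# Audit incoming NTLM traffic: 2 = Enable auditing for all accounts
Set-GPRegistryValue -Guid $gpo.Id -Key $msv -ValueName 'AuditReceivingNTLMTraffic' -Type DWord -Value 2 | Out-Null

if (-not ((Get-GPInheritance -Target $pilotOu).GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id })) {
    New-GPLink -Guid $gpo.Id -Target $pilotOu -LinkEnabled Yes | Out-Null
}

# Part 2: run on a pilot machine after a few days to see what still uses NTLM.
function Get-NtlmAuditSummary {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { Write-Host "No NTLM audit events in the last $Days days"; return }

    # 8001 = outgoing NTLM from this host, 8002 = incoming NTLM to this host,
    # 8003/8004 = domain-level audits, which are logged on domain controllers.
    $events | Group-Object Id | Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count

    # The newest messages name the process, account and target involved.
    $events | Sort-Object TimeCreated -Descending | Select-Object TimeCreated, Id, Message -First 10
}

Get-NtlmAuditSummary -Days 7
```

Domain-wide auditing of domain accounts is a separate setting that belongs in a GPO linked to the Domain Controllers OU ("Network security: Restrict NTLM: Audit NTLM authentication in this domain"). Only once the summary comes back empty for every pilot group should the same values be raised to their "Deny all" equivalents.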
PowerShell is generally not needed by business users, and keeping them from using it can help prevent execution of malicious scripts. Using Group Policy, you can block the use of PowerShell on domain-joined computers.
Admins who need to use PowerShell can be excluded from the policy. Alternatively, you can require them to run PowerShell scripts only on a designated machine for better security.
Guest accounts typically have limited access and functionality compared to regular user accounts, but they still pose important security risks. Disabling them using Group Policy helps prevent malicious users from gaining access to your environment.
Members of the Local Administrators group can install software, delete system files, modify security settings and much more. This elevated access increases the risk of malware infections, accidental data loss, deliberate data exfiltration, system instability and performance problems.
Using Group Policy, you can remove unnecessary accounts from the Local Administrators group on all computers.
The Local Administrator account is a prime target for attackers because it provides privileged access on the machine. To reduce risk, it is a best practice to rename the Local Administrator account. In addition, use the account only when absolutely necessary; for routine tasks, use other administrative accounts with limited privileges.
By default, named pipes and shares can be accessed anonymously, which can enable malicious actors to access sensitive data, such as confidential files, system information and network security settings. Accordingly, it is a best practice to use Group Policy to enforce restrictions on anonymous access to named pipes and shares across the network.
Standards bodies like NIST offer guidelines for password policy settings that reduce your risk from password-based attacks and credential reuse. You can use Group Policy to apply these recommendations in your environment.
Keep in mind that while stringent requirements for factors like password length, complexity and password age theoretically increase security, it doesn’t always work that way in practice. Instead, such policies can lead users to adopt insecure workarounds like writing passwords down to avoid the hassle of account lockouts.
To get the full benefit of strong password policies, consider adopting a tool like Netwrix Password Secure, which will automatically create, store and enter credentials for users. That way, you can improve security by requiring passwords to be long, include special characters, be changed frequently and so on.
When anonymous SID enumeration is enabled, adversaries can gather information about user accounts and groups that is valuable in planning and executing cyberattacks. You can disable anonymous SID enumeration by modifying this registry setting:
Be sure to back up the registry before making any changes, and exercise caution when editing registry settings. Changes should be performed only by knowledgeable and authorized personnel.
You should ensure that the built-in antivirus and antimalware protection remains active on all Windows systems. Go to the following path in the Group Policy Editor:
Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus
Configure the Group Policy setting "Turn off Windows Defender Antivirus" as Disabled.
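Several of the settings recommended above (removable device installation, Windows Update driver searching, forced restarts, the command prompt, and keeping Defender on) are Administrative Template settings backed by a single registry value each, so they can be delivered from a script as well as from the editor. The script below is an added example, not from the article or a Netwrix product; it builds one computer-side GPO and one user-side GPO, links each to an OU rather than the domain root, and reads the values back. The GPO names (with assumed "C-" and "U-" prefixes as a naming convention), OU paths and the registry mappings are assumptions: confirm each setting shows up under its expected Administrative Template in GPMC after running. It requires the RSAT GroupPolicy module.

```powershell
# Added example (not from the article): build two GPOs carrying the
# registry-backed settings recommended above, link them to OUs (never the
# domain root), disable each GPO's unused side, and verify the values.
# GPO names, OU paths and registry mappings are assumptions; check in GPMC.
Import-Module GroupPolicy

$computerOu = 'OU=Workstations,DC=corp,DC=example'   # assumed
$userOu     = 'OU=Users,DC=corp,DC=example'          # assumed

# Computer-side settings (HKLM), for the workstation OU.
$computerSettings = @(
    @{ Note = 'Prevent installation of removable devices'
       Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'; ValueName = 'DenyRemovableDevices'; Value = 1 }
    @{ Note = 'Turn off Windows Update device driver searching'
       Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DriverSearching'; ValueName = 'DontSearchWindowsUpdate'; Value = 1 }
    @{ Note = 'No auto-restart with logged on users for scheduled update installations'
       Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; ValueName = 'NoAutoRebootWithLoggedOnUsers'; Value = 1 }
    @{ Note = '"Turn off Windows Defender Antivirus" = Disabled, so protection stays on'
       Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender'; ValueName = 'DisableAntiSpyware'; Value = 0 }
)
# User-side settings (HKCU), for the users OU. DisableCMD = 2 blocks cmd.exe
# for the user but still lets logon and batch scripts run; 1 would block both.
$userSettings = @(
    @{ Note = 'Prevent access to the command prompt'
       Key = 'HKCU\Software\Policies\Microsoft\Windows\System'; ValueName = 'DisableCMD'; Value = 2 }
)

function Set-BaselineGpo {
    param([string]$Name, [string]$TargetOu, [object[]]$Settings)

    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $Name -Comment 'Baseline settings delivered by script; see change record before editing'
    }
    foreach ($s in $Settings) {
        Set-GPRegistryValue -Guid $gpo.Id -Key $s.Key -ValueName $s.ValueName -Type DWord -Value $s.Value | Out-Null
    }

    # Disable the side this GPO does not use, to shorten processing time.
    $userOnly = @($Settings | Where-Object { $_.Key -like 'HKCU\*' }).Count -eq $Settings.Count
    $gpo.GpoStatus = if ($userOnly) { 'ComputerSettingsDisabled' } else { 'UserSettingsDisabled' }

    # Link at the OU level, once.
    $linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }
    if (-not $linked) {
        New-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled Yes | Out-Null
    }

    # Read each value back from the GPO to confirm what will be delivered.
    foreach ($s in $Settings) {
        $v = Get-GPRegistryValue -Guid $gpo.Id -Key $s.Key -ValueName $s.ValueName
        [pscustomobject]@{ GPO = $Name; Setting = $s.Note; ValueName = $v.ValueName; Value = $v.Value }
    }
}

Set-BaselineGpo -Name 'C-Workstation Baseline'        -TargetOu $computerOu -Settings $computerSettings
Set-BaselineGpo -Name 'U-Command Prompt Restriction'  -TargetOu $userOu     -Settings $userSettings
```

The command prompt restriction is a user setting, which is why it lives in its own GPO linked to the users OU: linked to the workstation OU it would do nothing unless loopback processing were enabled. On a test client, `gpupdate /force` followed by `gpresult /h report.html` shows whether each GPO applied and which setting won.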
Group Policy is an effective tool for detailed settings management within a Windows environment. However, challenges such as the proliferation of Group Policy Objects (GPOs), organizational changes due to mergers, acquisitions, divestitures, fluctuating staff levels, and the formation of new entities have made its management increasingly complex. Netwrix PolicyPak addresses these challenges by reducing GPO sprawl and streamlining the management process by merging multiple GPOs into fewer entities. This consolidation leads to improved login times, enhanced security, increased system reliability, and reduced configuration errors. Netwrix PolicyPak also enables administrators to deploy nearly 100% of Group Policy settings to Microsoft Intune without the added complexity of OMA-URI.
The following troubleshooting tips will help you investigate issues with Group Policy.