
Group Policy Objects (GPOs) are virtual containers that hold a collection of settings, configurations, and security policies. They allow you to define how computers and user accounts should behave and operate. You can change or enforce specific computer and user settings. 

When we speak about GPOs, we might think of Active Directory. Active Directory is a directory service for Windows networks, used by companies that manage more than fifty computers. With Active Directory you can deploy GPOs to centrally configure users' Windows profiles. But the use of GPOs is not limited to AD. It is always possible to create a local policy in Workgroup mode with gpedit.msc.

When working in Workgroup mode you can still manage GPOs, but each computer maintains its own GPO settings, so you need to configure them separately on each computer in the workgroup.

In this scenario a policy will apply to all users of a given computer (including the administrator).

Since Vista, it is possible not to apply GPOs to the admin account. To do so, open mmc.exe. When adding the "Group Policy Object Editor" snap-in, click Browse, then Users, and limit the groups to which the object applies to non-administrators.

With the local group policy editor (gpedit.msc), you can customize your systems by enforcing computer or user policies. This is very valuable for locking down the users’ systems to prevent unwanted operations or to make sure all your computers inherit the exact same configuration. It’s good to take some time to browse the settings. Among the most useful settings we find features like: local account security, BitLocker, power management, Windows update, audit…

Here is an example of password security settings:

[Screenshot: password security settings]

 

GPO settings come in several kinds:

  • Administrative Templates: Administrative Templates are preconfigured settings that control various aspects of the Windows operating system and applications. They allow administrators to enforce policies related to security, system settings, user interface, and more.
  • Security Settings: GPOs can enforce security policies to control password policies, account lockout settings, user rights, auditing, and other security-related configurations.
  • Software Installation: GPOs can be used to deploy and manage software installations across the network. Applications can be assigned or published to users or computers, allowing automated software deployment and updates.
  • Scripts: GPOs can execute startup, shutdown, logon, or logoff scripts to perform specific tasks or configurations on user or computer startup and shutdown.

GPOs usually apply after a system restart, but you can force an immediate update of Group Policy on a client computer by using the gpupdate /force command.

Once done, the configuration can easily be exported and copied over to other systems as well. But if you are not using a domain, you must do that manually.

To do so, there are three things to do, starting on the model computer where you made the policy changes:

  1. Backup/restore all your group policies
    To back up, copy everything inside "%WinDir%\System32\GroupPolicy".
    To make the changes on your target machine, restore the files copied previously, using a command like this:
    xcopy "C:\Users\Admin\Desktop\GroupPolicy" "%WinDir%\System32\GroupPolicy" /h /i /c /k /e /r /y
    Run gpupdate /force (gpupdate forces the application of the policies without having to restart the system)
  2. Export/restore the security settings using secedit
    To export your security settings using Secedit run a command like this:
    Secedit /export /cfg C:\Users\Admin\Desktop\GroupPolicy\Security.csv
    To make the changes on your target machine, restore the files copied previously, using a command like this:
    secedit /configure /cfg "C:\Users\Admin\Desktop\Security.csv" /db defltbase.sdb /verbose
  3. If you have changed your audit policy, export/restore the audit settings using auditpol
    To export your audit settings using auditpol run a command like this:
    Auditpol /backup /file:C:\Users\Admin\Desktop\GroupPolicy\Audit.ini
    To make the changes on your target machine, restore the files copied previously, using a command like this:
    Auditpol /restore /file:C:\Users\Admin\Desktop\audit.ini
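
The three export/restore steps above as one PowerShell script, added here as an example that is not part of the original page. The function names, the Invoke-Tool helper and the backup folder layout are assumptions; the tools and switches are the ones used in the steps.

```powershell
#Requires -RunAsAdministrator
# Added example: function names and backup layout are assumptions, not from the page.
$GpDir = Join-Path $env:WinDir 'System32\GroupPolicy'

function Invoke-Tool {
    # Run a native tool and stop at the first failure instead of continuing
    # with a half-applied policy set.
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe exited with code $LASTEXITCODE (arguments: $($ToolArgs -join ' '))"
    }
}

function Export-LocalPolicy {
    # Run on the model computer.
    param([Parameter(Mandatory)][string]$BackupDir)
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    # Step 1: policy files (/h includes hidden and system files).
    Invoke-Tool xcopy @($GpDir, (Join-Path $BackupDir 'GroupPolicy'),
                        '/h', '/i', '/c', '/k', '/e', '/r', '/y')
    # Step 2: security settings.
    Invoke-Tool secedit @('/export', '/cfg', (Join-Path $BackupDir 'Security.csv'))
    # Step 3: audit policy.
    Invoke-Tool auditpol @('/backup', "/file:$(Join-Path $BackupDir 'Audit.ini')")
}

function Import-LocalPolicy {
    # Run on each target computer after copying the backup folder to it.
    param([Parameter(Mandatory)][string]$BackupDir)
    foreach ($item in 'GroupPolicy', 'Security.csv', 'Audit.ini') {
        # Refuse to apply an incomplete backup.
        if (-not (Test-Path (Join-Path $BackupDir $item))) {
            throw "Backup is incomplete: '$item' is missing from $BackupDir"
        }
    }
    Invoke-Tool xcopy @((Join-Path $BackupDir 'GroupPolicy'), $GpDir,
                        '/h', '/i', '/c', '/k', '/e', '/r', '/y')
    # If secedit fails, details are in %WinDir%\security\logs\scesrv.log.
    Invoke-Tool secedit @('/configure', '/db', 'defltbase.sdb',
                          '/cfg', (Join-Path $BackupDir 'Security.csv'), '/verbose')
    Invoke-Tool auditpol @('/restore', "/file:$(Join-Path $BackupDir 'Audit.ini')")
    Invoke-Tool gpupdate @('/force')
}

# Usage (constructed path):
#   Export-LocalPolicy -BackupDir 'C:\Users\Admin\Desktop\PolicyBackup'
#   Import-LocalPolicy -BackupDir 'C:\Users\Admin\Desktop\PolicyBackup'
```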

If you want to reset your local GPOs, run the following commands:

RD /S /Q "%WinDir%\System32\GroupPolicyUsers"

RD /S /Q "%WinDir%\System32\GroupPolicy"

gpupdate /force (gpupdate forces the application of the policies without having to restart the system)

Note that in their Security Compliance Toolkit and Baselines, Microsoft provides admins with what they call the Security Baseline. This is a group of predefined Microsoft-recommended configuration settings that you can apply to all your systems. This is part of system hardening and will reinforce your system's security. Read the documentation carefully: you may have to change a few default settings to avoid issues in your environment.

 



Contributors to this page: admin .
Page last modified on Wednesday October 9, 2024 11:55:53 GMT-0000 by admin.