Group Policy Configuration
Real-world business strategy for centralized security policy for users and computers.
Relevance
Last Review: March 12, 2020
Product(s): Windows Server 2019 or greater
Author(s): Kevin Fream
Delta
A cyberist created this article using the patented Delta Method by modernizing a typical approach.
Summary
Group Policy is rarely understood and often poorly implemented. Group Policy Objects (GPO) are centralized user and computer settings configured on a Windows Server Domain Controller for managing devices and user permissions.
Group Policy is assigned to Organizational Units (OU) for storing user and computer accounts by location, department, or function. A real-world business strategy is outlined below for both OU and GPO implementation.
Requirements
- Domain Admin credentials are required with documented Group Policy settings and Organizational Unit structure, as well as Active Directory backup prior to modifying any settings.
- A contingency plan to move user and computer objects to a different OU or remove a Group Policy is recommended for management approval, as well as an announcement to users for possible impact.
- Organizational Units are recommended for each location containing OU(s) for each department with user and computer accounts.
- Separate user and computer OUs lengthen the Active Directory object path, which slows logon processing, and they are unnecessarily redundant because each group policy setting applies to either computers or users anyway.
- A separate OU, often called "Resources", is recommended, containing OUs by function for objects that are not appropriate for synchronization with Azure using AD Connect, such as Disabled, Groups, Service Accounts, Servers, and Test.
- All Group Policies must be treated with caution; without prior testing they can cause unintended downtime for computers and users that takes hours to days to correct.
- Default Domain Policy is designed for limited editing and account logon policy only, must be the only policy linked to the root of the Active Directory Domain, cannot be deleted, and should not be renamed.
- Default Domain Controller Policy is designed for limited editing, must be the only policy linked to Domain Controllers, cannot be deleted, and should not be renamed.
- Custom policies by Computer and User are linked and enforced to the location OU for general policy inheritance and/or to individual department OUs for security-specific policies.
- New Group Policies should follow a naming convention that starts with Computer or User, and should be linked and tested against the Test OU before linking to existing location or department OUs.
- GPUPDATE /Force on a Domain Controller from a Command Prompt is recommended after each policy setting update to prevent propagation delay.
- GPUPDATE /Force on a workstation, run as an administrator from a Command Prompt, or a restart will generally update group policy, which may be confirmed using GPRESULT.
Create Organizational Units
- Log onto a domain controller, open Server Manager, and select Active Directory Users and Computers.
- Right-click the domain name and select New and Organizational Unit for each location and a resource OU.
- Right-click each location OU, select New and Organizational Unit for each department.
- Right-click the resource OU, select New and Organizational Unit for each resource such as Disabled, Groups, Services, Servers, and Test.
- New Computers joined to the domain must be moved from the built-in Computers OU to receive any custom computer group policy by location or department.
- New User accounts created often must be moved from the built-in Users OU to receive any custom user group policy by location or department.
OU | Description |
---|---|
HQ | Headquarters |
HQ\Accounting | Accounting users and computers |
HQ\Executive | Executive users and computers |
HQ\Marketing | Marketing users and computers |
HQ\Sales | Sales users and computers |
HQ\Support | Support users and computers |
Resources | Resources not synchronized with Azure |
Resources\Disabled | Disabled accounts |
Resources\Groups | Active Directory Security Groups |
Resources\Servers | Application/Member Servers |
Resources\Services | Service and Administrator Accounts |
Resources\Test | Policy testing for users or computers by OU |
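The OU table above as a script, added here as an example and not part of the original article: it builds the same OU layout with the ActiveDirectory module (domain DN read from the domain, names and descriptions copied from the table) and then stages newly joined computers from the built-in Computers container into Resources\Test, as the steps above require before a computer receives custom policy.

```powershell
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# Same rows as the table above; ordered so parents are created before children.
$ous = [ordered]@{
    'HQ'                 = 'Headquarters'
    'HQ\Accounting'      = 'Accounting users and computers'
    'HQ\Executive'       = 'Executive users and computers'
    'HQ\Marketing'       = 'Marketing users and computers'
    'HQ\Sales'           = 'Sales users and computers'
    'HQ\Support'         = 'Support users and computers'
    'Resources'          = 'Resources not synchronized with Azure'
    'Resources\Disabled' = 'Disabled accounts'
    'Resources\Groups'   = 'Active Directory Security Groups'
    'Resources\Servers'  = 'Application/Member Servers'
    'Resources\Services' = 'Service and Administrator Accounts'
    'Resources\Test'     = 'Policy testing for users or computers by OU'
}

foreach ($entry in $ous.GetEnumerator()) {
    $parts  = $entry.Key -split '\\'
    $name   = $parts[-1]
    $parent = $domainDN
    if ($parts.Count -gt 1) {
        # Build the parent DN from the path segments, e.g. HQ\Accounting -> OU=HQ,<domain>
        foreach ($p in $parts[0..($parts.Count - 2)]) { $parent = "OU=$p,$parent" }
    }
    $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$name'" -SearchBase $parent -SearchScope OneLevel
    if (-not $exists) {
        New-ADOrganizationalUnit -Name $name -Path $parent -Description $entry.Value `
            -ProtectedFromAccidentalDeletion $true
        Write-Host "Created OU=$name,$parent"
    }
}

# Newly joined computers sit in the built-in Computers container and receive no
# location or department policy until moved. Stage them in Resources\Test first so
# the policy is seen there before the computer goes to its department OU.
# -WhatIf only reports the moves; remove it once the output looks right.
$testOU = "OU=Test,OU=Resources,$domainDN"
Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDN" |
    Move-ADObject -TargetPath $testOU -WhatIf
```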
Update Default Domain and Default Domain Controller Policies
- Log onto a domain controller, open Server Manager, and select Group Policy Management.
- Right-click the Default Domain Policy and select Save Report to have a copy to revert settings if needed.
- Right-click the Default Domain Controller Policy and select Save Report to have a copy to revert settings if needed.
- Right-click each policy, select Edit, and apply the recommended settings below for both Default Domain Policy and Default Domain Controller Policy.
- Select the Settings tab to review updated policy.
- Open a Command Prompt as an Administrator and enter the following command to immediately update Group Policy Objects: GPUPDATE /Force
Default Domain Policy
Policy | Setting |
---|---|
Computer Configuration | |
Policies | |
Windows Settings | |
Security Settings | |
Account Policies/Password Policy | |
Enforce password history | 24 |
Maximum password age | 90 days |
Minimum password age | 1 day |
Minimum password length | 10 |
Password must meet complexity requirements | Enabled |
Store passwords using reversible encryption | Disabled |
Account Policies/Account Lockout Policy | |
Account lockout duration | 11 minutes |
Account lockout threshold | 5 invalid logons |
Reset account lockout counter after | 11 minutes |
Account Policies/Kerberos | |
Enforce user logon restrictions | Enabled |
Maximum lifetime for service ticket | 600 minutes |
Maximum lifetime for user ticket | 10 hours |
Maximum lifetime for user ticket renewal | 7 days |
Maximum tolerance for computer clock synchronization | 5 minutes |
Interactive logon: Don’t display last signed in | Enabled |
Interactive logon: Message text for users attempting to log on | See Logon Banner |
Interactive logon: Message title for users attempting to log on | Legal Notice |
Interactive logon: Prompt to change password before expiry | 3 days |
Network access: Allow anonymous SID/Name translation | Disabled |
Network security: Do not store LAN Manager hash value | Enabled |
Network security: Force logoff when logon hours expire | Disabled |
Maximum password age default is 42 days. Minimum password length default is 7 characters. Account lockout threshold default is 0, meaning accounts are never locked out. Interactive Logon settings are not configured by default and are highly recommended so that users regularly acknowledge the computer and security acceptable use policy.
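An added check, not a script from the article, for the Save Report and Default Domain Policy steps above: it backs up both default GPOs (restorable copy plus HTML report) and then compares the effective domain password and lockout policy with the rows in the table. The backup folder C:\GPOBackup is an assumption; note the GPO's actual display name is "Default Domain Controllers Policy".

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. Restorable backup and an HTML report of both default GPOs before any edit.
$backupRoot = 'C:\GPOBackup'   # assumed location
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null
foreach ($gpo in 'Default Domain Policy', 'Default Domain Controllers Policy') {
    Backup-GPO -Name $gpo -Path $backupRoot | Out-Null
    $report = Join-Path $backupRoot (($gpo -replace ' ', '_') + '.html')
    Get-GPOReport -Name $gpo -ReportType Html -Path $report
}

# 2. After editing Default Domain Policy in the console and running GPUPDATE /Force,
#    compare the effective domain password/lockout policy with the table. These
#    values live on the domain object; the PDC emulator writes them there when it
#    applies the GPO, so this is what users actually get.
$expected = @{
    PasswordHistoryCount        = 24
    MaxPasswordAge              = New-TimeSpan -Days 90
    MinPasswordAge              = New-TimeSpan -Days 1
    MinPasswordLength           = 10
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 5
    LockoutDuration             = New-TimeSpan -Minutes 11
    LockoutObservationWindow    = New-TimeSpan -Minutes 11
}
$actual = Get-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot
$drift  = foreach ($name in $expected.Keys) {
    if ($actual.$name -ne $expected[$name]) {
        [pscustomobject]@{ Setting = $name; Expected = $expected[$name]; Actual = $actual.$name }
    }
}
if ($drift) { $drift | Format-Table -AutoSize }
else        { 'Effective domain policy matches the Default Domain Policy table.' }
```

Any row reported as drift means the console edit did not take effect yet or a second GPO linked at the domain root is overriding it.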
Logon Banner
This private computer system including all files and uses is the property of Company and intended for authorized business use only. By using this system the user indicates awareness of and consents to monitoring and inspection of any uses of this system and all files on this system. Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
Default Domain Controller Policy
Policy | Setting |
---|---|
Computer Configuration | |
Policies | |
Windows Settings | |
Security Settings | |
Local Policies/Security Options | |
Domain controller: LDAP server signing requirements | None |
Domain member: Digitally sign secure channel data | Enabled |
Microsoft Network Server | |
Digitally sign communications (always) | Enabled |
Digitally sign communications (if client agrees) | Enabled |
Event Log | |
Maximum security log size | 20480 |
Retain security log | 30 days |
Retention method for security log | By days |
Administrative Templates | |
Windows Components/Event Log Service/Security | |
Back up log automatically when full | Enabled |
Specify the maximum log file size (KB) | 20480 |
Event Log and Administrative Templates are not configured by default.
User Folder Redirection
Policy | Setting |
---|---|
User Configuration | |
Policies | |
Windows Settings | |
Folder Redirection | |
Setting: Basic (Redirect everyone’s folder to same location) | |
Options: Move the contents of Documents to new location | |
Documents | Root Path \\server\users (target \\server\users\%username%\Documents) |
Favorites | Root Path \\server\users (target \\server\users\%username%\Favorites) |
Music | Root Path \\server\users (target \\server\users\%username%\Music) |
Pictures | Root Path \\server\users (target \\server\users\%username%\Pictures) |
Videos | Root Path \\server\users (target \\server\users\%username%\Videos) |
Typical example user group policy for folder redirection.
Computer Firewall and Management
Policy | Setting |
---|---|
Computer Configuration | |
Policies | |
Windows Settings | |
Security Settings | |
System Services | |
Background Intelligent Transfer | Startup Mode Automatic |
Remote Registry | Startup Mode Automatic |
Remote Procedure Call | Startup Mode Automatic |
Remote Desktop Services | Startup Mode Automatic |
Windows Management Instrumentation | Startup Mode Automatic |
Windows Remote Management | Startup Mode Automatic |
Windows Defender Firewall Advanced Security | |
Inbound Rules (Predefined) | Remote Event Log Management, Remote Service Management |
Administrative Templates | |
Network/Network Connections | |
Windows Defender Firewall/Domain Profile | |
Protect all network connections | Enabled |
Allow inbound file/printer sharing | Enabled, localsubnet |
Allow ICMP exceptions | Enabled, Allow inbound echo |
Define inbound port exceptions | 5985:TCP:localsubnet:enabled:WinRM |
Allow inbound remote administration | Enabled, localsubnet |
Allow inbound remote desktop services | Enabled, localsubnet |
Windows Components | |
Remote Desktop Services/RD Session Host | |
Connections | |
Allow users to connect using RDS | Enabled |
Typical example computer group policy for monitoring and management.
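A verification script added as an example (not the article's own) for the computer policy above: run it on a workstation in the target OU after GPUPDATE /Force and it reports, row by row, whether the service startup modes, domain firewall profile, predefined rule groups and the WinRM port exception are actually in effect. Short service names and the policy registry path for port exceptions are assumptions based on standard Windows names.

```powershell
# Collects one row per policy setting: what the GPO should set vs. what is in effect.
$checks = [System.Collections.Generic.List[object]]::new()
function Add-Check($Name, $Expected, $Actual) {
    $checks.Add([pscustomobject]@{ Check = $Name; Expected = $Expected; Actual = $Actual
                                   OK = ($Expected -eq $Actual) })
}

# System Services rows: short service names for the display names in the table.
$services = [ordered]@{
    BITS           = 'Background Intelligent Transfer'
    RemoteRegistry = 'Remote Registry'
    RpcSs          = 'Remote Procedure Call'
    TermService    = 'Remote Desktop Services'
    Winmgmt        = 'Windows Management Instrumentation'
    WinRM          = 'Windows Remote Management'
}
foreach ($name in $services.Keys) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    Add-Check $services[$name] 'Auto' $(if ($svc) { $svc.StartMode } else { 'missing' })
}

# "Protect all network connections" means the Domain profile is on.
Add-Check 'Domain profile firewall enabled' $true ([bool](Get-NetFirewallProfile -Name Domain).Enabled)

# Predefined inbound rule groups from the table must have enabled inbound rules.
foreach ($group in 'Remote Event Log Management', 'Remote Service Management') {
    $on = Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    Add-Check "Inbound rule group enabled: $group" $true ([bool]$on)
}

# "Define inbound port exceptions" arrives as a policy registry value under the
# Domain profile; the value data is the same port string shown in the table.
$portList = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List'
$winrm = (Get-ItemProperty -Path $portList -ErrorAction SilentlyContinue).PSObject.Properties.Value |
         Where-Object { $_ -like '5985:TCP:*' }
Add-Check 'WinRM port exception' '5985:TCP:localsubnet:enabled:WinRM' $(if ($winrm) { "$winrm" } else { 'absent' })

# The exception is useless unless WinRM is actually listening on 5985.
$listening = Get-NetTCPConnection -LocalPort 5985 -State Listen -ErrorAction SilentlyContinue
Add-Check 'WinRM listening on 5985/TCP' $true ([bool]$listening)

$checks | Format-Table -AutoSize
```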
Follow-up and Testing
- On a domain controller with corrupt or problem default policies, restore Default Domain Policy using a Command Prompt running as an Administrator: dcgpofix /ignoreschema /target:Domain
- On a domain controller with corrupt or problem default policies, restore Default Domain Controller Policy using a Command Prompt running as an Administrator: dcgpofix /ignoreschema /target:DC
- On a workstation, immediately refresh group policy from a Command Prompt running as an Administrator: gpupdate /force
- On a workstation, the most common group policy issues are DNS/networking or firewall issues such as IPv6 uninstalled or Windows Defender Firewall turned off. Group Policy may be verified from a Command Prompt run as an Administrator: gpresult /r /scope computer /user domain\user (/z may be used for detailed settings, and /f /h gpresult.html creates a file to view)
- Help the user with the first logon, answer questions, and correct any unexpected problems.