Group Policy (Active Directory)
Revision as of 15:04, 5 August 2013 by Sstrutt (talk | contribs) (→Default Local Administrator: Updated)
Getting Started
- Start
mmc.exe - Go to File | Add/Remove Snap-in...
- Add the Group Policy Management
- Browse to Group Policy Objects
- Right-click and create a new GPO
By default group policies are refreshed by client machines every 90 mins, with a random offset of up to 30 mins in order to load balance. Additionally, Computer Configuration policies are refreshed at boot, and User Configuration polices are refreshed at login.
To refresh polices on the current machine
gpupdate
To see the results of the last refresh (open the created HTML file)
gpresult /H GPreport.html
Common Policy Paths
| Auditing (Event) logging | Computer Configuration | Polices | Windows Settings | Security Settings | Local Polices | Audit Policy |
|---|---|
| Default Local Admin | Computer Configuration | Polices | Windows Settings | Security Settings | Restricted Groups |
| Password | Computer Configuration | Polices | Windows Settings | Security Settings | Account Polices | Password Policy |
| Power Options | Computer Configuration | Preferences | Control panel Settings | Power Options | Power Scheme |
| Proxy | User Configuration| Policies | Windows Settings | Internet Explorer Maintenance | Connection | Proxy Settings |
| Screen Saver | User Configuration | Polices | Administrative Templates | Control Panel | Personalization | Enable screen saver |
| Security Policy Options | Computer Configuration | Polices | Windows Settings | Security Settings | Local Polices | Security Options |
Group Policy Object (GPO) Examples
Default Local Administrator
To give a particular domain security group, local admin rights over machines affected by the GPO
- Browse to
Computer Configuration | Polices | Windows Settings | Security Settings | Restricted Groups - Select Add Group...
- Locate the security group, and then add it to appropriate local group (eg
BUILTIN\Administrators)
To ensure the local admin account is enabled with correct password...
- Go to Computer Configuration | Polices | Windows Settings | Security Settings | Local Polices | Security Options
- Set
Accounts: Administrator account statustoEnabled - Go to Computer Configuration | Preferences | Control Panel Settings | Local Users and Groups
- Right-click over right hand pane and select New | Local User
- In the User name field select Administrator (built-in)
- Enter password, uncheck User must change password at next logon, check Password never expires
Internet Explorer
Proxy
In order to configure proxy settings, browse to...
User Configuration | Policies | Windows Settings | Internet Explorer Maintenance | Connection | Proxy Settings
This will still let users change the settings, to prevent this...
- Browse to
User Configuration| Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel - Enable the
Disable the Connections pagesetting
Favourites
In order to add pre-defined favourites to Internet Explorer...
- Browse to
User Configuration| Policies | Windows Settings | Internet Explorer Maintenance | URLs
- Right-click over
Favorites and Links
- Favourites can be added to the Favorites section
- Links (which appear in the Favorites bar above the webpage in IE, if viewable) can be added to the Links section
- Don't check Delete existing Favorites and Links, if present unless you're sure users won't have their own links there already