Group Policies

PRACTICE ! PRACTICE ! PRACTICE !

From the previous actions on the AD network, we've just organized users and computers into different OUs, but the main idea is to set different policies for each OU individually

We can push different configurations and security baselines to users depending on their department

Windows manages such policies through Group Policy Objects (GPO)

  • A GPO is a collection of settings that can be applied to OUs. GPOs can contain policies for users or computers, allowing you to set a baseline on specific machines and identities

In order to configure GPOs, we can use the Group Policy Management application

The first thing we notice is the complete OU hierarchy, as defined before. To configure Group Policies, we'll first have to create a GPO under Group Policy Objects and then link it to the OU where you want the policies to be applied

From the above, we can notice that there are three GPOs, namely:

  • Default Domain Controllers Policy

  • Default Domain Policy

  • RDP Policy

Out of these, the Default Domain Policy and the RDP Policy are linked to the THM.local domain as a whole!

  • Whereas the Default Domain Controllers Policy is linked only to the Domain Controllers OU

Since the Default Domain Policy is linked to THM.local => even the sub-OUs like Sales and Marketing will be affected by this policy

What's Inside a GPO

  • Examining the Default Domain Policy, we notice there's something called Scope, which tells us where in the AD this GPO is linked - For the current policy, we can see that it has only been linked to the THM.local domain

We can also apply Security Filtering to GPOs so that they are only applied to specific users/computers under an OU

By default, they will apply to the Authenticated Users group, which includes all users/PCs

The Settings tab includes the actual contents of the GPO and lets us know what specific configurations it applies

  • As we know, each GPO has configurations that apply to computers only and configurations that apply to users only. In this case, the Default Domain Policy only contains Computer Configuration settings; User Configuration is enabled but no settings are defined!

Since the Default Domain Policy GPO applies to the whole domain, any change to it would affect all computers in the domain

  • Let's change the minimum password length policy to require users to have at least 10 characters in their passwords => To do this, right-click the GPO and select Edit

  • Navigate to this location to change the minimum password length

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy
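After changing the minimum password length through the editor, it is worth confirming what the domain actually enforces rather than trusting the dialog. The following PowerShell is an added example, not part of the original notes or the room; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, that it runs as a domain admin on a domain-joined machine, and that the XML report of the Default Domain Policy has the usual layout (an Account element named MinimumPasswordLength under the Security Settings extension).

```powershell
# Added example (not from the original notes): audit the domain password policy
# after editing the Default Domain Policy.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$RequiredMinLength = 10   # the value the notes above set via the GPO editor

# The Default Domain Policy is what sets the domain-wide password policy, so the
# effective values can be read straight from the domain object.
$policy = Get-ADDefaultDomainPasswordPolicy
$policy | Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                        MaxPasswordAge, LockoutThreshold

if ($policy.MinPasswordLength -lt $RequiredMinLength) {
    Write-Warning "MinPasswordLength is $($policy.MinPasswordLength); expected at least $RequiredMinLength"
} else {
    Write-Host "Minimum password length OK ($($policy.MinPasswordLength))"
}

# Cross-check what the GPO itself contains by reading its XML report.
# Assumption: the report exposes the setting as Computer/ExtensionData/Extension/
# Account with Name = MinimumPasswordLength and the value in SettingNumber.
[xml]$report = Get-GPOReport -Name 'Default Domain Policy' -ReportType Xml
$accountSettings = $report.GPO.Computer.ExtensionData.Extension.Account
$minLenSetting = $accountSettings | Where-Object { $_.Name -eq 'MinimumPasswordLength' }

if ($minLenSetting) {
    "GPO setting MinimumPasswordLength = $($minLenSetting.SettingNumber)"
} else {
    Write-Warning 'MinimumPasswordLength is not defined in the Default Domain Policy report'
}
```

If the two numbers disagree, the usual cause is that the DC has not yet applied the edited GPO; running gpupdate /force on the DC and re-running the check resolves it. Keep in mind that fine-grained password policies (PSOs) applied to specific users or groups take precedence over this domain-wide value.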

GPO Distribution

GPOs are distributed to the network via a network share called SYSVOL, which is stored on the DC

  • All the users in a domain should typically have access to this share over the network to sync their GPOs periodically

  • Once a change has been made to any GPOs, we can force any particular computer to sync its GPOs immediately

PS C:\> gpupdate /force
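To see the distribution mechanism concretely, the following PowerShell is an added example (not from the original notes): it walks the SYSVOL policies share, checks that each GPO in the domain has its GUID-named folder there with a readable gpt.ini, and then refreshes and lists the policies applied to the local machine. It assumes the RSAT GroupPolicy module is installed, the machine is domain-joined so that $env:USERDNSDOMAIN is set (THM.local here), and the account running it can read SYSVOL.

```powershell
# Added example (not from the original notes): verify that every GPO is present
# in SYSVOL and reachable from this client before forcing a policy refresh.
Import-Module GroupPolicy

# USERDNSDOMAIN is populated on domain-joined machines; THM.local is an assumed fallback.
$domain = if ($env:USERDNSDOMAIN) { $env:USERDNSDOMAIN } else { 'THM.local' }
$sysvolPolicies = "\\$domain\SYSVOL\$domain\Policies"

if (-not (Test-Path $sysvolPolicies)) {
    Write-Warning "Cannot reach $sysvolPolicies - clients will not be able to pull GPOs"
    return
}

# Each GPO lives in a folder named after its GUID; gpt.ini holds the version
# number clients compare with the AD object to decide whether to re-apply it.
foreach ($gpo in Get-GPO -All) {
    $folder = Join-Path $sysvolPolicies "{$($gpo.Id)}"
    $gptIni = Join-Path $folder 'gpt.ini'
    $gptVersion = $null
    if (Test-Path $gptIni) {
        $match = Select-String -Path $gptIni -Pattern '^Version=(\d+)'
        if ($match) { $gptVersion = $match.Matches[0].Groups[1].Value }
    }
    [pscustomobject]@{
        Name           = $gpo.DisplayName
        FolderPresent  = Test-Path $folder
        GptIniVersion  = $gptVersion
        ComputerSysvol = $gpo.Computer.SysvolVersion
        UserSysvol     = $gpo.User.SysvolVersion
    }
}

# Force this machine (and the logged-on user) to re-apply policy now,
# then confirm which GPOs actually applied to this computer.
gpupdate /force
gpresult /r /scope:computer
```

A GPO whose folder is missing or whose gpt.ini cannot be read will simply not apply on clients, which is why a SYSVOL permission or replication problem shows up as "policy silently not taking effect" rather than as an error in the management console.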

Creating some GPOs for THM Inc

Okay, let's perform some administration tasks!

  • Block non-IT users from accessing the Control Panel

  • Make workstations and servers lock their screen automatically after 5 minutes of user inactivity to avoid people leaving their sessions exposed

Restrict Access to Control Panel

  • We want to restrict access to the Control Panel across all machines to only the users that are part of the IT department

Users of other departments shouldn't be able to change the system's preferences

  • We can navigate to User Configuration > Policies > Administrative Templates > Control Panel and enable the Prohibit Access to Control Panel and PC settings policy

  • We'll create a new GPO, say Restrict Control Panel Access, configure it as above, and link it to all of the OUs corresponding to users who shouldn't have access to the Control Panel of their PCs - which are Marketing, Sales and Management

Auto Screen Lock GPO

  • For this particular task, we don't have to apply it to specific users or specific OUs; instead, we want all the OUs under the root domain to follow this policy - Since the Workstations, Servers and Domain Controllers OUs are all child OUs of the root domain, they will inherit its policies

  • Let's create a new GPO, call it Auto Lock Screen, and edit it

  • Successfully set the inactivity limit to 5 minutes (300 seconds) so that computers get locked automatically if a user leaves their session open

  • As we can see, we've defined the Auto Lock Screen policy under the root domain THM.local. Now that we've updated these policies, let's just force the update!

PS C:\> gpupdate /force
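Both administration tasks above (Restrict Access to Control Panel and Auto Screen Lock) can be done without the console. The following PowerShell is an added example, not the notes' or the room's own code; it assumes the RSAT GroupPolicy module, domain-admin rights, and OU distinguished names directly under DC=THM,DC=local (the notes give only the OU display names, so these DNs are assumptions and must be adjusted if the OUs are nested). It uses the registry values behind the two settings: the Prohibit Access to Control Panel and PC settings policy is the user-side NoControlPanel value, and Interactive logon: Machine inactivity limit is the machine-side InactivityTimeoutSecs value.

```powershell
# Added example (not from the original notes): create, configure and link the
# two GPOs described above, then refresh policy and show what applied.
Import-Module GroupPolicy

$domainDn = 'DC=THM,DC=local'          # assumed root of the THM.local domain
$restrictedUserOus = @(                 # assumed DNs for the non-IT user OUs
    "OU=Marketing,$domainDn",
    "OU=Sales,$domainDn",
    "OU=Management,$domainDn"
)

# Link a GPO to a target only if it is not linked there already
# (New-GPLink fails on a duplicate link).
function Ensure-GPLink {
    param([Microsoft.GroupPolicy.Gpo]$Gpo, [string]$Target)
    $existing = (Get-GPInheritance -Target $Target).GpoLinks |
        Where-Object { $_.GpoId -eq $Gpo.Id }
    if (-not $existing) {
        New-GPLink -Name $Gpo.DisplayName -Target $Target -LinkEnabled Yes | Out-Null
        "Linked '$($Gpo.DisplayName)' to $Target"
    } else {
        "'$($Gpo.DisplayName)' already linked to $Target"
    }
}

# --- Task 1: Restrict Control Panel for non-IT users (User Configuration) ---
$cpGpo = Get-GPO -Name 'Restrict Control Panel Access' -ErrorAction SilentlyContinue
if (-not $cpGpo) { $cpGpo = New-GPO -Name 'Restrict Control Panel Access' }

# Same value the "Prohibit Access to Control Panel and PC settings" template sets.
Set-GPRegistryValue -Name $cpGpo.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

foreach ($ou in $restrictedUserOus) { Ensure-GPLink -Gpo $cpGpo -Target $ou }

# --- Task 2: Auto Lock Screen after 5 minutes (Computer Configuration) ---
$lockGpo = Get-GPO -Name 'Auto Lock Screen' -ErrorAction SilentlyContinue
if (-not $lockGpo) { $lockGpo = New-GPO -Name 'Auto Lock Screen' }

# Same registry value "Interactive logon: Machine inactivity limit" writes;
# 300 seconds = 5 minutes. Linked at the domain root so Workstations, Servers
# and Domain Controllers inherit it.
Set-GPRegistryValue -Name $lockGpo.DisplayName `
    -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'InactivityTimeoutSecs' -Type DWord -Value 300 | Out-Null

Ensure-GPLink -Gpo $lockGpo -Target $domainDn

# Apply immediately on this machine, then list the GPOs it received for
# both the computer and the logged-on user.
gpupdate /force
gpresult /r
```

Because the Control Panel GPO is a User Configuration policy, gpresult /r must be run as a user from one of the linked OUs to see it under "Applied Group Policy Objects"; the Auto Lock Screen GPO, being a Computer Configuration policy, shows up in the computer section regardless of who is logged on.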
