Eight Important Group Policies to Secure your Environment

1. Software Restriction Policy: Software Restriction Policy is a critical Group Policy used to stop users from running pre-installed or newly installed applications. With this policy you can prevent users from running specific software on their desktops; users will not be able to run any software you restrict for them. It is important for organizations that do not want users running unauthorized software on their desktops.

2. Disable USB ports: USB is one of the most common ways of connecting media devices such as hard disks, pen drives and cameras to computers. Most organizations are under continuous threat of having their critical data stolen. Therefore they disable USB ports to prevent confidential data being copied out and harmful viruses being introduced into the network. This is a very important policy that organizations deploy to secure their environment.

3. Folder Redirection: Folder redirection is another important Group Policy deployed in organizations. It redirects domain user data to a network location. This not only helps keep track of user data but also makes backing up critical data easier. Special folders that can be redirected include Application Data, Desktop, My Documents, Pictures, Start Menu, etc.

4. Install software remotely: Remote software installation is another critical Group Policy that most organizations use to automate software deployment from a single console. Using this GPO you can deploy software packages, e.g. MSI packages, to all domain computers. This removes the manual intervention otherwise required to install software on a large number of desktops and laptops.

5. Item Level Targeting: Another critical Group Policy feature, used to target a specific set of users. With item level targeting, the Group Policy is linked to an OU, but its settings are applied only to the targeted users who are members of a given security group, not to the entire population of the OU. It is crucial for environments in which you do not want a GPO to apply to certain sets of users.

6. Hide Drives: Hiding drives through Group Policy is a common requirement, primarily from organizations that want their environment to be secure. This policy removes or hides the hard drive icons from "My Computer" and File Explorer. Note that it only removes the icons; the drives can still be accessed through other methods. When important documents or files sit on a particular drive and you want to discourage users from reaching them, this policy helps protect the organization's documents, though on its own it is a visibility control rather than an access control.

7. Disable shutdown: Another critical Group Policy disables the Shut down, Restart and Hibernate options in the Start menu. The only power options left to the user are Log off and Switch user. After this policy is enabled, all power options except Log off and Switch user are removed from the Start menu and from the Ctrl+Alt+Del screen.

8. Password Policy: The simplest technique for authenticating a user's identity is a password. Users should always keep strong passwords to enhance their security. A network is considered secure only when all users use strong passwords that prevent security lapses. Sometimes users choose passwords that are easy to guess, or do not change their passwords frequently; this is negligence in security.

To prevent security issues related to user passwords, some password policies are pre-defined. These pre-defined settings are configured in the GPO named "Default Domain Policy", which is linked to the domain. The path of the password policy in the GPME console is "Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy". The settings come with default values, which can be changed to suit your requirements.

  1. Enforce password history: 24 passwords
  2. Maximum password age: 42 days
  3. Minimum password age: 1 day
  4. Minimum password length: 7 characters
  5. Password must meet complexity requirements: Enabled
  6. Store passwords using reversible encryption: Disabled

Enforce password history records the last 24 unique passwords of each user so that they cannot reuse passwords frequently. This enhances the security of user accounts, and administrators can be sure that old passwords are not recycled.

Maximum password age determines the period, in days, for which a single password can be used. The default is 42 days, and any value between 1 and 999 days can be set. If the value is set to 0, the password never expires.

Minimum password age determines how long a password must be kept before the user can change it again. The default is 1 day, and any value between 1 and 998 days can be set. The minimum password age must be less than the maximum password age.

Minimum password length determines the least number of characters a user's password must contain. The default is 7, and the value can be set between 1 and 14 characters.

Password must meet complexity requirements determines that the password must meet minimum requirements, such as being at least 6 characters long, containing both uppercase and lowercase letters, and containing special characters (!, @, #, $, etc.).

Store passwords using reversible encryption determines whether the operating system stores passwords using reversible encryption. It is disabled by default.
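The following script is an added example, not part of the original post: it reads the effective domain password policy (the values set by the Default Domain Policy GPO described above) and reports every setting that is weaker than the defaults listed, including the case where reversible encryption has been switched on. It assumes the ActiveDirectory module (RSAT) is installed and the session is domain-joined; the domain name defaults to the current domain.

```powershell
# Added example (not from the original post): audit the domain password policy
# against the default values listed in the post. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    param(
        # Assumption: audit the domain of the current session unless told otherwise.
        [string] $Domain = (Get-ADDomain).DNSRoot
    )
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $findings = New-Object System.Collections.Generic.List[string]

    if ($p.PasswordHistoryCount -lt 24) {
        $findings.Add("Enforce password history is $($p.PasswordHistoryCount); default is 24")
    }
    # The policy value 0 ("passwords never expire") comes back as a zero TimeSpan.
    if ($p.MaxPasswordAge -eq [TimeSpan]::Zero) {
        $findings.Add("Maximum password age is 0: passwords never expire")
    }
    elseif ($p.MaxPasswordAge.TotalDays -gt 42) {
        $findings.Add("Maximum password age is $($p.MaxPasswordAge.TotalDays) days; default is 42")
    }
    elseif ($p.MinPasswordAge -ge $p.MaxPasswordAge) {
        $findings.Add("Minimum password age must be less than the maximum password age")
    }
    # With no minimum age a user can change the password repeatedly in one sitting
    # until the history is exhausted and the old password is allowed again.
    if ($p.MinPasswordAge -eq [TimeSpan]::Zero) {
        $findings.Add("Minimum password age is 0: password history can be cycled immediately")
    }
    if ($p.MinPasswordLength -lt 7) {
        $findings.Add("Minimum password length is $($p.MinPasswordLength); default is 7")
    }
    if (-not $p.ComplexityEnabled) {
        $findings.Add("Password complexity requirements are disabled")
    }
    # Reversible encryption is equivalent to storing the password in clear text.
    if ($p.ReversibleEncryptionEnabled) {
        $findings.Add("Store passwords using reversible encryption is ENABLED")
    }

    [pscustomobject]@{
        Domain    = $Domain
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

Test-DomainPasswordPolicy | Format-List
```

An empty Findings list means the domain matches the defaults above; any entry names the setting to revisit in the Default Domain Policy path given earlier.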

Windows Group Policy Management and Preferences

Group Policy lets us manage users and computers through the Group Policy Management Console (GPMC). GPMC is an administrative tool that is installed automatically when you promote a Domain Controller. You can also install GPMC on a client machine to manage Group Policy remotely. You can open it by running the command "gpmc.msc" or by clicking the GPMC icon in the Start menu.

Group Policy cannot be deployed on Groups

Don't fall for the name: even though it says Group Policy, the irony is that GP cannot be applied to groups. It can only be applied to users and computers; we will write a separate article to explain this better. GP can be used to install software, define permissions, restrict permissions, change password settings, restrict software, etc.

Types of Group Policies

By default, three types of GPs are created.

a) Local

It is used to apply policies to the local computer. It is created automatically on every machine regardless of its role, i.e. Domain Controller, member server or client machine. The command "gpedit.msc" opens the Local Group Policy Editor, which you can run on any operating system, client or server.

b) Domain

Domain Group Policy is managed by linking a GPO to the domain, which applies its settings, restrictions, etc. to all domain users and computers.

c) Domain Controller

Group Policy for Domain Controllers is managed by linking a GPO to the Domain Controllers OU. It is used to apply settings to all Domain Controllers.

Group Policy Management

Group Policy management is done at various levels, depending on the hierarchy of the organization and the scope of the settings. To remember the order of Group Policy processing, remember the word LSDOU. Let's understand the GP hierarchy in detail:

a) L = Local

Group Policy processing starts at the local computer. The computer checks and applies all policies defined locally. These are primarily for computers that are not part of a domain, but they can also be used on domain-joined computers. Local policy is the first to be applied.

b) S = Site

A site represents a geographically dispersed location. If your organization is large, with users spread across multiple locations, and the requirement is to apply settings to one specific location, this can be achieved by linking a GP to the site.

c) D = Domain

You can link a GP to the domain if you want to apply policies to all users or computers in that domain.

d) OU = Organizational Unit

An OU is a container for objects. Linking a GP to an OU is the preferred method of deploying policy. You can design the OU structure to match your organizational structure, i.e. different OUs for different roles or departments. Moreover, you can create nested OUs and link GPs to them. OU-linked policy is the last to be applied.

Group Policy Preferences

Group Policy preferences are important to understand. As used here, Group Policy preferences define the priority (precedence) assigned to each GP.

a) OU: It has the highest priority compared to the others. In any conflict, settings assigned at the OU level win over the rest.

b) Domain: Settings linked to the domain have lower priority than those linked to an OU, but higher priority than those linked to a site.

c) Site: It comes third in terms of priority.

d) Local: It has the least priority when settings are applied.

Group Policy Preferences and Winning Group Policy

As we learned from the processing order, Local GP is applied first and GP linked to an OU is applied last. We also learned under Group Policy preferences that settings linked to an OU have the highest priority versus settings linked to the domain, site or local computer. Now the question is which GP wins in case of a conflict. I'll take a simple scenario to understand Group Policy preferences and the winning policy.

a) Local: Let's assume we define the setting Disable Run on the local computer. With this setting, the user cannot use the Run command.

b) Site: Create a GP with the setting Enable Run for users and link it to the site.

c) Domain: Create a GP with the setting Disable Run for users and link it to the domain.

d) OU: Create another GP with the setting Enable Run for users and link it to the OU.

In the scenario above the settings conflict. As we know, the Local Group Policy is applied first and the policy linked to the OU is applied last; settings linked to the OU have the highest priority and settings linked to the local computer have the least.

Now the question is, "Which policy wins in case of conflict?"

The policy applied last wins, i.e. the Enable Run setting defined at the OU level wins and all users get the Run command. A simple way to remember this is to remember the processing sequence, or the Group Policy preferences. As already discussed, settings linked to the OU have the highest priority, therefore Enable Run applies and all users get Run.

Don't get confused by the enable and disable options. Some people think that the policy with the more restrictive setting always wins. That is true, but only in a separate situation; we will talk about it in an upcoming article, as it is a different topic.

Local GP is applied first and settings linked to the OU are applied last; the policy linked to the OU has the highest preference and the policy linked to the local computer has the least.
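The LSDOU conflict resolution described above, modelled as an added example that is not part of the original post: each layer is applied in the order Local, Site, Domain, OU, a later layer overwrites an earlier one for the same setting, and a layer that leaves the setting Not Configured expresses no opinion and so overwrites nothing. The layer objects and the setting name "Run command" are constructed for the illustration.

```powershell
# Added example (not from the original post): model of LSDOU processing order.
# Later layers overwrite earlier ones for the same setting, so the last writer wins;
# a layer that leaves a setting 'NotConfigured' does not overwrite anything.
function Get-WinningSetting {
    param(
        [Parameter(Mandatory)] [string]   $Setting,
        [Parameter(Mandatory)] [object[]] $Layers   # must be ordered Local, Site, Domain, OU
    )
    $winner = [pscustomobject]@{ Setting = $Setting; State = 'NotConfigured'; Source = 'none' }
    foreach ($layer in $Layers) {
        $state = $layer.Settings[$Setting]
        if ($null -eq $state -or $state -eq 'NotConfigured') { continue }   # no opinion, no override
        $winner.State  = $state      # overwrite: this layer is applied after the previous ones
        $winner.Source = $layer.Scope
    }
    return $winner
}

# Constructed layers reproducing the post's scenario: Local disables Run, Site enables it,
# Domain disables it again, and the OU enables it.
$scenario = @(
    [pscustomobject]@{ Scope = 'Local';  Settings = @{ 'Run command' = 'Disabled' } },
    [pscustomobject]@{ Scope = 'Site';   Settings = @{ 'Run command' = 'Enabled'  } },
    [pscustomobject]@{ Scope = 'Domain'; Settings = @{ 'Run command' = 'Disabled' } },
    [pscustomobject]@{ Scope = 'OU';     Settings = @{ 'Run command' = 'Enabled'  } }
)
Get-WinningSetting -Setting 'Run command' -Layers $scenario    # State Enabled, Source OU

# Variation: the OU GPO leaves the setting Not Configured, so the Domain layer wins
# even though the OU is applied last and has the highest precedence.
$scenario[3].Settings['Run command'] = 'NotConfigured'
Get-WinningSetting -Setting 'Run command' -Layers $scenario    # State Disabled, Source Domain
```

On a live domain, `Get-GPInheritance -Target "<OU distinguished name>"` from the GroupPolicy module lists the GPOs linked to and inherited by that OU in precedence order, which is the real-world counterpart of the `$Layers` list.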

Configure a Global Catalog in Server 2008 R2

1. Click Start, click Administrative Tools, and then click Active Directory Sites and Services.

2. In the details pane, right-click NTDS Settings and select Properties.

3. On the NTDS Settings Properties page, select the Global Catalog check box and click OK.

Note: You can also enable the global catalog role from the command line.

1. Log on to a domain controller.

2. Click Start, and then click Command Prompt.

3. In the Command Prompt window, type the following command:

repadmin /options servername +IS_GC

If the server is not yet a global catalog, repadmin /options reports "Current DSA Options: (none)".
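As an added example, not from the original post, the same change can be made and verified from PowerShell instead of the GUI or repadmin: the global catalog role is the IS_GC bit (0x1) in the options attribute of the domain controller's NTDS Settings object. It assumes the ActiveDirectory module is installed; "DC01" is a placeholder server name.

```powershell
# Added example (not from the original post): query and enable the global catalog
# role through the NTDS Settings object. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$IS_GC = 1   # NTDSDSA option bit that marks a DC as a global catalog

function Get-GlobalCatalogStatus {
    # IsGlobalCatalog reflects the same bit that repadmin /options shows as IS_GC.
    Get-ADDomainController -Filter * |
        Select-Object Name, Site, IsGlobalCatalog, NTDSSettingsObjectDN
}

function Enable-GlobalCatalog {
    param([Parameter(Mandatory)] [string] $DcName)
    $dc   = Get-ADDomainController -Identity $DcName
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $opts = [int]$ntds.options            # a missing attribute reads as 0
    if (($opts -band $IS_GC) -eq $IS_GC) {
        return "$DcName is already a global catalog"
    }
    # OR the bit in rather than overwriting, so any other option bits are preserved.
    Set-ADObject -Identity $ntds -Replace @{ options = ($opts -bor $IS_GC) }
    return "IS_GC set on $DcName; it advertises as a GC once the partial replicas have replicated"
}

Get-GlobalCatalogStatus | Format-Table -AutoSize
Enable-GlobalCatalog -DcName 'DC01'      # placeholder name
```

Run Get-GlobalCatalogStatus again after replication to confirm IsGlobalCatalog is True for the server.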