Group Policy is one of the most powerful tools in a Windows administrator's arsenal. It allows you to centrally manage security settings, software deployment, and user configurations across your entire Active Directory environment. This guide covers the essential GPO settings every admin should implement.
Password Policy Settings
Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy
- Minimum password length: 12 characters (14+ recommended)
- Password complexity: Enabled (requires uppercase, lowercase, number, special character)
- Maximum password age: 90 days (or consider passwordless approaches)
- Minimum password age: 1 day (prevents rapid password cycling)
- Enforce password history: 24 passwords remembered
Account Lockout Policy
- Account lockout threshold: 5 invalid attempts
- Account lockout duration: 30 minutes
- Reset lockout counter after: 30 minutes
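The settings in the two lists above map one-to-one onto parameters of `Set-ADDefaultDomainPasswordPolicy`, which is the quickest way to apply and verify them against the Default Domain Policy. The script below is an added example, not part of the original guide; it assumes the ActiveDirectory RSAT module, Domain Admins rights, and a domain-joined session (the domain name is read from `$env:USERDNSDOMAIN`). It uses 14 characters as the minimum length, the recommended value above.

```powershell
# Added example (not from the original guide): apply the password and lockout
# values above to the Default Domain Policy, then read the effective policy
# back and report any setting that still deviates from the baseline.
Import-Module ActiveDirectory

# Baseline values from the guide; keys are the cmdlet's own parameter names
$Baseline = @{
    MinPasswordLength        = 14
    ComplexityEnabled        = $true
    MaxPasswordAge           = New-TimeSpan -Days 90
    MinPasswordAge           = New-TimeSpan -Days 1
    PasswordHistoryCount     = 24
    LockoutThreshold         = 5
    LockoutDuration          = New-TimeSpan -Minutes 30
    LockoutObservationWindow = New-TimeSpan -Minutes 30
}

function Set-PasswordBaseline {
    param([string]$Domain = $env:USERDNSDOMAIN)   # assumption: domain-joined session
    # Splat the hashtable straight into the cmdlet
    Set-ADDefaultDomainPasswordPolicy -Identity $Domain @Baseline
}

function Test-PasswordBaseline {
    param([string]$Domain = $env:USERDNSDOMAIN)
    # One object per setting so drift can be filtered, exported or alerted on
    $current = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    foreach ($name in $Baseline.Keys) {
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Baseline[$name]
            Actual    = $current.$name
            Compliant = ($current.$name -eq $Baseline[$name])
        }
    }
}

Set-PasswordBaseline
# Print only the settings that did not take effect (empty output means compliant)
Test-PasswordBaseline | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Run `Test-PasswordBaseline` on its own from a scheduled task to catch later drift; it reads the policy but changes nothing.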
Audit Policy Configuration
Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration
```powershell
# Enable via PowerShell (auditpol.exe works from an elevated PowerShell or cmd prompt)
# These commands set the local effective policy; the equivalent GPO settings live
# under the Advanced Audit Policy Configuration node above and override local changes.
# Logon, Logoff, Account Lockout and Directory Service Changes are subcategories
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable
# Account Management and Policy Change are top-level categories, so use /category
auditpol /set /category:"Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable
auditpol /set /category:"Policy Change" /success:enable /failure:enable
```
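Enabling the subcategories is only useful if someone checks that they took effect and then reads the events they produce. The script below is an added example, not part of the original guide: it parses `auditpol /get /r` (CSV output) to confirm the relevant subcategories are enabled, then summarises failed logons (event 4625) and lockouts (event 4740) per account over a lookback window. It assumes an elevated session on the audited host (a domain controller if you want the directory service events) with read access to the Security log; the 24-hour window and the threshold of 5 mirror the lockout policy above.

```powershell
# Added example (not from the original guide): verify the audit subcategories
# above are in effect and summarise the events they generate.

function Get-AuditSettings {
    # auditpol /get /r prints CSV; ConvertFrom-Csv turns it into filterable objects
    $expected = @('Logon', 'Logoff', 'Account Lockout', 'Directory Service Changes',
                  'User Account Management', 'Security Group Management', 'Audit Policy Change')
    auditpol /get /category:* /r | ConvertFrom-Csv |
        Where-Object { $expected -contains $_.Subcategory } |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Get-LogonFailureSummary {
    param([int]$Hours = 24, [int]$Threshold = 5)
    $since = (Get-Date).AddHours(-$Hours)
    # 4625 = failed logon, 4740 = account locked out; one query for both
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4740; StartTime = $since } `
        -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        # EventData is a list of <Data Name="..."> nodes; index them by name
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Account = $data['TargetUserName']
            # 4625 carries the source IP; 4740 carries the caller computer name in TargetDomainName
            Source  = if ($e.Id -eq 4625) { $data['IpAddress'] } else { $data['TargetDomainName'] }
        }
    }
    # Group per account and flag anything at or above the lockout threshold
    $rows | Group-Object Account | ForEach-Object {
        $failures = @($_.Group | Where-Object Id -eq 4625).Count
        [pscustomobject]@{
            Account   = $_.Name
            Failures  = $failures
            Lockouts  = @($_.Group | Where-Object Id -eq 4740).Count
            Sources   = ($_.Group.Source | Sort-Object -Unique) -join ', '
            OverLimit = $failures -ge $Threshold
        }
    } | Sort-Object Failures -Descending
}

Get-AuditSettings | Format-Table -AutoSize
Get-LogonFailureSummary -Hours 24 | Format-Table -AutoSize
```

A high `Failures` count spread across many `Sources` for one account, or many accounts from one source, is the pattern worth an alert; a single account with a handful of failures from one workstation is usually a forgotten password.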
User Rights Assignment
- Allow log on locally: Restrict to Administrators and authorized users
- Deny log on through Remote Desktop: Add guest accounts and service accounts
- Access this computer from the network: Limit to necessary groups
- Shut down the system: Administrators only
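The four assignments above correspond to the privilege constants `SeInteractiveLogonRight`, `SeDenyRemoteInteractiveLogonRight`, `SeNetworkLogonRight` and `SeShutdownPrivilege`, which is how they appear when exported. The script below is an added example, not part of the original guide: it exports the effective user rights with `secedit`, resolves the SIDs to account names, and reports principals that are present but not expected (or expected but missing). It assumes an elevated session; the expected principals are the guide's recommendations and are placeholders to be replaced with your own groups.

```powershell
# Added example (not from the original guide): audit the effective User Rights
# Assignment on this machine against the recommendations above.

# Privilege constants behind the friendly names in the GPO editor.
# The principals listed are illustrative; substitute your own groups.
$Expected = @{
    SeInteractiveLogonRight           = @('BUILTIN\Administrators', 'BUILTIN\Users')                       # Allow log on locally
    SeDenyRemoteInteractiveLogonRight = @('BUILTIN\Guests')                                                # Deny log on through Remote Desktop
    SeNetworkLogonRight               = @('BUILTIN\Administrators', 'NT AUTHORITY\Authenticated Users')    # Access this computer from the network
    SeShutdownPrivilege               = @('BUILTIN\Administrators')                                        # Shut down the system
}

function Convert-SidToName {
    param([string]$Entry)
    # secedit writes SIDs with a leading '*'; anything else is already a name
    if ($Entry -notlike '*S-1-*') { return $Entry }
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Entry.TrimStart('*'))).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Entry   # orphaned SID (deleted account) is reported unresolved rather than dropped
    }
}

function Get-UserRightsAssignment {
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights = @{}
    # [Privilege Rights] lines look like:  SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
    foreach ($line in Get-Content $inf) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { Convert-SidToName $_.Trim() })
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    $rights
}

function Test-UserRightsBaseline {
    $actual = Get-UserRightsAssignment
    foreach ($right in $Expected.Keys) {
        $have = @($actual[$right])   # a right absent from the export has no holders
        [pscustomobject]@{
            Right      = $right
            Unexpected = ($have | Where-Object { $Expected[$right] -notcontains $_ }) -join ', '
            Missing    = ($Expected[$right] | Where-Object { $have -notcontains $_ }) -join ', '
        }
    }
}

Test-UserRightsBaseline | Format-Table -AutoSize
```

Anything in the `Unexpected` column of `SeInteractiveLogonRight` or `SeNetworkLogonRight` is the first thing to review; service accounts that have accumulated interactive logon rights are a common finding.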
Software Restriction Policies
```powershell
# PowerShell - Configure AppLocker rules
# New-AppLockerPolicy takes file information as input: scan the signed binaries
# under Program Files and generate publisher rules that let Everyone run them
$policy = Get-AppLockerFileInformation -Directory "C:\Program Files" -Recurse |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -Optimize
# Merge the generated rules into the local AppLocker policy
# (add -Ldap with the GPO's distinguished name to write into a domain GPO instead)
Set-AppLockerPolicy -PolicyObject $policy -Merge
# Block executables from user-writable locations
# Deny: %AppData%, %LocalAppData%, %Temp%, Downloads folder
# (AppLocker denies anything without an allow rule once enforcement is on, so
# simply never create allow rules covering these paths)
```
Windows Firewall GPO
Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security
- Enable firewall for all profiles (Domain, Private, Public)
- Block inbound connections by default
- Allow outbound connections by default
- Create specific rules for required services
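The same four settings can be applied and verified with the NetSecurity module, which is also how you confirm on an endpoint that the GPO actually landed. The script below is an added example, not part of the original guide; it assumes an elevated session on the target machine. The built-in "Remote Desktop" rule group and the `10.0.100.0/24` management subnet are constructed stand-ins for whatever services and sources your hosts really need.

```powershell
# Added example (not from the original guide): apply the firewall baseline
# above and read the profile state back.
Import-Module NetSecurity

function Set-FirewallBaseline {
    # Enable all three profiles, block inbound and allow outbound by default,
    # and log dropped packets so the denies are visible to the SOC
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow `
        -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

    # Specific rules for required services: the built-in Remote Desktop group,
    # limited to the Domain profile so it is never exposed on public networks
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Set-NetFirewallRule -Profile Domain

    # A custom inbound rule for an in-house agent; port and subnet are example values
    New-NetFirewallRule -DisplayName 'Allow Agent 8443 (mgmt subnet)' -Direction Inbound `
        -Protocol TCP -LocalPort 8443 -RemoteAddress 10.0.100.0/24 `
        -Action Allow -Profile Domain -ErrorAction SilentlyContinue
}

function Test-FirewallBaseline {
    # One row per profile; Compliant is true only when all three settings match
    Get-NetFirewallProfile -Profile Domain, Private, Public | ForEach-Object {
        [pscustomobject]@{
            Profile   = $_.Name
            Enabled   = $_.Enabled
            Inbound   = $_.DefaultInboundAction
            Outbound  = $_.DefaultOutboundAction
            Compliant = ($_.Enabled -eq 'True' -and
                         $_.DefaultInboundAction -eq 'Block' -and
                         $_.DefaultOutboundAction -eq 'Allow')
        }
    }
}

Set-FirewallBaseline
Test-FirewallBaseline | Format-Table -AutoSize
```

When the settings are delivered by GPO, `Get-NetFirewallProfile -PolicyStore ActiveStore` shows the merged result of local and domain policy, which is the value to check.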
GPO Management Best Practices
```powershell
# PowerShell GPO management
Import-Module GroupPolicy
# List all GPOs
Get-GPO -All | Select-Object DisplayName, GpoStatus
# Create new GPO
New-GPO -Name "Security Baseline" -Comment "Standard security settings"
# Link GPO to OU (the cmdlet is New-GPLink, not New-GPOLink)
New-GPLink -Name "Security Baseline" -Target "OU=Workstations,DC=company,DC=com"
# Backup GPOs
Backup-GPO -All -Path "\\server\gpo-backups"
# Generate GPO report
Get-GPOReport -Name "Security Baseline" -ReportType HTML -Path "C:\Reports\SecurityBaseline.html"
```
Security Baseline Checklist
- Implement strong password policies
- Configure account lockout thresholds
- Enable comprehensive audit logging
- Restrict local administrator access
- Block unauthorized software execution
- Configure Windows Firewall rules
- Disable unnecessary services
- Enable BitLocker drive encryption
- Configure Windows Update policies
- Implement LAPS for local admin passwords
Group Policy is your primary tool for maintaining a secure Windows environment at scale. Start with these essential settings, test thoroughly in a lab OU, and then deploy to production. Regular GPO reviews ensure your security baseline stays current.