
Windows 2012 Group Policy - Best Practices

Posted on 2016-09-18
Last Modified: 2016-09-26
Please share the best group policies which can be implemented with Windows 2012.
I am going to have a Windows 2012 Domain Controller and group policy needs to be implemented.

Basically looking for some of the main group policies which can be implemented for users.

Please advise
Question by:kurajesh
3 Comments
 
Accepted Solution

by:
Felicia King earned 1000 total points
ID: 41803687
First, implement Central Store.
Your PDC should be Windows 2012R2 at least. Then download the GPO packs for everything that is relevant.
You always have to search for these by keyword because direct linking will likely never take you to the most current versions. And if you aren't using the most current versions, you will find settings missing.

Windows 10 https://www.microsoft.com/en-us/download/details.aspx?id=48257
Win 8 and Server 2012   https://www.microsoft.com/en-us/download/details.aspx?id=43413

You install all of the latest ADMX packs on your PDC. They install to a location inside of Program Files (x86).
Then you set up Central Store.
https://support.microsoft.com/en-us/kb/929841
https://support.microsoft.com/en-us/kb/3087759

Note that you will encounter a couple of errors when opening GPMC.MSC afterwards.
These errors can be avoided by doing this reconciliation immediately after implementing Central Store:
- Delete Microsoft-Windows-Geolocation-WLPAdm.admx and the associated adml
- Delete WinStoreui.admx and the associated adml

https://support.microsoft.com/en-us/kb/3077013
https://www.404techsupport.com/2015/11/microsoft-policies-windowsstore-defined-updating-admx-central-store/


OK, now that you have Central Store set up properly, follow some other basic rules.
- Always configure the Windows Time service properly in the domain controllers policy
- Configure Autosite coverage in the domain controllers policy
- Configure Windows Firewall policy (1 for workstations, 1 for domain controllers, 1 for SQL servers, etc.)
- Only ever put computer config OR user config in one policy. Then disable the settings side that is not being used. This will help GPOs process faster.
- Apply computer config policies to OUs that contain computer objects.
- Apply user config policies to OUs that contain user objects.
- Always configure security policy for workstations, member servers, domain controllers. There should be three separate policies.
- Enable auditing and event logs
- Enable proper password policies
- Specify screensaver timeout lock and power profile settings for end users and their computers. Power profile goes on the computers, and screensaver control panel settings go on users.

There is a lot more to it than this, but I think this will really get you set up with a proper foundation.
0
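The Central Store steps from the answer above, as an added PowerShell example that is not part of the original post. The function name `Publish-AdmxCentralStore` and both parameters are hypothetical; the source folder is whatever PolicyDefinitions folder the downloaded ADMX pack installed, and the account running it is assumed to have write access to SYSVOL.

```powershell
# Added example (not from the original answer). Run on a domain controller.
function Publish-AdmxCentralStore {
    param(
        # PolicyDefinitions folder created by the ADMX pack installer (assumption: you locate it)
        [Parameter(Mandatory)][string]$AdmxSource,
        # Central Store folder in SYSVOL
        [Parameter(Mandatory)][string]$CentralStore
    )

    if (-not (Test-Path -LiteralPath $AdmxSource -PathType Container)) {
        throw "ADMX source folder not found: $AdmxSource"
    }
    if (-not (Test-Path -LiteralPath $CentralStore -PathType Container)) {
        New-Item -ItemType Directory -Path $CentralStore -Force | Out-Null
    }

    # Copy the .admx files and every language subfolder (.adml) into the store.
    Copy-Item -Path (Join-Path $AdmxSource '*') -Destination $CentralStore -Recurse -Force

    # The two templates the answer says to delete, with their .adml files
    # in every language folder. -eq is case-insensitive in PowerShell.
    $conflicts = 'Microsoft-Windows-Geolocation-WLPAdm', 'WinStoreui'
    $toRemove = Get-ChildItem -LiteralPath $CentralStore -Recurse -File |
        Where-Object {
            $_.BaseName -in $conflicts -and $_.Extension -in '.admx', '.adml'
        }

    foreach ($file in $toRemove) {
        Remove-Item -LiteralPath $file.FullName -Force
        $file.FullName   # emit what was removed so the change is logged
    }
}

# Usage (placeholder source path; the store path follows the standard SYSVOL layout):
# $domain = $env:USERDNSDOMAIN
# Publish-AdmxCentralStore `
#     -AdmxSource   '<PolicyDefinitions folder of the installed ADMX pack>' `
#     -CentralStore "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
```

Open GPMC.MSC afterwards and edit any GPO to confirm that Administrative Templates load from the Central Store without namespace errors.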
 
Expert Comment

by:footech
ID: 41803690
There's no such thing as the "best group policies".  What you decide to implement is completely dictated by the needs of your network and users.

The only settings that I would say I recommend for practically every network are the password requirements, such that you don't let users set simple short passwords, and that accounts are locked automatically if too many incorrect passwords (say, 10) are entered in a short period of time (30 min).  The accounts can auto-unlock after several minutes (15).
1
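A check of a domain's password and lockout policy against the figures in the comment above, as an added PowerShell example that is not part of the original post. The function name `Test-LockoutBaseline` and the sample policy object are constructed for illustration; the figures are treated as minimums because Active Directory rejects a lockout duration shorter than the observation window.

```powershell
# Added example (not from the original comment).
function Test-LockoutBaseline {
    param(
        [Parameter(Mandatory)]$Policy,            # output of Get-ADDefaultDomainPasswordPolicy
        [int]$MaxThreshold = 10,                  # bad attempts before lockout
        [timespan]$MinWindow = '00:30:00',        # period over which attempts are counted
        [timespan]$MinDuration = '00:15:00'       # time before automatic unlock
    )
    $findings = @()

    # A threshold of 0 means accounts are never locked out.
    if ($Policy.LockoutThreshold -eq 0) {
        $findings += 'Account lockout is disabled (threshold is 0).'
    } elseif ($Policy.LockoutThreshold -gt $MaxThreshold) {
        $findings += "Lockout threshold $($Policy.LockoutThreshold) exceeds $MaxThreshold."
    }

    # A shorter window resets the bad-password counter sooner.
    if ($Policy.LockoutObservationWindow -lt $MinWindow) {
        $findings += "Observation window $($Policy.LockoutObservationWindow) is under $MinWindow."
    }

    # A duration of zero means locked until an administrator unlocks, which is stricter.
    if ($Policy.LockoutDuration -ne [timespan]::Zero -and
        $Policy.LockoutDuration -lt $MinDuration) {
        $findings += "Lockout duration $($Policy.LockoutDuration) is under $MinDuration."
    }

    if (-not $Policy.ComplexityEnabled) {
        $findings += 'Password complexity is not enforced.'
    }
    $findings
}

# Constructed sample policy so the check runs without a domain.
$sample = [pscustomobject]@{
    LockoutThreshold         = 0
    LockoutObservationWindow = [timespan]'00:30:00'
    LockoutDuration          = [timespan]'00:30:00'
    ComplexityEnabled        = $false
}
Test-LockoutBaseline -Policy $sample

# Against a live domain (requires the ActiveDirectory module):
# Test-LockoutBaseline -Policy (Get-ADDefaultDomainPasswordPolicy)
```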
 
Assisted Solution

by:Emmanuel Adebayo
Emmanuel Adebayo earned 1000 total points
ID: 41804419
Hi,

For best practice you have to take into consideration the following:
  - Minimal impact to the end user
  - Balance of security and lockdown goals
  - Minimal management overhead and complexity

For your case,

You have to determine the password complexity requirements, just as footech mentioned. Other things to consider are:

- The user's profile, i.e. roaming, mandatory or even local
- Do the user's applications need access to the registry
- How is the printer going to be configured

Regards
0
