Solved

Windows 2012 Group Policy - Best Practises

Posted on 2016-09-18
Last Modified: 2016-09-26
Please share the best group policies which can be implemented with Windows 2012.
I am going to have a Windows 2012 Domain Controller and group policy needs to be implemented.

Basically looking for some of the main group policies which can be implemented for users.

Please advise
Question by:kurajesh
3 Comments
 

Accepted Solution

by:
Felicia King earned 250 total points
ID: 41803687
First, implement central store.
Your PDC should be Windows 2012R2 at least. Then download the GPO packs for everything that is relevant.
You always have to search for these by keyword because direct linking will likely never take you to the most current versions. And if you aren't using the most current versions, you will find settings missing.

Windows 10 https://www.microsoft.com/en-us/download/details.aspx?id=48257
Win 8 and Server 2012   https://www.microsoft.com/en-us/download/details.aspx?id=43413

You install all of the latest ADMX packs on your PDC. They install to a location inside of Program Files (x86).
Then you set up Central Store.
https://support.microsoft.com/en-us/kb/929841
https://support.microsoft.com/en-us/kb/3087759

Note that you will encounter a couple errors when opening GPMC.MSC afterwards.
ERRORS can be avoided by doing this reconciliation immediately after implementing central store.
Delete Microsoft-Windows-Geolocation-WLPAdm.admx and associated adml
Delete WinStoreui.admx and associated adml

https://support.microsoft.com/en-us/kb/3077013
https://www.404techsupport.com/2015/11/microsoft-policies-windowsstore-defined-updating-admx-central-store/


Ok, now that you have Central Store set up properly, follow some other basic rules.
- Always configure Windows Time service properly on domain controllers policy
- Configure Autosite coverage on domain controllers policy
- Configure Windows Firewall policy (1 for workstations, 1 for domain controllers, 1 for SQL servers, etc.)
- Only ever put computer config OR user config in one policy. Then disable the settings side that is not being used. This will help GPO process faster.
- Apply computer config policies to OUs that contain computer objects.
- Apply user config policies to OUs that contain user objects.
- Always configure security policy for workstations, member servers, domain controllers. There should be three separate policies.
- Enable auditing and event logs
- Enable proper password policies
- Specify screensaver timeout lock and power profile settings for end users and their computers. Power profile goes on the computers, and screensaver control panel settings go on users.

There is a lot more to it than this, but I think this will really get you set up with a proper foundation.
0
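The Central Store steps from the accepted answer above, as an added PowerShell example that is not part of the original post. `$SourceFolders` and `$Domain` are assumed parameter names; add to `$SourceFolders` the PolicyDefinitions folders that the ADMX installers created under Program Files (x86), since the exact subfolder names depend on the pack.

```powershell
# Added example (not from the original answer): populate the Central Store and
# remove the two templates the answer lists. Run with rights to write to SYSVOL.
param(
    # Assumption: extend this list with the PolicyDefinitions folders created by
    # the ADMX installers under Program Files (x86), oldest pack first.
    [string[]]$SourceFolders = @("$env:SystemRoot\PolicyDefinitions"),
    [string]$Domain = $env:USERDNSDOMAIN
)

# The Central Store is a PolicyDefinitions folder under Policies in SYSVOL
$store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
if (-not (Test-Path -Path $store)) {
    New-Item -ItemType Directory -Path $store | Out-Null
}

foreach ($src in $SourceFolders) {
    if (-not (Test-Path -Path $src)) {
        Write-Warning "Source folder not found, skipped: $src"
        continue
    }
    # /S includes the language subfolders (en-US etc.) that hold the .adml files.
    # robocopy overwrites files that differ, so a later source replaces an earlier one.
    robocopy $src $store *.admx *.adml /S /NP /NJH /NJS | Out-Null
    if ($LASTEXITCODE -ge 8) {
        throw "robocopy failed for $src (exit code $LASTEXITCODE)"
    }
}

# Templates the answer says to delete, each with its associated .adml files
$remove = 'Microsoft-Windows-Geolocation-WLPAdm', 'WinStoreui'
Get-ChildItem -Path $store -Recurse -File |
    Where-Object {
        ($remove -contains $_.BaseName) -and
        ('.admx', '.adml' -contains $_.Extension)
    } |
    Remove-Item -Force -Verbose

# Count what is left so the result can be checked before opening GPMC.MSC
$left = @(Get-ChildItem -Path $store -Filter *.admx).Count
Write-Output "$left ADMX templates in $store"
```

The `-Verbose` output lists each deleted file, which gives a record of the reconciliation step.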
 

Expert Comment

by:footech
ID: 41803690
There's no such thing as the "best group policies".  What you decide to implement is completely dictated by the needs of your network and users.

The only settings that I would say I recommend for practically every network are the password requirements, such that you don't let users set simple short passwords, and that accounts are locked automatically if too many incorrect passwords (say, 10) are entered in a short period of time (30 min).  The accounts can auto-unlock after several minutes (15).
1
 

Assisted Solution

by:Emmanuel Adebayo
Emmanuel Adebayo earned 250 total points
ID: 41804419
Hi,

For the best practice you have to take into consideration the following:
  - Minimal impact to the end user
  - Balance of security and lockdown goals
  - Minimal management overhead and complexity

For your case,

You have to determine the password complexity requirements, just as footech mentioned. Other things to consider are:

- The user's profile, i.e. Roaming or Mandatory or even local
- Do users' applications need access to the registry
- How is the printer going to be configured

Regards
0
