Solved

Windows 2012 Group Policy - Best Practises

Posted on 2016-09-18
Last Modified: 2016-09-26
Please share the best group policies which can be implemented with Windows 2012.
I am going to have a Windows 2012 Domain Controller and group policy needs to be implemented.

Basically looking for some of the main group policies which can be implemented for users.

Please advise
Question by:kurajesh
3 Comments
 
LVL 4

Accepted Solution

by:
Felicia King earned 250 total points
ID: 41803687
First, implement central store.
Your PDC should be Windows 2012 R2 at least. Then download the GPO packs for everything that is relevant.
You always have to search for these by keyword because direct linking will likely never take you to the most current versions. And if you aren't using the most current versions, you will find settings missing.

Windows 10 https://www.microsoft.com/en-us/download/details.aspx?id=48257
Win 8 and Server 2012   https://www.microsoft.com/en-us/download/details.aspx?id=43413

You install all of the latest ADMX packs on your PDC. They install to a location inside of Program Files (x86).
Then you set up Central Store.
https://support.microsoft.com/en-us/kb/929841
https://support.microsoft.com/en-us/kb/3087759

Note that you will encounter a couple of errors when opening GPMC.MSC afterwards.
The errors can be avoided by doing this reconciliation immediately after implementing Central Store.
Delete Microsoft-Windows-Geolocation-WLPAdm.admx and associated adml
Delete WinStoreui.admx and associated adml

https://support.microsoft.com/en-us/kb/3077013
https://www.404techsupport.com/2015/11/microsoft-policies-windowsstore-defined-updating-admx-central-store/

Ok, now that you have Central Store set up properly, follow some other basic rules.
- Always configure Windows Time service properly on domain controllers policy
- Configure Autosite coverage on domain controllers policy
- Configure Windows Firewall policy (1 for workstations, 1 for domain controllers, 1 for SQL servers, etc.)
- Only ever put computer config OR user config in one policy. Then disable the settings side that is not being used. This will help GPOs process faster.
- Apply computer config policies to OUs that contain computer objects.
- Apply user config policies to OUs that contain user objects.
- Always configure security policy for workstations, member servers, domain controllers. There should be three separate policies.
- Enable auditing and event logs
- Enable proper password policies
- Specify screensaver timeout lock and power profile settings for end users and their computers. Power profile goes on the computers, and screensaver control panel settings go on users.

There is a lot more to it than this, but I think this will really get you set up with a proper foundation.
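The Central Store procedure described in the accepted solution (copy the ADMX packs into SYSVOL, then remove the two templates that trigger GPMC errors) and the rule about disabling the unused half of a single-purpose GPO, as an added PowerShell example that is not part of the original answer. It assumes it is run on the PDC emulator as a domain admin with the ActiveDirectory and GroupPolicy modules; the ADMX source folder is a placeholder, since the answer only says the packs install under Program Files (x86).

```powershell
# Added example, not from the original answer. Run on the PDC emulator as a domain admin.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain       = (Get-ADDomain).DNSRoot
$CentralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
# Placeholder: point this at the PolicyDefinitions folder the downloaded ADMX pack installed.
$AdmxSource   = "${env:ProgramFiles(x86)}\Microsoft Group Policy\<ADMX pack folder>\PolicyDefinitions"

# 1. Create the Central Store and copy every .admx plus the language folders (.adml).
if (-not (Test-Path $CentralStore)) {
    New-Item -ItemType Directory -Path $CentralStore | Out-Null
}
Copy-Item -Path (Join-Path $AdmxSource '*') -Destination $CentralStore -Recurse -Force

# 2. Reconcile immediately: remove the two templates the answer says to delete (see KB3077013).
$Conflicting = 'Microsoft-Windows-Geolocation-WLPAdm', 'WinStoreui'
foreach ($name in $Conflicting) {
    Get-ChildItem -Path $CentralStore -Recurse -Include "$name.admx", "$name.adml" |
        Remove-Item -Force -Verbose
}

# 3. Sanity check: every .admx should have a matching en-US .adml, otherwise GPMC
#    reports missing resource files when it loads the store.
$missing = Get-ChildItem -Path "$CentralStore\*.admx" | Where-Object {
    -not (Test-Path (Join-Path $CentralStore "en-US\$($_.BaseName).adml"))
}
if ($missing) {
    Write-Warning "ADMX without en-US ADML: $($missing.BaseName -join ', ')"
}

# 4. The answer's rule: a GPO carries computer OR user settings; disable the other side.
function Disable-UnusedGpoSide {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('User', 'Computer')][string]$Unused
    )
    $gpo = Get-GPO -Name $Name
    $gpo.GpoStatus = if ($Unused -eq 'User') { 'UserSettingsDisabled' } else { 'ComputerSettingsDisabled' }
    return (Get-GPO -Name $Name).GpoStatus   # read back to confirm the change took
}

# Hypothetical GPO name: a computer-side policy whose user half is switched off.
Disable-UnusedGpoSide -Name 'Workstations - Computer Config' -Unused User
```

Re-run step 3 after each new ADMX pack is copied in; a pack that is newer than the installed adml set is the usual cause of the "missing settings" the answer warns about.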
 
LVL 39

Expert Comment

by:footech
ID: 41803690
There's no such thing as the "best group policies".  What you decide to implement is completely dictated by the needs of your network and users.

The only settings that I would say I recommend for practically every network are the password requirements, such that you don't let users set simple short passwords, and that accounts are locked automatically if too many incorrect passwords (say, 10) are entered in a short period of time (30 min).  The accounts can auto-unlock after several minutes (15).
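The lockout and password baseline footech recommends, as an added PowerShell example that is not footech's own code. It assumes a domain admin session with the ActiveDirectory module. Active Directory requires the lockout observation window to be no longer than the lockout duration, so the example keeps the 10-attempt threshold and 30-minute window from the comment and uses a 30-minute duration; the minimum length of 12 and complexity flag are my assumptions, since the comment gives no specific length.

```powershell
# Added example, not from the original comment. Applies to the Default Domain Policy.
Import-Module ActiveDirectory

$Domain = (Get-ADDomain).DNSRoot

$Window   = New-TimeSpan -Minutes 30   # bad attempts counted within this period
$Duration = New-TimeSpan -Minutes 30   # account auto-unlocks after this

# AD rejects a window longer than the duration; check before calling the cmdlet.
if ($Window -gt $Duration) {
    throw "LockoutObservationWindow ($Window) must not exceed LockoutDuration ($Duration)"
}

$policy = @{
    Identity                 = $Domain
    LockoutThreshold         = 10          # lock after 10 wrong passwords ...
    LockoutObservationWindow = $Window     # ... entered within the window
    LockoutDuration          = $Duration
    MinPasswordLength        = 12          # assumed value; footech gives no number
    ComplexityEnabled        = $true       # no short, simple passwords
}
Set-ADDefaultDomainPasswordPolicy @policy

# Read the effective policy back and compare with what was requested.
$effective = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
$checks = @(
    @{ Name = 'LockoutThreshold';         Want = 10;        Got = $effective.LockoutThreshold }
    @{ Name = 'LockoutObservationWindow'; Want = $Window;   Got = $effective.LockoutObservationWindow }
    @{ Name = 'LockoutDuration';          Want = $Duration; Got = $effective.LockoutDuration }
    @{ Name = 'MinPasswordLength';        Want = 12;        Got = $effective.MinPasswordLength }
    @{ Name = 'ComplexityEnabled';        Want = $true;     Got = $effective.ComplexityEnabled }
)
foreach ($c in $checks) {
    $status = if ($c.Got -eq $c.Want) { 'OK ' } else { 'DIFF' }
    "{0} {1,-26} want={2} got={3}" -f $status, $c.Name, $c.Want, $c.Got
}
```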
 
LVL 17

Assisted Solution

by:Emmanuel Adebayo
Emmanuel Adebayo earned 250 total points
ID: 41804419
Hi,

For the best practice you have to take into consideration the following:
- Minimal impact to the end user
- Balance of security and lockdown goals
- Minimal management overhead and complexity

For your case,

You have to determine the password complexity requirements, just as footech has mentioned. Other things to consider are:

- The user's profile, i.e. roaming, mandatory or even local
- Do users' applications need access to the registry
- How is the printer going to be configured

Regards
