Solved

Windows 2012 Group Policy - Best Practises

Posted on 2016-09-18
Last Modified: 2016-09-26
Please share the best group policies which can be implemented with Windows 2012.
I am going to have a Windows 2012 Domain Controller and group policy needs to be implemented.

Basically looking for some of the main group policies which can be implemented for users.

Please advise
Question by:kurajesh
3 Comments
 
Accepted Solution

by:Felicia King
Felicia King earned 250 total points
ID: 41803687
First, implement central store.
Your PDC should be Windows 2012R2 at least. Then download the GPO packs for everything that is relevant.
You always have to search for these by keyword because direct linking will likely never take you to the most current versions. And if you aren't using the most current versions, you will find settings missing.

Windows 10 https://www.microsoft.com/en-us/download/details.aspx?id=48257
Win 8 and Server 2012   https://www.microsoft.com/en-us/download/details.aspx?id=43413

You install all of the latest ADMX packs on your PDC. They install to a location inside of Program Files (x86).
Then you set up Central Store.
https://support.microsoft.com/en-us/kb/929841
https://support.microsoft.com/en-us/kb/3087759

Note that you will encounter a couple of errors when opening GPMC.MSC afterwards.
ERRORS can be avoided by doing this reconciliation immediately after implementing central store.
Delete Microsoft-Windows-Geolocation-WLPAdm.admx and associated adml
Delete WinStoreui.admx and associated adml

https://support.microsoft.com/en-us/kb/3077013
https://www.404techsupport.com/2015/11/microsoft-policies-windowsstore-defined-updating-admx-central-store/


OK, now that you have Central Store set up properly, follow some other basic rules.
- Always configure Windows Time service properly on domain controllers policy
- Configure Autosite coverage on domain controllers policy
- Configure Windows Firewall policy (1 for workstations, 1 for domain controllers, 1 for SQL servers, etc.)
- Only ever put computer config OR user config in one policy. Then disable the settings side that is not being used. This will help GPO process faster.
- Apply computer config policies to OUs that contain computer objects.
- Apply user config policies to OUs that contain user objects.
- Always configure security policy for workstations, member servers, domain controllers. There should be three separate policies.
- Enable auditing and event logs
- Enable proper password policies
- Specify screensaver timeout lock and power profile settings for end users and their computers. Power profile goes on the computers, and screensaver control panel settings go on users.

There is a lot more to it than this, but I think this will really get you set up with a proper foundation.
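The Central Store steps in the answer above, scripted as an added example (not code from the original answer). It assumes it is run elevated on the PDC after the ADMX pack is installed; `$PackPath`, `$Language` and the copy order (OS templates first, pack on top) are assumptions, while the two template names are the ones the answer says to delete.

```powershell
# Added example: create the Central Store, then reconcile the two conflicting templates.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    # Assumption: the PolicyDefinitions folder the ADMX pack installed under Program Files (x86).
    [Parameter(Mandatory)] [string]$PackPath,
    [string]$Language = 'en-US'   # assumption: the language GPMC is run in
)

$central = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
# Templates the answer says to delete right after implementing the store.
$conflicting = 'Microsoft-Windows-Geolocation-WLPAdm', 'WinStoreui'

# 1. Create the store and seed it: OS templates first, then the newer pack on top.
if (-not (Test-Path $central)) {
    New-Item -Path $central -ItemType Directory | Out-Null
}
foreach ($source in "$env:SystemRoot\PolicyDefinitions", $PackPath) {
    if (-not (Test-Path $source)) {
        Write-Warning "Skipping missing source: $source"
        continue
    }
    Copy-Item -Path (Join-Path $source '*') -Destination $central -Recurse -Force
}

# 2. Reconcile: remove both .admx files and their .adml in every language folder.
Get-ChildItem -Path $central -Recurse -File |
    Where-Object { $_.BaseName -in $conflicting -and $_.Extension -in '.admx', '.adml' } |
    Remove-Item -Force

# 3. Check: every remaining .admx should have a resource file for the GPMC language,
#    otherwise GPMC reports a missing resource when it loads that template.
$orphans = Get-ChildItem -Path $central -Filter *.admx -File | Where-Object {
    -not (Test-Path (Join-Path $central "$Language\$($_.BaseName).adml"))
}
if ($orphans) {
    Write-Warning "Templates without a $Language resource file:"
    $orphans | Select-Object -ExpandProperty Name
} else {
    "Central Store at $central is consistent for $Language."
}
```

Running the script with `-WhatIf` first lists the folder creation, copies and deletions without changing SYSVOL.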
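An added example (not from the original answer) for the rule about keeping only computer or only user settings in a policy and disabling the unused side: it reads a GPO report and says which side to disable. The function name and the sample report are constructed for illustration; the report shape is that of `Get-GPOReport -ReportType Xml`, trimmed to the elements used.

```powershell
# Added example: flag GPOs that mix both sides or leave the unused side enabled.
function Get-GpoSideAdvice {
    param([Parameter(Mandatory)] [xml]$Report)

    $gpo = $Report.GPO
    # A side carries settings only if the report has ExtensionData under it.
    $usesComputer = [bool]$gpo.Computer.ExtensionData
    $usesUser     = [bool]$gpo.User.ExtensionData

    if ($usesComputer -and $usesUser) {
        $advice = 'Split: holds both computer and user settings'
    } elseif ($usesComputer -and $gpo.User.Enabled -eq 'true') {
        $advice = 'Set GpoStatus to UserSettingsDisabled'
    } elseif ($usesUser -and $gpo.Computer.Enabled -eq 'true') {
        $advice = 'Set GpoStatus to ComputerSettingsDisabled'
    } elseif (-not ($usesComputer -or $usesUser)) {
        $advice = 'Empty GPO: no settings on either side'
    } else {
        $advice = 'OK'
    }

    [pscustomobject]@{
        Name     = $gpo.Name
        Computer = $usesComputer
        User     = $usesUser
        Advice   = $advice
    }
}

# Constructed sample report: computer-only firewall policy with the user side still enabled.
$sample = [xml]@'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Workstation Firewall</Name>
  <Computer>
    <Enabled>true</Enabled>
    <ExtensionData><Name>Windows Firewall</Name></ExtensionData>
  </Computer>
  <User><Enabled>true</Enabled></User>
</GPO>
'@
Get-GpoSideAdvice -Report $sample

# Against a live domain (GroupPolicy module, part of GPMC):
# Get-GPO -All | ForEach-Object {
#     Get-GpoSideAdvice ([xml](Get-GPOReport -Guid $_.Id -ReportType Xml)) }
# (Get-GPO -Name 'Workstation Firewall').GpoStatus = 'UserSettingsDisabled'
```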

Expert Comment

by:footech
ID: 41803690
There's no such thing as the "best group policies".  What you decide to implement is completely dictated by the needs of your network and users.

The only settings that I would say I recommend for practically every network are the password requirements, such that you don't let users set simple short passwords, and that accounts are locked automatically if too many incorrect passwords (say, 10) are entered in a short period of time (30 min).  The accounts can auto-unlock after several minutes (15).

Assisted Solution

by:Emmanuel Adebayo
Emmanuel Adebayo earned 250 total points
ID: 41804419
Hi,

For the best practice you have to take into consideration the following:
- Minimal impact to the end user
- Balance of security and lockdown goals
- Minimal management overhead and complexity

For your case,

You have to determine the password complexity requirements, just as footech mentioned. Other things to consider are:

- The user's profile, i.e. Roaming or Mandatory or even local
- Do users' applications need access to the registry
- How is the printer going to be configured

Regards