Solved

Windows 2012 Group Policy - Best Practices

Posted on 2016-09-18
3
113 Views
Last Modified: 2016-09-26
Please share the best group policies which can be implemented with Windows 2012.
I am going to have a Windows 2012 Domain Controller and group policy needs to be implemented.

Basically looking for some of the main group policies which can be implemented for users.

Please advise
0
Comment
Question by:kurajesh
3 Comments
 
LVL 4

Accepted Solution

by:
Felicia King earned 250 total points
ID: 41803687
First, implement central store.
Your PDC should be Windows 2012R2 at least. Then download the GPO packs for everything that is relevant.
You always have to search for these by keyword because direct linking will likely never take you to the most current versions. And if you aren't using the most current versions, you will find settings missing.

Windows 10 https://www.microsoft.com/en-us/download/details.aspx?id=48257
Win 8 and Server 2012   https://www.microsoft.com/en-us/download/details.aspx?id=43413

You install all of the latest ADMX packs on your PDC. They install to a location inside of Program Files (x86).
Then you set up Central Store.
https://support.microsoft.com/en-us/kb/929841
https://support.microsoft.com/en-us/kb/3087759

Note that you will encounter a couple errors when opening GPMC.MSC afterwards.
ERRORS can be avoided by doing this reconciliation immediately after implementing central store.
Delete Microsoft-Windows-Geolocation-WLPAdm.admx and associated adml
Delete WinStoreui.admx and associated adml

https://support.microsoft.com/en-us/kb/3077013
https://www.404techsupport.com/2015/11/microsoft-policies-windowsstore-defined-updating-admx-central-store/


Ok, now that you have Central Store set up properly, follow some other basic rules.
- Always configure Windows Time service properly on domain controllers policy
- Configure Autosite coverage on domain controllers policy
- Configure Windows Firewall policy (1 for workstations, 1 for domain controllers, 1 for SQL servers, etc.)
- Only ever put computer config OR user config in one policy. Then disable the settings side that is not being used. This will help GPOs process faster.
- Apply computer config policies to OUs that contain computer objects.
- Apply user config policies to OUs that contain user objects.
- Always configure security policy for workstations, member servers, domain controllers. There should be three separate policies.
- Enable auditing and event logs
- Enable proper password policies
- Specify screensaver timeout lock and power profile settings for end users and their computers. Power profile goes on the computers, and screensaver control panel settings go on users.

There is a lot more to it than this, but I think this will really get you set up with a proper foundation.
0
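As an added example (not part of the answer above), a PowerShell script that builds the Central Store on the PDC emulator from an installed ADMX pack and then does the reconciliation the answer describes, removing the two named templates and their .adml files. The pack install path and the en-US language folder are assumptions; adjust them to the pack version you downloaded.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules ActiveDirectory
param(
    # Folder the ADMX pack installer extracted to (assumed; check your actual install path)
    [string]$AdmxPack = 'C:\Program Files (x86)\Microsoft Group Policy\PolicyDefinitions',
    [string]$Domain   = (Get-ADDomain).DNSRoot
)
Import-Module ActiveDirectory
$central = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

# The answer puts the packs on the PDC; refuse to run anywhere else.
$pdc = (Get-ADDomain).PDCEmulator
if ($env:COMPUTERNAME -ne ($pdc -split '\.')[0]) { throw "Run this on the PDC emulator: $pdc" }

# Create the store and copy the templates, including language subfolders such as en-US.
New-Item -ItemType Directory -Path $central -Force | Out-Null
Copy-Item -Path (Join-Path $AdmxPack '*') -Destination $central -Recurse -Force

# Reconciliation from the answer: drop the two templates that raise errors in GPMC,
# together with their .adml files in every language folder.
$conflicts = 'Microsoft-Windows-Geolocation-WLPAdm', 'WinStoreui'
foreach ($name in $conflicts) {
    Get-ChildItem -Path $central -Recurse -Include "$name.admx", "$name.adml" |
        ForEach-Object {
            Write-Host "Removing $($_.FullName)"
            Remove-Item -Path $_.FullName -Force
        }
}

# Sanity check: every .admx needs a matching en-US .adml or GPMC reports a parse error.
$missing = Get-ChildItem -Path $central -Filter '*.admx' |
    Where-Object { -not (Test-Path (Join-Path $central "en-US\$($_.BaseName).adml")) } |
    Select-Object -ExpandProperty Name
if ($missing) { Write-Warning "ADMX without en-US ADML: $($missing -join ', ')" }
else { Write-Host "Central store at $central is consistent." }
```

Open GPMC.MSC afterwards and edit any GPO; the console title bar should say the definitions were retrieved from the central store.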
 
LVL 40

Expert Comment

by:footech
ID: 41803690
There's no such thing as the "best group policies".  What you decide to implement is completely dictated by the needs of your network and users.

The only settings that I would say I recommend for practically every network are the password requirements, such that you don't let users set simple short passwords, and that accounts are locked automatically if too many incorrect passwords (say, 10) are entered in a short period of time (30 min).  The accounts can auto-unlock after several minutes (15).
1
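As an added example (not from the comment above), a PowerShell audit of the default domain password and lockout policy against the values the comment gives (10 bad attempts within 30 minutes, auto-unlock after 15 minutes). The minimum length of 12 is an assumption; the comment only says not to allow short simple passwords. One caveat worth knowing before applying these numbers: Active Directory rejects a lockout duration shorter than the observation window, so the script raises the duration to match the window when it applies the policy.

```powershell
#Requires -Modules ActiveDirectory
param([switch]$Fix)   # audit only by default; -Fix applies the target values

# Target values from the comment; MinPasswordLength 12 is an assumed value.
$wanted = @{
    MinPasswordLength        = 12
    ComplexityEnabled        = $true
    LockoutThreshold         = 10
    LockoutObservationWindow = New-TimeSpan -Minutes 30
    LockoutDuration          = New-TimeSpan -Minutes 15
}

# AD requires LockoutDuration >= LockoutObservationWindow (duration 0 = admin unlock only).
if ($wanted.LockoutDuration -ne [TimeSpan]::Zero -and
    $wanted.LockoutDuration -lt $wanted.LockoutObservationWindow) {
    Write-Warning 'Lockout duration raised to the observation window; AD rejects a shorter value.'
    $wanted.LockoutDuration = $wanted.LockoutObservationWindow
}

$current = Get-ADDefaultDomainPasswordPolicy
$drift = foreach ($k in @($wanted.Keys)) {
    $weak = switch ($k) {
        'MinPasswordLength' { $current.$k -lt $wanted.$k }                        # shorter is weaker
        'LockoutThreshold'  { $current.$k -eq 0 -or $current.$k -gt $wanted.$k }  # 0 = never locks
        'LockoutDuration'   { $current.$k -ne [TimeSpan]::Zero -and $current.$k -lt $wanted.$k }
        default             { $current.$k -ne $wanted.$k }                        # differs from target
    }
    if ($weak) { [pscustomobject]@{ Setting = $k; Current = $current.$k; Wanted = $wanted.$k } }
}

if (-not $drift) { Write-Host 'Default domain password/lockout policy meets the target.'; return }
$drift | Format-Table -AutoSize
if ($Fix) {
    $domainDn = (Get-ADDomain).DistinguishedName
    Set-ADDefaultDomainPasswordPolicy -Identity $domainDn @wanted
    Write-Host "Applied target values to $domainDn; re-run without -Fix to verify."
}
```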
 
LVL 17

Assisted Solution

by:Emmanuel Adebayo
Emmanuel Adebayo earned 250 total points
ID: 41804419
Hi,

For the best practice you have to take into consideration the following:
  - Minimal impact to the end user
  - Balance of security and lockdown goals
  - Minimal management overhead and complexity

For your case,

You have to determine the password complexity requirements just like Footech has mentioned. Other things to consider are

- The user's profile, i.e. Roaming or Mandatory or even local
- Do the user's applications need access to the registry
- How is the printer going to be configured

Regards
0
