Setting up of Group Policies in Windows 2019

Hi Friends

I am new to Win 2019, and I would like some assistance in configuring group policy. I am looking to achieve the following through group policies:
a. USB Blocking
b. Password Policy to be set across all users in ADS.
c. Account lockout Policy
d. Desktop idle timeout (for locking systems after specific intervals of non-use)

Regards

Chaitanya
System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018
Commented:
Open Group Policy Editor and create a new GPO:

USB Blocking
Computer Configuration -> Policies -> Administrative Templates -> System -> Removable Storage Access -> All Removable Storage classes: Deny all access -> Enabled

Password Policy
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> Enforce password history (eg. 5 passwords remembered)
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> Minimum password age (eg. 5 days)
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> Maximum password age (eg. 45 days)
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> Minimum password length (eg. 12 characters)
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> Password must meet complexity requirements -> Enable

Account lockout Policy
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy -> Account lockout threshold (eg. 5 minutes)
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy -> Account lockout duration (eg. 5 invalid logon attempts)

Desktop idle timeout
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Interactive logon: Machine inactivity limit -> Enabled (eg. 600 seconds)

Read the description carefully to set the policy correctly.
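
To confirm the four settings actually took effect after `gpupdate`, the following PowerShell check can be run on a domain-joined machine in scope of the GPO. It is an added example, not part of the answer above; the expected values are the "eg." figures from that answer, and it assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added verification example (not from the original answer).
# Expected values below are the example figures from the answer; adjust to your policy.
Import-Module ActiveDirectory   # assumption: RSAT AD module is available

# Read a policy-backed registry value; returns $null when the policy is not applied.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Password and lockout policy as the domain enforces it for domain accounts.
$p = Get-ADDefaultDomainPasswordPolicy

# "All Removable Storage classes: Deny all access" writes Deny_All = 1.
$usb  = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' 'Deny_All'
# "Interactive logon: Machine inactivity limit" writes InactivityTimeoutSecs.
$idle = Get-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'

$checks = @(
    @{ Setting = 'Enforce password history (passwords)';  Expected = 5;     Actual = $p.PasswordHistoryCount }
    @{ Setting = 'Minimum password age (days)';           Expected = 5;     Actual = $p.MinPasswordAge.TotalDays }
    @{ Setting = 'Maximum password age (days)';           Expected = 45;    Actual = $p.MaxPasswordAge.TotalDays }
    @{ Setting = 'Minimum password length (characters)';  Expected = 12;    Actual = $p.MinPasswordLength }
    @{ Setting = 'Password complexity enabled';           Expected = $true; Actual = $p.ComplexityEnabled }
    # Threshold is a count of failed logons; duration is a time span.
    @{ Setting = 'Account lockout threshold (attempts)';  Expected = 5;     Actual = $p.LockoutThreshold }
    @{ Setting = 'Account lockout duration (minutes)';    Expected = 5;     Actual = $p.LockoutDuration.TotalMinutes }
    @{ Setting = 'Removable storage: deny all access';    Expected = 1;     Actual = $usb }
    @{ Setting = 'Machine inactivity limit (seconds)';    Expected = 600;   Actual = $idle }
)

$results = foreach ($c in $checks) {
    [pscustomobject]@{
        Setting  = $c.Setting
        Expected = $c.Expected
        Actual   = $c.Actual
        Match    = ($c.Actual -eq $c.Expected)   # $null (policy not applied) yields False
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code when any setting is missing or differs, for use in scheduled checks.
if ($results.Match -contains $false) { exit 1 }
```

Password and account lockout settings only apply to domain accounts when the GPO carrying them is linked at the domain level; linked to an OU, they affect only the local accounts of the computers in that OU. An empty `Actual` for the two registry-backed rows means the GPO has not reached this machine, which `gpresult /r` can confirm.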