In a Business environment, what are the necessary Group Policy configurations?

  • Question

  • Hi all,

    I'm dabbling in group policy configuration for users and computers in an Active Directory domain, using Windows Server 2012 R2. I was just wondering what are considered best practices and must-haves as far as Group Policy goes?

    Main Considerations:

    • Software Restriction Policies (E.g. Disabling run command)
    • Password Policies (E.g. Minimum password age)
    • Basic Firewall Configuration
    • Software Deployment (What software is a must have in general)
    • Any security configurations within group policy

    I'm curious to know what those more experienced within this industry believe are the best practices and would love some insight!

    • Changed type Natasha L Thursday, June 29, 2017 2:48 PM
    Thursday, June 22, 2017 11:10 AM

Answers

  • Hi,

    • Software Restriction Policies (E.g. Disabling run command)

    Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain, and controls the ability of those programs to run. I think it is not possible to disable the Run command with SRP.

    https://technet.microsoft.com/en-us/library/hh831534(v=ws.11).aspx

    • Password Policies (E.g. Minimum password age)

    Tip: Best Practices for Enforcing Password Policies

    https://technet.microsoft.com/en-us/library/ff741764.aspx

    • Basic Firewall Configuration

    The best way to manage Windows Firewall settings in an organization network is to use Active Directory and the new Windows Firewall settings in Computer Configuration Group Policy.

    Deploying Windows Firewall Settings With Group Policy

    https://technet.microsoft.com/en-us/library/bb490626.aspx

    • Software Deployment (What software is a must have in general)

    There is no such best practice for your requirement.

    For software installation in a domain environment, the information below should be helpful to you.

    Software Installation extension of Group Policy is used to centrally manage software distribution. You can assign and publish software for groups of users and computers using this extension.

    MSI: Application Deployment via MSI / GPO

    https://blogs.technet.microsoft.com/askperf/2009/04/10/msi-application-deployment-via-msi-gpo/

    How to Install an MSI File Through Group Policy

    http://smallbusiness.chron.com/install-msi-file-through-group-policy-47495.html

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Besides, we recommend specifying the following settings in the GPO (Group Policy) to ensure that the MSI distribution process is smooth and seamless:

    Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer > Always install with elevated privileges

    Computer Configuration > Policies > Administrative Templates > System > Logon > Always wait for the network at computer startup and logon

    Computer Configuration > Policies > Administrative Templates > System > Group Policy > Software Installation policy processing (check "Allow processing across a slow network connection")

    • Any security configurations within group policy

    Configuring Security Options

    https://technet.microsoft.com/en-us/library/dd277405.aspx

    Group Policy Security Settings

    https://technet.microsoft.com/en-us/library/cc960657.aspx

    Best Regards,

    Alvin Wang



    • Proposed as answer by AlvwanModerator Friday, June 30, 2017 2:27 PM
    • Marked as answer by Natasha L Monday, July 3, 2017 8:30 AM
    Friday, June 30, 2017 8:21 AM
    Moderator
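
A read-only check of how two of the policies listed in the answer above land on a client, written as an added PowerShell example that is not part of the original thread. The registry locations are the standard policy keys for these settings; the helper name `Get-PolicyValue` is hypothetical.

```powershell
# Added example: report the effective registry state of two policies named in
# the answer ("Always install with elevated privileges" and "Always wait for
# the network at computer startup and logon"). Read-only; run it as the user
# whose session you want to inspect, after a gpupdate.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns the configured value, or $null when the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

$installer = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
$winlogon  = 'SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'

$machineElevated = Get-PolicyValue "HKLM:\$installer" 'AlwaysInstallElevated'
$userElevated    = Get-PolicyValue "HKCU:\$installer" 'AlwaysInstallElevated'
$waitForNetwork  = Get-PolicyValue "HKLM:\$winlogon"  'SyncForegroundPolicy'

# "Always install with elevated privileges" takes effect only when it is
# enabled in BOTH Computer Configuration and User Configuration. When it is
# in effect, Windows Installer runs any .msi the user starts with elevated
# rights, so this is the value a reviewer of the GPO wants to see reported.
$elevatedInEffect = ($machineElevated -eq 1) -and ($userElevated -eq 1)

$report = [pscustomobject]@{
    Computer                     = $env:COMPUTERNAME
    User                         = "$env:USERDOMAIN\$env:USERNAME"
    AlwaysInstallElevated_HKLM   = $machineElevated
    AlwaysInstallElevated_HKCU   = $userElevated
    AlwaysInstallElevated_Active = $elevatedInEffect
    WaitForNetworkAtStartup      = ($waitForNetwork -eq 1)
}

$report | Format-List

if ($elevatedInEffect) {
    Write-Warning 'AlwaysInstallElevated is active for this user: every MSI runs elevated.'
} elseif ($machineElevated -eq 1 -or $userElevated -eq 1) {
    Write-Output 'AlwaysInstallElevated is set on one side only and is not in effect.'
}
```

Empty values in the report mean the policy is not configured for that hive; the HKCU result reflects only the account that ran the script.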