Questions tagged [group-policy]

Group Policy is a built-in feature of the Microsoft Windows operating systems. Group Policy allows administrators to automatically configure myriad options within the OS. These policies can be configured, and applied, either locally to the computer via Local Group Policy or remotely within an Active Directory environment.

Microsoft has added Group Policy Preferences Client Side Extensions, formerly a third-party tool called PolicyMaker, to its in-support Windows OSes. The CSEs greatly extend the number features which can be configured via Group Policy.

See the following links for more details.

http://gpsearch.azurewebsites.net - Searchable list of configurable group policies http://blogs.technet.com/grouppolicy - Microsoft’s official Group Policy blog http://blogs.technet.com/askds - Ask Directory Services is the official blog from Microsoft engineers supporting group policy and other related AD technologies

25 questions

votes

3 answers

Windows groups and permissions: Authenticated Users group meaning

What is the purpose of the "Authenticated Users" group in Windows? Under Linux it doesn't exist and I'm starting to think this is another idiosyncrasy or over-engineering of the Windows operating system. Here is why: Assume I want to know what…

windows windows-permissions group-policy

asked Jul 12 '13 at 11:53

dendini

votes

1 answer

Will enforcing this restriction on Domain Admins "break the network"?

Let's say we secure all servers in the domain.. Domain controllers allow RDP access only from jump servers Domain admins can't connect to non-dc servers And so forth This is all swell and should be considered a safe configuration to prevent the…

passwords memory domain domain-admin group-policy

asked Dec 09 '16 at 21:57

Franko

1,530
5
18
30

votes

2 answers

Python security hardening

I’m working for a large organization which is using some Windows products that require python to work. Python is used to execute built in utility scripts and the user never recognizes that python is involved, Since the security requirements of the…

hardening python group-policy

asked Jan 08 '15 at 09:17

andpou

votes

3 answers

Group Policy - Best Practice for Default Security Settings

I am currently working on hardening our Windows OS systems. I'm reviewing guidance from CIS and Microsoft Security Compliance Manager. What I have found is that many of the security settings are already set to the recommended setting by…

group-policy

asked Feb 02 '17 at 20:34

Dconsec

votes

1 answer

Should the "Users" group be removed from Windows Servers "Allow log on locally" Security GPO setting?

I know by default RDP does not allow any non-admin user to RDP into a machine unless we specify it. But a non-admin user can logon to the machine at the console. I was looking at the "Allow log on locally" GPO security setting under the User Rights…

windows-server group-policy

asked Sep 10 '15 at 18:05

cflyer

votes

1 answer

Why did Microsoft publish the CPassword AES key ca. 2012?

As outlined in Security Bulletin MS14-025, Microsoft acknowledges the way credentials had been stored in the group policy field "CPassword" is insecure and is not to be trusted any more. However according to their own Developer Documentation, they…

password-cracking data-leakage active-directory microsoft group-policy

asked Jun 23 '22 at 10:19

Al Longley

votes

1 answer

Risk around "Allow log on locally" for Domain Service Accounts

My organisation mandated that Windows Domain Service accounts internally should not have the "Allow log on locally" permission, and essentially be non-interactive. What exactly is the potential risk for enabling this policy for a service account?…

windows access-control group-policy

asked Jun 03 '20 at 11:48

user1876202

votes

1 answer

'Continue experiences on this device' group policy

In an enterprise or office setting, should I set 'Continue experiences on this device' under the group policy to be disabled? Why should I set it to be disabled, or why shouldn't I set it to be disabled, and what are the consequences if I didn't set…

windows group-policy

asked Jan 13 '19 at 00:41

NightMoon

votes

0 answers

What options exist for logging off users after x time of inactivity?

I'm looking at NIST SC-10, and I thought something simple would exist in Group Policy that would control this, but I haven't been able to find anything built in. Things I've thought about trying: Deploy some kind of script that disables the user…

network nist group-policy

asked Nov 19 '17 at 19:34

trueCamelType

votes

1 answer

How do I audit the effect of security policy on a computer?

I have developed different templates for local security policy. I have been using the program Nexpose to test the effects of those security policies but so far I am not able to detect the visible changes of policies on a vulnerability assessment…

windows compliance validation group-policy

asked May 28 '15 at 13:12

Summayya Shahzad

votes

2 answers

ByPass usb GPO with iphone -and probably other mobile-

So I am running pentest on a device running Win7 and admin user set group policy to disable all mass storage devices and all usb's. I have access to local user without privs. Although my usb stick wont work and group policy rules wont let me my USB…

windows mobile usb-drive privilege-escalation group-policy

asked Aug 21 '14 at 08:55

cengizUzun

votes

2 answers

Safe user/group for rsyslog to read application log?

I have an application which writes a logfile in /var/app/applog.log. This application has to be launched as root, but runs as app:app and can also be demoted to nobody:nobody What exactly is nobody:nobody and what priviledges does it have? Is it…

logging permissions group-policy

asked Jul 12 '13 at 16:54

user2284355

votes

1 answer

Multi-business data sharing and trust issues

Is there a way to establish data sharing between multiple (a couple dozen) businesses where it is the case that some companies don't trust others? This means that these companies are willing to share some their sensitive data with only select few,…

group-policy

asked Jan 10 '20 at 20:51

namu

votes

1 answer

Block AzureRM PowerShell Module

Is there a way to block AzureRM PowerShell module commands from being executed by certain Azure AD users somewhere in Azure group policy? Or is there a way to do this with PowerShell tools?

powershell azure restrictions group-policy

asked Sep 10 '18 at 16:29

C.J. May

votes

2 answers

Missing Powershell Logging Options in Group Policy Editor

I have configured a Windows 7 domain workstation and a Windows server 2012r2 server as the domain controller. After fully updating both machines, I followed the instructions here: https://msdn.microsoft.com/en-us/powershell/wmf/5.0/requirements to…

windows logging windows-server powershell group-policy

asked Nov 25 '16 at 14:01

Beetle

2 Next