Questions tagged [group-policy]

Group Policy is a built-in feature of the Microsoft Windows operating systems. Group Policy allows administrators to automatically configure myriad options within the OS. These policies can be configured, and applied, either locally to the computer via Local Group Policy or remotely within an Active Directory environment.

Group Policy is a built-in feature of the Microsoft Windows operating systems. Group Policy allows administrators to automatically configure myriad options within the OS. These policies can be configured, and applied, either locally to the computer via Local Group Policy or remotely within an Active Directory environment.

Microsoft has added Group Policy Preferences Client Side Extensions, formerly a third-party tool called PolicyMaker, to its in-support Windows OSes. The CSEs greatly extend the number features which can be configured via Group Policy.

See the following links for more details.

http://gpsearch.azurewebsites.net - Searchable list of configurable group policies http://blogs.technet.com/grouppolicy - Microsoft’s official Group Policy blog http://blogs.technet.com/askds - Ask Directory Services is the official blog from Microsoft engineers supporting group policy and other related AD technologies

25 questions
15
votes
3 answers

Windows groups and permissions: Authenticated Users group meaning

What is the purpose of the "Authenticated Users" group in Windows? Under Linux it doesn't exist and I'm starting to think this is another idiosyncrasy or over-engineering of the Windows operating system. Here is why: Assume I want to know what…
dendini
  • 680
  • 2
  • 8
  • 12
9
votes
1 answer

Will enforcing this restriction on Domain Admins "break the network"?

Let's say we secure all servers in the domain.. Domain controllers allow RDP access only from jump servers Domain admins can't connect to non-dc servers And so forth This is all swell and should be considered a safe configuration to prevent the…
Franko
  • 1,530
  • 5
  • 18
  • 30
6
votes
2 answers

Python security hardening

I’m working for a large organization which is using some Windows products that require python to work. Python is used to execute built in utility scripts and the user never recognizes that python is involved, Since the security requirements of the…
andpou
  • 61
  • 2
6
votes
3 answers

Group Policy - Best Practice for Default Security Settings

I am currently working on hardening our Windows OS systems. I'm reviewing guidance from CIS and Microsoft Security Compliance Manager. What I have found is that many of the security settings are already set to the recommended setting by…
Dconsec
  • 171
  • 7
6
votes
1 answer

Should the "Users" group be removed from Windows Servers "Allow log on locally" Security GPO setting?

I know by default RDP does not allow any non-admin user to RDP into a machine unless we specify it. But a non-admin user can logon to the machine at the console. I was looking at the "Allow log on locally" GPO security setting under the User Rights…
cflyer
  • 503
  • 5
  • 8
4
votes
1 answer

Why did Microsoft publish the CPassword AES key ca. 2012?

As outlined in Security Bulletin MS14-025, Microsoft acknowledges the way credentials had been stored in the group policy field "CPassword" is insecure and is not to be trusted any more. However according to their own Developer Documentation, they…
3
votes
1 answer

Risk around "Allow log on locally" for Domain Service Accounts

My organisation mandated that Windows Domain Service accounts internally should not have the "Allow log on locally" permission, and essentially be non-interactive. What exactly is the potential risk for enabling this policy for a service account?…
user1876202
  • 159
  • 5
3
votes
1 answer

'Continue experiences on this device' group policy

In an enterprise or office setting, should I set 'Continue experiences on this device' under the group policy to be disabled? Why should I set it to be disabled, or why shouldn't I set it to be disabled, and what are the consequences if I didn't set…
NightMoon
  • 67
  • 5
3
votes
0 answers

What options exist for logging off users after x time of inactivity?

I'm looking at NIST SC-10, and I thought something simple would exist in Group Policy that would control this, but I haven't been able to find anything built in. Things I've thought about trying: Deploy some kind of script that disables the user…
2
votes
1 answer

How do I audit the effect of security policy on a computer?

I have developed different templates for local security policy. I have been using the program Nexpose to test the effects of those security policies but so far I am not able to detect the visible changes of policies on a vulnerability assessment…
2
votes
2 answers

ByPass usb GPO with iphone -and probably other mobile-

So I am running pentest on a device running Win7 and admin user set group policy to disable all mass storage devices and all usb's. I have access to local user without privs. Although my usb stick wont work and group policy rules wont let me my USB…
2
votes
2 answers

Safe user/group for rsyslog to read application log?

I have an application which writes a logfile in /var/app/applog.log. This application has to be launched as root, but runs as app:app and can also be demoted to nobody:nobody What exactly is nobody:nobody and what priviledges does it have? Is it…
user2284355
  • 181
  • 1
  • 5
2
votes
1 answer

Multi-business data sharing and trust issues

Is there a way to establish data sharing between multiple (a couple dozen) businesses where it is the case that some companies don't trust others? This means that these companies are willing to share some their sensitive data with only select few,…
namu
  • 121
  • 3
2
votes
1 answer

Block AzureRM PowerShell Module

Is there a way to block AzureRM PowerShell module commands from being executed by certain Azure AD users somewhere in Azure group policy? Or is there a way to do this with PowerShell tools?
C.J. May
  • 23
  • 4
2
votes
2 answers

Missing Powershell Logging Options in Group Policy Editor

I have configured a Windows 7 domain workstation and a Windows server 2012r2 server as the domain controller. After fully updating both machines, I followed the instructions here: https://msdn.microsoft.com/en-us/powershell/wmf/5.0/requirements to…
Beetle
  • 303
  • 2
  • 9
1
2