Active Directory 2008: GPO Security Settings Facts…

The following table describes common GPO security setting categories:

Security Setting Category | Description

Account Policies | Use Account Policies to control the following:

  • Password settings
  • Account lockout settings
  • Kerberos settings

Note: Account policies are only in effect when configured in a GPO linked to a domain.

Local Policies/Audit Policy | Use Audit Policy settings to configure auditing for event classes (such as logon, account management, or privilege use).

Local Policies/User Rights Assignment | User rights determine what actions a user can perform on a computer or domain. User rights settings identify users or groups with the corresponding privilege. Examples of user rights include:

  • Access this computer from the network (the ability to access resources on the computer through a network connection)
  • Allow log on locally (the ability to log on to the computer console)
  • Allow log on through Terminal Services (the ability to log on using a Remote Desktop connection)
  • Back up files and directories (does not include restoring files and directories)
  • Shut down the system
  • Remove a computer from a docking station

Local Policies/Security Options | Unlike user rights, security options are either enabled or disabled for everyone. Examples of Security Options policies include:

  • Computer shut down when Security event log reaches capacity
  • Unsigned driver installation
  • Ctrl+Alt+Del required for log on

Event Log | Use Event Log settings to configure Application, Security, and System event logs. Using these policies you can define:

  • Who can access the logs.
  • The maximum file size.
  • Log retention (i.e., the minimum number of days to keep logs or when events are overwritten or deleted).

Restricted Groups | Use Restricted Groups to limit the membership of specific security groups. You can set two properties for groups:

  • Members designates who does and does not belong to the group.
  • Members Of designates other groups to which the group belongs.

System Services | Use System Services to configure the startup type and authorization for the system services.

Registry | Use Registry policies to configure specific registry keys and values and configure permissions on the registry settings. For example, you can configure permissions that allow specific users to read the registry value, set (change) the value, list subkeys, or modify key permissions.

File System | Use File System policies to configure file and folder permissions that apply to multiple computers. For example, you can limit access to specific files that appear on all client computers.

Wireless Network | Use Wireless Network policies to configure the following for your wireless network:

  • Protection from unauthorized access by users with compatible WLAN adapters.
  • Protection for wireless network data transfers (based on Group Policy settings).
  • Use Group Policy to configure certificate-based or password-based client authentication.

Public Key Policies | Use Public Key Policies to:

  • Enable automatic certificate enrollment.
  • Manage data recovery agents (DRAs).
  • Create certificate trust lists (CTLs).
  • Automatically establish trust relationships with CAs.

Software Restriction Policies | Use Software Restriction Policies to control which software can run on domain computers. You can use software restrictions to:

  • Identify allowed or blocked software.
  • Allow users to run only the files you specify on multi-user computers.
  • Determine who can add trusted publishers.
  • Apply restrictions to specific users or all users.
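
Added example (not part of the original page): a GPO stores most of these settings as a security template INF file (GptTmpl.inf), with account policies in [System Access] and [Kerberos Policy] and user rights in [Privilege Rights]. The Python below reviews such a template for account policy settings placed in a GPO that is not linked to the domain, and for the user rights listed above being held by very broad groups. The names review, SAMPLE and BROAD_SIDS, the choice of which groups count as broad, and the sample template itself are constructed for this example.

```python
import configparser

# Template constant names for the user rights listed in the table above.
USER_RIGHTS = {
    "SeNetworkLogonRight": "Access this computer from the network",
    "SeInteractiveLogonRight": "Allow log on locally",
    "SeRemoteInteractiveLogonRight": "Allow log on through Terminal Services",
    "SeBackupPrivilege": "Back up files and directories",
    "SeShutdownPrivilege": "Shut down the system",
    "SeUndockPrivilege": "Remove a computer from a docking station",
}
# Password and lockout keys stored in [System Access].
ACCOUNT_KEYS = {"MinimumPasswordAge", "MaximumPasswordAge", "MinimumPasswordLength",
                "PasswordComplexity", "PasswordHistorySize", "LockoutBadCount",
                "ResetLockoutCount", "LockoutDuration"}
# Well-known SIDs covering nearly every account (which ones to flag is an assumption).
BROAD_SIDS = {"*S-1-1-0": "Everyone", "*S-1-5-11": "Authenticated Users"}

# Constructed sample template text, not exported from a real GPO.
SAMPLE = """\
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
[Kerberos Policy]
MaxClockSkew = 5
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-1-0
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-11
"""

def review(text, linked_to_domain):
    """Review decoded template text; return account-policy and user-rights findings."""
    cp = configparser.ConfigParser(delimiters=("=",), allow_no_value=True,
                                   interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of setting names
    cp.read_string(text)
    section = lambda name: dict(cp[name]) if cp.has_section(name) else {}
    account = [k for k in section("System Access") if k in ACCOUNT_KEYS]
    account += list(section("Kerberos Policy"))
    broad = [(USER_RIGHTS.get(right, right), BROAD_SIDS[sid.strip()])
             for right, sids in section("Privilege Rights").items()
             for sid in (sids or "").split(",") if sid.strip() in BROAD_SIDS]
    return {"account_policy_outside_domain_link": [] if linked_to_domain else account,
            "broad_user_rights": broad}

if __name__ == "__main__":
    print(review(SAMPLE, linked_to_domain=False))
```

GptTmpl.inf is normally saved as UTF-16, so decode it before passing the text to review.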


