Group Policy Design Best Practices
Group Policy is a series of settings in the Windows registry that control security, auditing and other
operational behaviors. For example, Group Policy enables you to prevent users from accessing certain files
or settings in the system, run specific scripts when the system starts up or shuts down, or force a particular
home page to open for every user in the network. Here are Active Directory Group Policy best practices that
will help you to secure your systems and optimize Group Policy performance.
Use the Default Domain Policy for account, account lockout, password and Kerberos policy settings only; put
other settings in other GPOs. The Default Domain Policy applies at the domain level so it affects all users and
computers in the domain.
Use the Default Domain Controller Policy for the User Rights Assignment Policy and Audit Policy only; put
other settings in separate GPOs.
However, even for the policies listed above, it is better to use separate GPOs.
Having a good OU structure makes it easier to apply and troubleshoot Group Policy. Don’t mix different
types of AD objects in the same OUs; instead, separate users and computers into their own OUs and then
create sub OUs for each department or business function. Putting users and computers in separate OUs
makes it easier to apply computer policies to all computers and user policies to only the users. It is easier to
create a GPO and link it to many OUs than to link it to one OU and deal with computers or users that the
policy should not affect. However, don’t plan your OU architecture based solely on how you will link
Group Policies to it.
2. Give GPOs descriptive names
Being able to quickly identify what a GPO does just by looking at its name will make Group Policy
administration much easier. Giving a GPO a generic name like “pc settings” will confuse sysadmins. For
example, you might use the following naming patterns:
U_SoftwareRestrictionPolicy
U_SoftwareInstallation
C_DesktopSettings
CU_AuditSettings
Create each GPO according to its purpose rather than where you're linking it to. For example, if you want to
have a GPO that has server hardening settings in it, put only server hardening settings in it and label it as
such.
3. Apply GPOs at the OU root level
Applying GPOs at the OU level will allow sub OUs to inherit these policies; you don’t need to link the policy
to each sub OU. If you have users or computers that you don’t want to inherit a setting, then you can put
them in their own OU and apply a policy directly to that OU.
Those folders (the default Users and Computers containers) are not OUs, so they cannot have GPOs linked
to them. The only way to apply policies to objects in those folders is to link the GPOs at the domain level,
but as stated above, you should avoid doing that. So as soon as a new user or computer object appears in
these folders, move it to the appropriate OU immediately.
The most important GPO changes should be discussed with management and fully documented. In
addition, you should set up email alerts for changes to critical GPOs because you need to know about
these changes ASAP in order to avoid system downtime. You can do this using PowerShell scripts or, more
conveniently, with IT auditing software like Netwrix Auditor for Active Directory.
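The following PowerShell report is an added example, not part of the Netwrix document. It checks the points made above from the Group Policy side: non-default GPOs linked at the domain root, names that do not follow the U_/C_/CU_ convention, GPOs that are linked nowhere, and GPOs modified in the last 24 hours (the raw material for a home-grown change alert). It assumes the GroupPolicy and ActiveDirectory RSAT modules and a domain-joined session with read access to GPOs; the naming pattern is an assumption you adjust to your own convention.

```powershell
# Added example (not from the Netwrix document): a Group Policy hygiene report.
# Requires the GroupPolicy and ActiveDirectory RSAT modules; run from a domain-joined session.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain      = Get-ADDomain
$namePattern = '^(U|C|CU)_'                 # assumed naming convention, see the patterns above
$defaults    = @('Default Domain Policy', 'Default Domain Controllers Policy')
$allGpos     = Get-GPO -All

# 1. GPOs linked at the domain root other than the two defaults (the document says to avoid this).
$rootLinks = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
    Where-Object { $defaults -notcontains $_.DisplayName }

# 2. GPOs whose names do not follow the convention.
$badNames = $allGpos |
    Where-Object { $_.DisplayName -notmatch $namePattern -and $defaults -notcontains $_.DisplayName }

# 3. GPOs that are not linked anywhere (still replicated and backed up, but doing nothing).
$unlinked = foreach ($gpo in $allGpos) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    if (-not $report.GPO.LinksTo) { $gpo }
}

# 4. GPOs modified in the last 24 hours; feed this list to Send-MailMessage or your ticketing
#    system from a scheduled task to get a simple change alert.
$recent = $allGpos | Where-Object { $_.ModificationTime -gt (Get-Date).AddHours(-24) }

'== Non-default GPOs linked at the domain root =='
$rootLinks | Select-Object DisplayName, Enabled, Enforced | Format-Table -AutoSize
'== GPOs not following the naming convention =='
$badNames | Select-Object DisplayName | Format-Table -AutoSize
'== Unlinked GPOs =='
$unlinked | Select-Object DisplayName, ModificationTime | Format-Table -AutoSize
'== GPOs modified in the last 24 hours =='
$recent | Select-Object DisplayName, ModificationTime, GpoStatus | Format-Table -AutoSize
```

The unlinked check parses the XML report of each GPO, so it is the slowest part; on a domain with hundreds of GPOs, run it less often than the 24-hour modification check.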
4. Avoid using blocking policy inheritance and policy enforcement
If you have a good OU structure, then you can most likely avoid using blocking policy inheritance and policy
enforcement. These settings can make GPO troubleshooting and management more difficult. Blocking
policy inheritance and policy enforcement are never necessary if the OU structure is designed properly.
Browser Settings
Security Settings
AppLocker Settings
Network Settings
Drive Mappings
Keep in mind that larger GPOs with more settings require less processing at logon (since
systems have to make fewer requests for GPO information); loading many small GPOs can take more time.
However, large GPOs can have GPO setting conflicts that you have to troubleshoot, and you’ll have to pay
more attention to GPO inheritance.
5
Login scripts downloading large files
Using excessive Windows Management Instrumentation (WMI) filters (see the next section for more information)
User personal folders applied via GPO
6. Use Advanced Group Policy Management (AGPM)
AGPM provides GPO editing with versioning and change tracking. It is part of the Microsoft Desktop
Optimization Pack (MDOP) for Software Assurance and can be downloaded from
https://www.microsoft.com/en-us/download/details.aspx?id=54967.
Configure daily or weekly backups of your policies using PowerShell scripting or a third-party solution so that in
case of configuration errors, you can always restore your settings.
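As an added example (not part of the Netwrix document), here is a PowerShell script for the scheduled backup just described. It backs up every GPO into a dated folder, writes an inventory of names, GUIDs and version numbers next to it, and prunes sets older than a retention period. The UNC path, retention period and GPO name in the restore comment are assumptions; run it from Task Scheduler under an account that can read all GPOs.

```powershell
# Added example (not from the Netwrix document): back up every GPO to a dated folder and prune old sets.
# Requires the GroupPolicy RSAT module. Schedule daily or weekly with Task Scheduler.
Import-Module GroupPolicy

$backupRoot = '\\fileserver\GPOBackups'   # hypothetical UNC path; limit share/NTFS ACLs to GPO admins
$keepDays   = 30                          # assumed retention
$target     = Join-Path $backupRoot (Get-Date -Format 'yyyy-MM-dd_HHmm')
New-Item -ItemType Directory -Path $target -Force | Out-Null

# Backup-GPO -All writes one folder per GPO plus a manifest.xml under $target.
$backups = Backup-GPO -All -Path $target -Comment "Scheduled backup $(Get-Date -Format s)"

# Record the name-to-GUID mapping and AD version numbers alongside the backup; this is what
# you compare against when deciding which set to Restore-GPO or Import-GPO from.
Get-GPO -All |
    Select-Object DisplayName, Id, ModificationTime,
        @{ n = 'UserVersion';     e = { $_.User.DSVersion } },
        @{ n = 'ComputerVersion'; e = { $_.Computer.DSVersion } } |
    Export-Csv -Path (Join-Path $target 'gpo-inventory.csv') -NoTypeInformation

Write-Output ("Backed up {0} GPOs to {1}" -f @($backups).Count, $target)

# Prune backup sets older than the retention period.
Get-ChildItem -Path $backupRoot -Directory |
    Where-Object { $_.CreationTime -lt (Get-Date).AddDays(-$keepDays) } |
    Remove-Item -Recurse -Force

# To roll back a single GPO from this set after a bad change (hypothetical GPO name):
#   Restore-GPO -Name 'C_DesktopSettings' -Path $target
```

Keep the backup share off the path of ordinary domain users: a GPO backup contains the full policy, including any scripts and security settings, and a restore from a tampered backup would reintroduce whatever was planted in it.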
7. Disabling automatic driver updates on your system
Driver updates can cause serious problems for Windows users: they can cause Windows errors,
performance drops or even the dreaded blue screen of death (BSOD). Regular users can’t switch updates off
since it’s an automated feature. Windows Group Policy settings can be changed to disable automatic driver
updates, using the “Turn off Windows Update device driver searching” policy. However, you must specify the
hardware IDs of the devices you want to stop updates on. You can find this information in Device Manager.
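An added example (not from the Netwrix document) of doing the two steps above from PowerShell instead of Device Manager and the Group Policy editor: listing the hardware IDs of present devices, then writing the policy value into a GPO. The GPO name is hypothetical, and the registry location given for the “Turn off Windows Update device driver searching” policy is my assumption about what that policy writes; confirm it against the policy's Explain tab in your ADMX version.

```powershell
# Added example (not from the Netwrix document): collect hardware IDs and set the driver-search
# policy in a GPO. Requires the PnpDevice (Windows 8 / Server 2012+) and GroupPolicy modules.
Import-Module GroupPolicy

$gpoName   = 'C_DriverUpdates'                                            # hypothetical GPO
$policyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DriverSearching'   # assumed backing key

# 1. Hardware IDs of present devices (same values as Device Manager > Details > Hardware Ids).
#    Narrow with -Class (Display, Net, ...) to the devices whose drivers you want to pin.
Get-PnpDevice -PresentOnly -Class Display |
    ForEach-Object {
        $ids = (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_HardwareIds').Data
        [pscustomobject]@{ Device = $_.FriendlyName; HardwareIds = ($ids -join '; ') }
    } | Format-Table -AutoSize

# 2. Write the policy value into the GPO (1 = do not search Windows Update for drivers).
Set-GPRegistryValue -Name $gpoName -Key $policyKey `
    -ValueName 'DontSearchWindowsUpdate' -Type DWord -Value 1

# 3. Verify what the GPO now contains before linking it to the computer OU.
Get-GPRegistryValue -Name $gpoName -Key $policyKey
```

Link the GPO to a test OU first and confirm with gpresult /r on a member computer that the setting arrives, because a policy that blocks driver updates also blocks the security fixes some vendors ship only as driver updates.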
8. Disable NTLM in your network infrastructure
NTLM is used for computers that are members of a workgroup and for local authentication. In an Active
Directory environment, Kerberos authentication has to be used instead of NTLM, because it is a stronger
authentication protocol that uses mutual authentication rather than the NTLM challenge/response method.
NTLM has a lot of known vulnerabilities and uses weaker cryptography, so it is very vulnerable to brute-force
attacks. You should disable NTLM authentication in your network using Group Policy to allow only Kerberos
authentication, but first ensure that both Microsoft and third-party applications in your network do not
require NTLM authentication.
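The “first ensure that applications do not require NTLM” step is the one that decides whether the change breaks anything, so here is an added example (not from the Netwrix document) of an audit-first approach in PowerShell: turn on the NTLM audit policies in a GPO, let them run, then summarise the NTLM operational events from servers and domain controllers to see which accounts and workstations still use NTLM. The GPO name is hypothetical; the registry values are the ones I understand to back the “Network security: Restrict NTLM” policies, noted here as an assumption, and the event field names (UserName, WorkstationName) vary by event ID, which is why the function flattens every EventData field rather than hard-coding them.

```powershell
# Added example (not from the Netwrix document): audit NTLM use before restricting it.
# Requires the GroupPolicy RSAT module for phase 1 and event-log read access for phase 2.
Import-Module GroupPolicy

$gpo    = 'C_NTLMAudit'                                       # hypothetical GPO
$lsaKey = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'  # assumed backing key

# Phase 1: audit only. Nothing is blocked; events land in Microsoft-Windows-NTLM/Operational.
# "Restrict NTLM: Audit incoming NTLM traffic"            -> 2 = audit all accounts
Set-GPRegistryValue -Name $gpo -Key $lsaKey -ValueName 'AuditReceivingNTLMTraffic' -Type DWord -Value 2
# "Restrict NTLM: Outgoing NTLM traffic to remote servers" -> 1 = audit all
Set-GPRegistryValue -Name $gpo -Key $lsaKey -ValueName 'RestrictSendingNTLMTraffic' -Type DWord -Value 1

# Phase 2: after the audit period, summarise who still authenticates with NTLM.
function Get-NtlmAuditSummary {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData section so every field becomes a column, whatever the event ID.
            $xml = [xml]$_.ToXml()
            $row = [ordered]@{ Time = $_.TimeCreated; Id = $_.Id; Host = $_.MachineName }
            foreach ($d in $xml.Event.EventData.Data) { $row[$d.Name] = $d.'#text' }
            [pscustomobject]$row
        }
}

# Top NTLM sources on this host over the last week: the list to work through with application
# owners before switching the policies above to "Deny all".
Get-NtlmAuditSummary -Days 7 |
    Group-Object Id, UserName, WorkstationName |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```

Run the summary on every domain controller (8004 events are logged there for incoming domain-account NTLM) as well as on application servers; an empty result on one server only means that server saw no NTLM, not that the domain is clean.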
About Netwrix
Netwrix Corporation is a software company focused exclusively on providing IT security and operations
teams with pervasive visibility into user behavior, system configurations and data sensitivity across hybrid IT
infrastructures to protect data regardless of its location. Over 10,000 organizations worldwide rely on
Netwrix to detect and proactively mitigate data security threats, pass compliance audits with less effort and
expense, and increase the productivity of their IT teams.
Founded in 2006, Netwrix has earned more than 140 industry awards and been named to both the Inc. 5000
and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S.
Corporate Headquarters:
300 Spectrum Center Drive, Suite 200, Irvine, CA 92618
Phone: 1-949-407-5125 Toll-free: 888-638-9749 EMEA: +44 (0) 203-588-3023 netwrix.com/social