A well-thought-out Domain Group Policy can enhance the security of a domain; a bad one will be a nightmare for the domain users...
GPOs used in conjunction with a Windows Server that is a Domain Controller will enhance the security and operation of the client workstations.
By creating a Domain GPO you
can control services and features of all the computers that are members of the
Last week I wrote a small article about Autoplay. In a domain, the IT department would use the Domain GPO to block Autoplay from running instead of going to each workstation and turning it off.
You can also set features such as the operation of browsers and the proxy IP address for those workstations or users authorized to use the internet in their job.
You can set a GPO for either machine or user.
- By setting a machine GPO, such as one for the DHCP service, you can specify that all workstations have the DHCP service turned on but exempt all servers so that they have DHCP turned off.
- By setting a user GPO you can set the company antivirus to run at a specific time each day, along with when the AV will download updates.
- A GPO can be used to force users to change their passwords on a scheduled basis. It can also be used to ensure each password has complexity.
- A GPO can be used to control who has access to what computers by group. For example, only the Accounting Department can access the computers in that department, and only the Warehouse Department can access the computers in the Warehouse.
- Group Policies from a Domain take precedence over GPOs on a local machine. That is, a Domain Group Policy Option will override those on the workstation.
- If you set your Autoplay to enabled for all drives, but the Domain Administrator has decided that Autoplay is a dangerous feature and has turned it off, then your settings will be overridden by the domain GPO.
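The Autoplay case above, sketched as an added example (not part of the original article): a machine-side GPO that turns Autoplay off for every drive type and is linked at the domain root. It assumes a management host with the RSAT GroupPolicy and ActiveDirectory modules and rights to create and link GPOs; the GPO name is hypothetical.

```powershell
# Added example: disable Autoplay domain-wide through one GPO instead of
# touching each workstation. Assumes RSAT GroupPolicy + ActiveDirectory modules.
Import-Module GroupPolicy, ActiveDirectory

$gpoName  = 'Workstations - Disable Autoplay'   # hypothetical GPO name
$key      = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$domainDn = (Get-ADDomain).DistinguishedName

# Create the GPO only if it is missing, so the script is safe to re-run.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Turn off Autoplay on all drive types' | Out-Null
}

# Machine policy value: 0xFF (255) sets every drive-type bit, which
# disables Autoplay/AutoRun on all drives, removable media included.
Set-GPRegistryValue -Name $gpoName -Key $key `
    -ValueName 'NoDriveTypeAutoRun' -Type DWord -Value 255 | Out-Null

# Link at the domain root so every computer object below it inherits the setting.
$links = (Get-GPInheritance -Target $domainDn).GpoLinks.DisplayName
if ($links -notcontains $gpoName) {
    New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes | Out-Null
}

# Confirm what the GPO will deliver (the Value property should read 255).
Get-GPRegistryValue -Name $gpoName -Key $key -ValueName 'NoDriveTypeAutoRun' |
    Select-Object FullKeyPath, ValueName, Type, Value

# On a member workstation, after the next policy refresh (or 'gpupdate /force'),
# check that the domain value landed and which GPOs were applied:
#   Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
#       -Name NoDriveTypeAutoRun
#   gpresult /r /scope computer
```

Because the value lives under the machine's `Policies` key, it is rewritten at each policy refresh, which is why a user's own Autoplay preference does not survive on a domain-joined workstation.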
Now here is a quandary: The US Government has been attacked numerous times and had sensitive data stolen by the use of Pen/Flash drives. Why doesn't the US Government just use a global GPO to turn off the assignment of a drive letter to external drives with exceptions for certain workstations authorized to use external drives?
GPOs can be assigned to a group of either users or computers (machines), or can be applied to all domain objects from the domain controller down.
As you can see, by judicious use of GPOs (Domain Group Policy Options) you can control how workstations in a domain use software or hardware and what the end user can do on a workstation. (See page 66 in Build a Server Guide for more information on GPOs for Domains).
You can do it manually for each user/machine, or do it once and cover everything. Cool.