In this video, we’ll continue our discussion about GPO. We’ll cover:
- Default GPO Permissions
- Delegating GPO
- Security Settings
- Security Templates
Our first topic is Default GPO Permissions. These are the permissions that every GPO has from the moment it is created. But first let me show you the users and groups that have full access to a GPO. First are the Domain Admins, who have full control over the domain. Then there are the Enterprise Admins, which are nested under the Administrators security group, giving them permissions over the domain. And then there is Creator Owner, a special security group for GPO creators. If a user is delegated the permission to create GPOs in an organizational unit, they will have full access over those GPOs, but only in that particular organizational unit, and this is only because they are part of the Creator Owner security group. So if you want a user to have permissions over GPOs but don’t want them to be domain admins, you might as well add them to this security group. Then we move to the last one, which is the Local System account, which requires full access to GPOs in order for them to be available in the domain. We should also know that for GPOs to work, Read and Apply Group Policy need to be granted to Authenticated Users, which practically consists of everyone in the domain, although you can still make exceptions for some users.
Then we move to granting additional permissions. You can give certain users additional permissions by adding them to groups that already hold the permissions you want them to have, but for security reasons you should avoid adding them to groups with high-level access, such as the Administrators security group.
You can also use the GPMC (Group Policy Management Console) to grant additional permissions:
- Click on the organizational unit that you want to give the user additional access to
- Click on “Delegation”
- Choose the permissions that you want to give to the user
- Then add the user you want.
But if you want to add very specific permissions:
- Click on “Advanced”
- Add the user
- Choose the permissions you want to give to the user
- And then click OK
So if you just want a user to edit policies, and not apply, link or unlink them anywhere in the domain, you can just give them the Read and Write permissions from the GPMC. And if you want them to link GPOs, you can use the Delegation tab in GPMC as we did earlier, or you could use the Delegation of Control Wizard.
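The same delegation done from PowerShell, as an added example that is not from the video: it lists the default permissions on a GPO, grants one user edit-only rights (the Read and Write case above), and checks that Authenticated Users still has Read and Apply. It assumes the RSAT GroupPolicy module is installed; the GPO name and account are placeholders.

```powershell
# Added example (not from the video): report a GPO's permissions, delegate edit-only
# rights to one user with the GroupPolicy module, then verify Authenticated Users
# still holds Read + Apply Group Policy. GPO name and account are placeholders.
Import-Module GroupPolicy

$GpoName = 'Workstation Hardening'      # placeholder GPO name
$Editor  = 'CONTOSO\gpo.editor'         # placeholder user account

# 1. Show who currently has what on the GPO. On a fresh GPO you see Domain Admins,
#    Enterprise Admins, Creator Owner, SYSTEM and Authenticated Users.
Get-GPPermission -Name $GpoName -All |
    Select-Object Trustee, Permission, Inherited |
    Format-Table -AutoSize

# 2. GpoEdit = "Edit settings" (Read + Write): the user can open and edit the policy
#    but cannot change its security or link it to an OU. Linking is an OU permission
#    you delegate separately (GPMC Delegation tab or Delegation of Control Wizard).
Set-GPPermission -Name $GpoName -TargetName $Editor -TargetType User `
                 -PermissionLevel GpoEdit | Out-Null

# 3. Sanity check: the GPO stops applying if Authenticated Users loses Read/Apply.
$auth = Get-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group
if ($auth.Permission -ne 'GpoApply') {
    Write-Warning "Authenticated Users no longer has Apply Group Policy on '$GpoName'"
}
```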
Now let’s move to Group Policy Security Settings. The following are the 4 major categories of Group Policy security settings that you need to know about. You don’t need to memorize all the policies under each of these categories, but they really come in handy, so you might as well familiarize yourself with them. There’s User Rights, Security Options, User Account Control, and lastly Audit Policies.
First let’s talk about the Default Domain Controllers Policy. Generally we don’t want to edit or change anything in the Default Domain Controllers Policy or the Default Domain Policy, to avoid confusion. Also, if you want to give a certain policy a higher priority, you can just click on the arrow right here to move it up or down in the list so that it will take precedence. Now let me show you some useful security settings inside the Default Domain Policy.
- First, right click on Default Domain Policy
- Then click on Edit
- Then under Computer Configuration, open Policies
- Windows Settings
- Then Security Settings
- Then we go to Account Policies
- And here you’ll find the Password Policy
Here you’ll see the default settings for password policies. Basically, the policies here are about:
- Password complexity
- How long passwords should be
- How long until a password expires
- Preventing users from reusing the same passwords
- How long until you can change your password again, and so on.
If you want to see more details about these policies, you can click on the policy and then click on Explain. And here are the Account Lockout Policies, which basically contain everything regarding login attempts. By default, no lockout policy is enabled, which means that hackers could perform a brute force attack against the server to gain access to the computer. And you don’t want that to happen. But if you enable these settings, that gives you a lot more protection against these attacks.
Then here under Local Policies, there’s the User Rights Assignment. Now, I would recommend that you familiarize yourself with these settings because they might come in handy, and they pretty much explain themselves. Here you can assign users the right to add workstations to the domain, or to force shutdown from a remote system, and so on. There’s also Security Options, which contains things like renaming the Administrator account or allowing users to format and eject removable media, and so on.
Then we move to Audit Policies. What these do is create event logs whenever objects of certain types are accessed. For example, account logon events: if I enable this, whenever a user logs on it will be shown in the event log. Things like that. And these event logs, by the way, can be viewed in Server Manager, under Tools, then Event Viewer.
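An added example, not from the video, that ties the Account Lockout Policy section above to the Audit Policies section: it enables a lockout policy on the domain with the ActiveDirectory module and then reads the failed-logon events that auditing writes to the Security log, the same records Event Viewer shows. The domain name and the thresholds are placeholders.

```powershell
# Added example (not from the video): enable an account lockout policy for the domain,
# then summarise the failed logons the audit policy records in the Security log.
# Assumes the RSAT ActiveDirectory module; domain and thresholds are placeholders.
Import-Module ActiveDirectory
$Domain = 'contoso.com'   # placeholder domain

# Current state: LockoutThreshold 0 means "no lockout", the default described in the video.
Get-ADDefaultDomainPasswordPolicy -Identity $Domain |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge, PasswordHistoryCount,
                  LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Enable lockout: 5 bad attempts within 30 minutes locks the account for 30 minutes.
# This is the Account Lockout Policy of the Default Domain Policy.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# With "Audit account logon events" / "Audit logon events" enabled, failed logons are
# event 4625 and lockouts event 4740 in the Security log. Count failures per account
# over the last 24 hours (run on the domain controller).
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        # In a 4625 record the target account name is the 6th EventData field
        [pscustomobject]@{ Account = $_.Properties[5].Value; Time = $_.TimeCreated }
    } |
    Group-Object Account | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```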
Now let’s move to Security Templates. These are pre-configured security settings which can be saved in .inf files; you then use these .inf files to apply the settings to a single machine or to multiple machines, either locally or through a GPO. This will be very useful if you want to set up security settings for a computer that is not part of the domain. So here I created a new MMC by clicking on Start, then Run, then typing in MMC. Then I added the Security Configuration and Analysis and Security Templates snap-ins by using the Add/Remove Snap-in feature.
Security Configuration and Analysis compares your local system with the security settings that are inside a specific .inf file. You can get these .inf files by saving the security settings of your own computer or by downloading templates from various sources on the internet. And the MMC interface will show you how to use it. Then if you want to sync your local settings with the template, you right-click on Security Configuration and Analysis and choose Configure Computer Now. Then it will apply all of those settings from the template.
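The same analyse-then-configure workflow from the command line, as an added example that is not from the video: it writes a small .inf template in the format the Security Templates snap-in saves, compares the local machine against it, and applies it with secedit.exe, which is what the Security Configuration and Analysis snap-in drives underneath. The working folder and the policy values are placeholders.

```powershell
# Added example (not from the video): build a minimal security template (.inf), analyse
# the local machine against it, and apply it with secedit.exe, the command-line
# counterpart of the Security Configuration and Analysis snap-in. Paths/values are placeholders.
$Work = 'C:\SecTemplates'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# A minimal template with only the [System Access] area (password + lockout policy);
# these are the same keys the snap-in writes when you save a template.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 24
MaximumPasswordAge = 90
MinimumPasswordAge = 1
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
'@ | Set-Content -Path "$Work\baseline.inf" -Encoding Unicode

# Step 1: analyse. The template is imported into the .sdb analysis database (the same
# database the snap-in uses) and every difference is written to the log as "Mismatch".
secedit.exe /analyze /db "$Work\baseline.sdb" /cfg "$Work\baseline.inf" /log "$Work\analyze.log" /quiet
Select-String -Path "$Work\analyze.log" -Pattern 'Mismatch'

# Step 2: apply, which is "Configure Computer Now" in the snap-in. Run from an elevated prompt;
# /areas SECURITYPOLICY limits the change to the account and local policy area.
secedit.exe /configure /db "$Work\baseline.sdb" /cfg "$Work\baseline.inf" /areas SECURITYPOLICY /log "$Work\configure.log" /quiet

# Optional: export this machine's current settings as a template to reuse on other machines.
secedit.exe /export /cfg "$Work\current.inf" /areas SECURITYPOLICY
```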
And that’s the end of this video, thank you for watching and I hope you learned much in this video.