Group Policy – CompTIA Security+ SY0-401: 5.3

Microsoft Windows provides some powerful management tools to help secure everyone who is connected to a Windows Domain. In this video, you’ll learn about Group Policy and how security managers can use Group Policy to help tighten down their security posture.


If you’re administering a lot of different systems, then you’ve probably run into the scenario where you’ve needed to manage or change one particular feature or setting on many different devices. And instead of going from one device to another to another individually, in the Windows world we do this with something called group policy.

This group policy management allows you to select different capabilities of the system and be able to manage or set those across entire groups or even your entire network and every computer within it. There are literally thousands of configuration settings within Windows, and group policy allows you to easily administer that from one separate application. This is something that’s a little bit different than setting permissions to an NTFS folder or a share that’s on the network. Those are very specific to gaining access to data.

The Group Policy settings allow you to change how the system is configured. Here are some good examples of user rights assignments within group policy. If you wanted to allow or not allow someone to change the system time, you can do that within group policy. You can allow or not allow someone to change the time zone. You can adjust memory quotas for a process, or allow or prevent someone from logging on locally.

As I mentioned, there are thousands of these that you can choose from, and that gives the administrator of these systems a lot of control. This is a capability that is generally linked to Active Directory. When you have devices that are authenticated to one central directory system in Windows, you can then manage all of those devices. And you can even break out these group policies by different areas of the company or even different groups. If you wanted to set a certain set of group policies for the marketing department and have a different set for shipping and receiving, you can do all of that from the Group Policy Management editor.

There are generally two different areas in group policy that we would look at. One is the administrative policies and the other one is the security policies. In the administrative policies, we would do things like add or remove programs, allow people to change sounds or prohibit them from changing any of the sounds, and allow or disallow font downloads. These are settings that you can really tweak and modify to get exactly the user experience that you would like, and to make sure that the desktop environments that they’re using are able to work without any type of problems.

The security policies are obviously much more focused on the security side of the operating system. We can specify what a minimum password length might be. We could require that someone authenticate to a system and must use a smart card during that authentication process. Or you can do things like enforce certain logon restrictions on the user. As you can see, you can spend a lot of time working on these group policies. But you’re also able to create a desktop that’s going to provide accessibility for your users, and at the same time keep everything secure.
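
To check that settings like these actually landed on a machine, the following added example (not part of the original video or any Microsoft tooling) parses a security policy export and compares the minimum password length and the four user rights named earlier against a baseline. The sample export, the baseline values and the function names `ConvertFrom-SecurityInf` and `Test-SecurityInf` are assumptions made for illustration.

```powershell
# Constructed sample in the format written by:
#   secedit /export /cfg policy.inf /areas SECURITYPOLICY USER_RIGHTS
# S-1-5-32-544 = Administrators, S-1-5-32-545 = Users,
# S-1-5-19 = LOCAL SERVICE, S-1-5-20 = NETWORK SERVICE
$sampleInf = @'
[System Access]
MinimumPasswordLength = 6
[Privilege Rights]
SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-32-545
SeTimeZonePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-32-545
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
'@
# Hypothetical baseline (assumed values, not taken from the page).
$minLength = 14
$allowed = @{
    SeSystemtimePrivilege    = 'S-1-5-19','S-1-5-32-544'                 # change the system time
    SeTimeZonePrivilege      = 'S-1-5-19','S-1-5-32-544','S-1-5-32-545'  # change the time zone
    SeIncreaseQuotaPrivilege = 'S-1-5-19','S-1-5-20','S-1-5-32-544'      # adjust memory quotas
    SeInteractiveLogonRight  = 'S-1-5-32-544'                            # log on locally
}
function ConvertFrom-SecurityInf {
    param([string[]]$Lines)
    $result = @{}; $section = ''
    foreach ($line in $Lines) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $result[$section] = @{}; continue }
        if ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $result[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $result
}
function Test-SecurityInf {
    param([hashtable]$Policy, [int]$MinLength, [hashtable]$Allowed)
    $findings = @()
    $access = $Policy['System Access']; $rights = $Policy['Privilege Rights']
    $actual = if ($access) { [int]$access['MinimumPasswordLength'] } else { 0 }
    if ($actual -lt $MinLength) { $findings += "MinimumPasswordLength is $actual, baseline requires $MinLength" }
    foreach ($right in $Allowed.Keys) {
        $value = if ($rights) { $rights[$right] }
        if (-not $value) { continue }   # right is assigned to no one
        # Principals are written as *SID; a bare account name is flagged as unexpected.
        foreach ($sid in ($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })) {
            if ($Allowed[$right] -notcontains $sid) { $findings += "$right granted to unexpected principal $sid" }
        }
    }
    return $findings
}
$policy = ConvertFrom-SecurityInf -Lines ($sampleInf -split "`r?`n")
Test-SecurityInf -Policy $policy -MinLength $minLength -Allowed $allowed
```

To run it against a real machine, replace the sample with `Get-Content policy.inf` on a file produced by the `secedit` command in the first comment.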