| certifications | microsoft - Michael Hinckley
7 Most Useful AD Group Policy Settings
Imagine you and your entire staff need to work remotely as quickly as possible. Everyone needs to be out of the office, set up on their accounts, on their machines, and on a video conferencing app. On top of all that, this process should be seamless and secure. Everything needs to just work! Can you do that in the next day or so?
We imagine this scenario is way too familiar to many IT pros — especially at the onset of the COVID-19 pandemic. With that in mind, let's discuss what Group Policies are, why to use them, and what needs to be set up now, if it hasn't already.
What are Group Policies?
Group Policies are the easiest method administrators can use to configure computer and user settings on their networks using Active Directory Domain Services (AD DS). As long as computers are joined to your domain and your users log in with domain credentials, you can set Group Policies that will reduce help desk tickets and costs, and control all configurations. All the while keeping your user base happy and secure.
Why You Should Use Group Policies
We will discuss some of the more important settings in detail below but for now know that if correctly configured you can prevent:
- Data breaches
- Unauthorized access to specific resources
- Running of scripts
- Perform simple tasks such as forcing a homepage to open for every user in the network
Helping users get up and get configured can be a pleasure and helps keep things moving along. When you must step in and continually help many users with the same issues, your time and effort is not being used optimally. Using Group Policies helps save time by deploying settings to all users. This prevents wasting time and keeps your environment safe.
Do You Have Group Policies in Your Office 365 License?
Microsoft Group Policies have always been available in on-premise Office solutions. In Office 365, Group Policy availability depends on the plan you have purchased.
Here are the versions that do come with it.
- Office 365 ProPlus
- Office 365 Enterprise E3
- Office 365 Enterprise E5
If your plan does not come with Group Policy (any of the Office 365 Business plans, Education, or Enterprise and Government E1 or K1), you can upgrade the license to any of the plans that do within your portal. You will have to uninstall and reinstall Office software on all machines one by one after switching to the new plan. In short, realize quickly if you need them so you are not faced with a massive upgrade project in the middle of everything else.
Here is a table from a TechNet article that covers what offering has Group Policy support included in Office 365 plans.
|Enterprise value||Office Professional Plus 2013||Office Professional Plus 2016||Office Professional Plus 2019||Office 365 ProPlus||Office 365 Business||Office 365 Business Essentials||Office 365 Business Premium|
|Group Policy support||Yes||Yes||Yes||Yes||No||No||No|
7 Must-Have Group Policy Settings
Think of Group Policies in Lord of the Ring terms "one set of policies to rule them all." And here are the 7 most important for any systems administrator.
1. The Control Panel
Who really controls the control panel? You as the admin of your company's computer? The user? It is important to set limits for Control Panel access in a business IT environment. This setting provides you, the admin, with the power to make sure users cannot have the ability to manage their computers. There are two ways to take control via Group Policies. You can either block total access to the Control Panel or allow limited access.
Why you need control panel: Just opening the Control Panel and looking at what can be done should be enough to scare any admin. This is where users can change account settings, add unauthorized accounts, add/change screen savers (a big time security risk), install programs (see more below), add hardware and devices and change backup settings.
2. Restrict Access to the Command Prompt
Command prompt access means the ability to run scripts. If you think a user can do a fair amount of damage just by clicking around, imagine what they can do if commands are run on the ENTIRE environment.
To be fair, some commands do help batch tasks. But is it worth the headache if a user reads a blog post and runs commands that would otherwise be deemed undesirable, circumventing security restrictions? We therefore recommend disabling it altogether.
Why you need to restrict command prompt access: A skilled user can literally wipe out everything with one script. With this level of access open, you are potentially putting big capabilities into the hands of users who are not trained — or authorized to do so.
3. Turn Off Forced Restarts
How many times have you been in the middle of something (and have ignored the notices) and boom you go from productiveness to Windows Update? Extremely annoying does not even come close to describe the feeling. While users can postpone the process to an extent, it eventually gets out of hand and your inbox tickets go up.
Group Policy settings can permanently disable forced restarts and control them to run during set times so as to not interfere with user productivity. Users can then just log in and the update can run as they start up their machines or are offline waiting for a restart.
Why you need to turn off forced restarts: Windows 10 famously causes frustrations because of forced updates and users will be upset. You may have to intervene to retrieve lost work. Do yourself a favor and set a Group Policy that allows you to delay major upgrades and updates until you want to do them.
4. Do Not Allow Removable Media Drives
You may be asking who uses removable media drives (USB sticks) now that we are in the cloud. However, a surprising number of people still use them to copy large files.
Also, think of how many users could be syncing their personal phones while they are only meant to be charging. These are just two harmless situations, but think what could happen if the device containing malware is synced to the network. One plug in and the whole network will need more than a restart. There are also options for disabling DVDs, CDs, and yes even floppy drives. I heard a funny story once about a person getting fired when a Not Safe for Work DVD got stuck in a laptop.
Why you need to disallow media drives: Think of it as securing your doors under lock and key. You are also securing it on the way out as well. Intellectual property cannot just walk out on a USB stick if you disable removable drives entirely. This is an especially large concern when you are dealing with a remote office environment.
5. Disable Software Installations and Prevent Users From launching Microsoft Store Apps
Users will try to download anything that can help them with their work. You as an IT admin do not have the time to vet everything on the internet. The tradeoff of having a disappointed user blocked from downloading from the internet is certainly worth the potential efforts toward maintenance and cleanup after a harmless yet bad download is installed.
Why You Need This SettingApplications like Zoom became popular in wake of the COVID-19 pandemic. In some cases, user security and data were compromised as fast as the solution was installed and used. IT needs to approve and configure any new solution. End users need to be proactive, but so do you in protecting your environment. You could steer your users to vetted Office 365 solutions like Teams instead of untested 3rd party applications.
6. Turn Off OneDrive
It is a helpful application, but newly remote users syncing massive amounts of documents may create bandwidth issues. It also can create phantom files and folder issues.
Microsoft has made OneDrive part of the system so users are unable to disable it. Only via Group Policy can you remove OneDrive from anywhere in the system. This setting can also make the shortcut in the File Explorer sidebar disappear as well.
Why you need to remove OneDrive: This is perhaps not a common Top-10 setting that gets mentioned but, let us delve a bit into the sync issue mentioned above to point out why this may be needed. OneDrive can sync directly to folders in File Explorer. If a company suddenly sends everyone home to work, users are going to (rightly so) set themselves up with what they need. If an intranet like SharePoint is not used frequently then users will use what they have on hand, OneDrive. So, what do they do?
Drag and drop all that they need so they can have their files ready when they work at home. Now imagine the time it is going to take to fully sync for each user if multiple users have the same folders and files are going in and out of sync. If Michael renamed a folder, for example, after Sarah hit sync it is possible that she will not be able to find the folder even if she knows the new name.
7. Switching Off Windows Defender
Windows Defender is Microsoft's built-in security suite. They do not let you uninstall it, but users can disable it when installing another security suite from a third-party provider.
You can disable this setting without having to install a replacement with a Group Policy setting. Security decisions need to be in your hands and not in the hands of your users. This setting helps you maintain predetermined and installed security features.
Why you need to switch Windows Defender: Letting users decide how and what to use to maintain security is a bad idea. Security is a large issue and rightly so. All the time and effort planning and implementing can be undermined by having this setting not turned on. Keeping this setting off can possibly mean NO security on at all.
Having Group Settings configured correctly gives you the chance to maximize productivity and security. Even if you do not have to quickly get your organization remote, these settings are needed, and you should spend time familiarizing yourself with them. As you can see from our examples above, not having Group Policy Settings can create myriad issues that you do not need/want to deal with. Especially now that you are setting up your organization to the new worlds of remote and cloud on the go.
These configurations can quickly let you effectively manage users, access, hardware, and solutions without having to overhaul everything or deal with user issues one at a time. This will allow you to better position your IT environment to the coming challenges your organization(s) will face.