Active Directory Group Policies (GPO): Understanding Why It Is Important and How to Manage Them in GPOAdmin

Group Policy is an essential element of any Microsoft Active Directory (AD) environment. Its main goal is to give IT administrators the ability to centrally manage users and computers in a domain. Group Policy, in turn, is made up of a set of policies called Group Policy Objects (GPOs). Microsoft has thousands of different policies and settings implemented in which you can drown and then not emerge. All of them are described in detail in the reference table


In this article we will talk about the work on setting up group policies and a handy tool to simplify their management – Quest GPOAdmin. Details under the cut.

How Group Policy Works

When you create an AD domain, two GPOs are automatically created:

Default Domain Policy sets basic settings for all users and computers in the domain in three dimensions: password policy, account lockout policy, and Kerberos policy.

Default Domain Controllers Policy sets basic security and auditing settings for all domain controllers within a domain.

For the settings to take effect, the GPO must be applied (linked) to one or more Active Directory containers: site, domain, or organizational unit (OU). For example, you can use Group Policy to require all users in a specific domain to use more complex passwords, or to prohibit the use of removable media on all computers only in the financial department of that domain.

The GPO has no effect until it is associated with an Active Directory container, such as a site, domain, or organizational unit. Any GPO can be associated with multiple containers, and conversely, multiple GPOs can be associated with a specific container. In addition, containers inherit GPOs, for example, a GPO associated with an OU applies to all users and computers in its child OUs. Likewise, a GPO applied to an OU applies not only to all users and computers in that OU, but is also inherited to all users and computers in child OUs.

The settings of different GPOs may overlap or conflict. By default, GPOs processed in the following order (moreover, those created later have priority over those created earlier):

  • Local (individual computer)
  • Website
  • Domain
  • Organizational unit

This sequence can and should be intervened by doing any of the following:

Changing the sequence of a GPO… A GPO that is created later is processed last and has the highest priority, overwriting settings in previously created GPOs. This works in case of conflicts.

Blocking inheritance… By default, child objects inherit all GPOs from the parent, but you can block this inheritance.

Force Ignore GPO Link… By default, parent policy settings are overwritten by any conflicting child policies. You can override this behavior.

Disable GPO Links… By default, processing is enabled for all GPO links. You can prevent a GPO from being applied to a specific container by disabling the link to that container’s GPO.

Sometimes it is difficult to understand which policies are actually applied to a particular user or computer, to determine the so-called. Resultant Set of Policy (RSoP) Microsoft offers a command line utility GPResult, which is able to generate an RSoP report.

For Group Policy Management, Microsoft provides the Group Policy Management Console (GPMC). Using this free Group Policy Editor, IT administrators can create, copy, import, back up, restore, and report on GPOs. Microsoft also offers a range of GPMC interfaces that you can use to programmatically access many of the operations supported by the console.

By default, anyone in the Domain Admins group can create and manage GPOs. In addition, there is a global group called Group Policy Creator Owners; its members can create GPOs, but they can only modify the policies they create, unless they are specifically granted edit permissions to other GPOs.

In the same console, you can delegate permissions to secondary IT administrators for various actions: create, edit, and create links for specific GPOs. Delegation is a valuable tool; for example, you can give the team responsible for managing Microsoft Office the ability to edit the GPOs that are used to manage Office settings on a user’s desktop.

Group Policy Management and Delegation

Delegation is one thing that quickly gets out of hand. Rights are delegated this way and that and, in the end, the wrong people can get the wrong rights.

The value of Group Policy lies in its power. In one fell swoop, you can apply policies across your domain or organizational unit that dramatically improve security or improve business performance. Or vice versa.

But this power can also be abused, intentionally or accidentally. One incorrect change to a GPO can lead to a security breach. An attacker or malicious administrator can easily modify GPOs to, for example:

  • Allow unlimited attempts to guess the account password.
  • Enable removable media connectivity to simplify data theft.
  • Deploy malware to all machines in the domain.
  • Replace sites stored in bookmarks of users’ browsers with malicious URLs.
  • Run a malicious script on computer startup or shutdown.

Interestingly, hackers don’t even need a lot of skill to break into GPOs. All they need to do is retrieve the credentials of an account that has the necessary rights for the desired GPO. There is an open source tool called BloodHound (just like the famous band, only without Gang) that will provide them with a list of these accounts. Multiple targeted phishing attacks and a hacker is in control of a GPO. The Default Domain Policy and the Default Domain Controllers Policy are the most popular targets because they are created automatically for each domain and control important parameters.

Why Built-in GPO Tools Are Not Convenient enough

Unfortunately, the built-in tools do not always provide a convenient format for maintaining the security and control of Group Policy. Changes made to GPOs take effect by default as soon as the window is closed – there is no Apply button that would give administrators a chance to stop, think again, and identify errors before an organization is attacked.

Because security permissions are based on GPOs, any domain administrator can change any security setting on a GPO. And even parameters that should prevent this person from malicious actions. For example, an administrator can disable a GPO that is responsible for allowing logins on a specific server that hosts sensitive data. Well, then copy some or all of the valuable content to your computer and sell on the darknet

But the worst thing about this whole GPO security story is that settings changes are not tracked in their own security logs, there are no warnings, therefore, it is impossible to track such violations, even if you use a SIEM system.

How to secure GPOs (Group Policy Objects)

The best way to minimize the risk of misconfiguring GPOs is to create a layered security framework that complements your own tools. To securely protect Group Policy, you need solutions that will:

  • Understand who has access to which GPOs.
  • Implement a workflow with a reconcile and separation of duties option to manage changes to a GPO.
  • Track, monitor, and notify GPO changes.
  • Prevent most important GPO settings from being changed.
  • Quickly roll back unwanted GPO changes.

To perform the tasks listed above (and not only them), we suggest taking a closer look at the special proxy solution GPOAdmin. Below we will provide a few screenshots of the interface of this product and tell you about its capabilities.

GPO Consolidation

In the interface, you can select redundant or conflicting Group Policy settings and combine them into a single GPO or create a new one.

Rollback. You can easily roll back to previous versions of GPOs and remediate the negative impact.

Customizable workflow… In the GPOADmin interface, you can predefine automatic actions for various scenarios.

Protected Settings Policies. Define the list of parameters by which the allowed settings for policies are checked.

Facility management. The interface makes it easy to determine who is responsible for managing certain policies.

Confirmation by email. You can approve or reject requests to change a GPO directly from their mail.

Custom email templates. Email templates can be customized for specific roles.

Synchronizing GPO. The ability to synchronize settings between multiple GPOs is available.

Comparison of GPO. Ensure the integrity of your GPO settings and reduce the risk of policy violations.

With GPOAdmin, you can clean up the mess of dozens of administrators who might intentionally or accidentally make incorrect changes to GPOs. Now everyone will know about each change.

We are ready to show you or deploy the solution to your infrastructure so you can see the value of GPOAdmin for your organization. The solution, indeed, will help protect yourself from fatal errors and put things in order in the domain. Contact us in a way convenient for you

We also have:

Who did it? We automate information security audit

What useful things can be extracted from the logs of a Windows workstation

Access control and security reporting for the Microsoft environment in Quest Enterprise Reporter

Let’s compare tools for auditing changes in Active Directory: Quest Change Auditor and Netwrix Auditor

Sysmon can now write clipboard contents

We enable the collection of events about the launch of suspicious processes in Windows and identify threats using Quest InTrust

How InTrust Can Help Reduce RDP Login Failures

How to reduce the cost of ownership of a SIEM system and why you need Central Log Management (CLM)

We identify a ransomware attack, gain access to a domain controller and try to resist these attacks

Facebook group

Youtube channel

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *