Introducing ADAudit Plus' Attack Surface Analyzer—Detect 25+ AD attacks and identify risky Azure configurations. Learn more×
Phone Get Quote
US: +1 888 720 9500
US: +1 888 791 1189
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9892

Why are Group Policy settings essential?

Managing a huge IT infrastructure while also ensuring security, productivity, and a uniform user experience is a challenge for organizations. With Group Policy, network administrators have an integrated tool to specify managed configurations for your Active Directory (AD) users and computers. A few tweaks to your Group Policy settings can help you regulate a user's work environment, and seamlessly manage your operating systems and applications.

Top 8 useful Group Policy settings recommendations


Prohibit access to the control panel

Users can make extensive changes to their system settings using the control panel, and these changes can lead to security issues. For a safer business environment, limit control panel access to privileged users only. Access to the control panel can be limited by enabling the Prohibit access to Control Panel and PC settings policy.

User Configuration > Administrative Templates > Control Panel

Prevent access to the command prompt

The command prompt, in Windows, is used to run commands that perform advanced administrative functions. However, in the hands of malicious users, the command prompt can be used to compromise the integrity of the system. To prevent any harm to your network, restrict access to the command prompt using the Prevent access to the command prompt policy.

User Configuration > Administrative Templates > System

Deny all removable storage access

Removable devices are susceptible to viruses and malware, and enabling users to plug them into their computers can infect your entire network. Removable devices also allow bad actors to remove large amounts of data in a short time. You can prohibit the use of removable devices by enabling the All Removable Storage classes: Deny all access policy.

User Configuration > Administrative Templates > System > Removable Storage Access

Prohibit users from installing unwanted software

When users install unwanted software on their systems, cleanup and a complicated maintenance process for IT admins result. To disallow users from installing software, enable the Prohibit User Install policy.

Computer Configuration > Administrative Templates > Windows Components > Windows Installer

Reinforce guest account status settings

Built-in guest account enables users to login to a Windows system without requiring a password for authentication. This allows bad actors to login to your servers and domain controllers as a guest to access your resources. Even though guest accounts are disabled by default, hackers can easily override the default settings to wreak havoc in your network. Configuring the Accounts: Guest Account Status policy ensures the attempts of bad actors are blocked.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Do not store LAN Manager hash values on next password changes

Windows stores LAN Manager (LM) password hashes in the local Security Accounts Manager (SAM) database. These LM hashes are weak and can be easily decrypted to their clear-text format by attackers. To avoid this, prevent Windows from storing LM hashes by enabling the Network security: Do not store LAN Manager hash value on next password change policy.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Prevent auto-restarts with logged on users during scheduled update installations

Forced system restarts can be a pain during Windows updates. Restarts interrupt your work and can cause unsaved items to be lost. Enable the No auto-restart with logged on users for scheduled automatic updates installations policy to prevent Windows from restarting automatically.

Computer Configuration > Administrative Templates > Windows Component > Windows Update

Monitor changes to your GPO settings

Group Policy Object (GPO) settings should only be accessed by IT admins. Any unauthorized changes to these settings indicate a security breach. Tracking all changes to your GPO settings by defining the Audit Directory Service Access and Audit Directory Service Changes policies results in a more secure network.

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies/DS Access

Simplify your OU management
using ADAudit Plus

Using native tools to monitor and document changes made to your OUs while keeping track of the delegated permissions can be a time-consuming process. ADAudit Plus, a UBA-driven AD auditing solution from ManageEngine, provides customizable change audit reports that keep you informed of all changes made to your OUs, GPOs, and permissions.

Download a 30-day free trial.

ADAudit Plus Trusted By