When desktop admins don't use Group Policy effectively, it can be a major IT headache.
Group policies are the primary mechanism for enforcing configuration settings on Windows. Because they play such an important role in Windows management, it is critical that you, as an admin, use them effectively and that you construct and maintain policies in a way that is easy to manage.
When it comes to Windows 10 desktops, you should first determine what you hope to accomplish through the use of group policies. In most cases, group policies are configured with the goal of maintaining the operating system's health and security.
The most common use for Group Policy settings is to enforce password requirements, but there are many other potential uses. For instance, you can use group policy settings to block user access to some of the operating system's more sensitive areas, such as the Control Panel or the Command Prompt. You can also use group policies to prevent users from being able to use removable media, or to prevent users from running executable code from removable media. These are just a few potential uses; there are thousands of group policy settings that can establish granular control over the way that Windows 10 behaves.
There are a variety of best practices for using Group Policy settings with Windows 10 desktops.
1. Use local security policies
You should use local security policies in conjunction with Active Directory-level security policies that are applied at the site, organizational unit (OU) or domain level. These local policies will help to keep Windows 10 machines secure if the machine is unable to log on to a domain.
2. Deploy desktops with a Windows 10 deployment image
Another Group Policy best practice is to create a Windows 10 deployment image and then use that image to deploy all future Windows 10 desktops. This will help to ensure that desktops are configured in a consistent manner, including the local security policy.
Configuration changes will inevitably occur over time, however. As such, you may want to invest in a third-party tool that can periodically scan for configuration drift. The Microsoft Security and Compliance Toolkit includes a tool called the Microsoft Policy Analyzer. You can use this tool to compare a desktop's local security policy against a baseline group policy. However, this is a manual process and the tool is not designed to examine desktops in bulk. Third-party tools are better suited for anything beyond the occasional one-off policy evaluation.
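Where Policy Analyzer is a one-off, manual comparison, a short script can run the same kind of check across many desktops. The following is an added example, not code from the article or from Microsoft's toolkit: it exports the local security policy with secedit.exe (which ships with Windows), parses the INI-style output, and flags any setting that has drifted from a baseline. The baseline values are constructed for illustration; the script assumes it runs elevated.

```powershell
# Added example: report local security policy drift against a baseline.
# Baseline values below are constructed for this example; substitute your own.
$Baseline = @{
    'MinimumPasswordLength' = 12
    'PasswordComplexity'    = 1
    'LockoutBadCount'       = 5
    'MaximumPasswordAge'    = 90
}

function Get-LocalSecurityPolicy {
    # secedit /export writes a UTF-16 .inf file with "Name = Value" lines.
    $tmp = Join-Path $env:TEMP ("secpol_{0}.inf" -f [guid]::NewGuid())
    & secedit.exe /export /cfg $tmp /quiet | Out-Null
    $policy = @{}
    foreach ($line in Get-Content -Path $tmp -Encoding Unicode) {
        # Skip section headers ([...]) and comments (;), keep name/value pairs.
        if ($line -match '^\s*([^;\[][^=]*?)\s*=\s*(.*?)\s*$') {
            $policy[$Matches[1]] = $Matches[2]
        }
    }
    Remove-Item -Path $tmp -Force
    return $policy
}

function Compare-SecurityBaseline {
    param([hashtable]$Baseline, [hashtable]$Actual)
    foreach ($name in $Baseline.Keys) {
        $expected = [string]$Baseline[$name]
        $actual   = $Actual[$name]
        $shown    = if ($null -eq $actual) { '<not set>' } else { $actual }
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected
            Actual   = $shown
            Drift    = ($actual -ne $expected)   # missing or different value counts as drift
        }
    }
}

$result = Compare-SecurityBaseline -Baseline $Baseline -Actual (Get-LocalSecurityPolicy)
$result | Format-Table -AutoSize
if ($result.Drift -contains $true) {
    Write-Warning "Configuration drift detected on $env:COMPUTERNAME"
}
```

To evaluate desktops in bulk, wrap the script in a script block and run it with Invoke-Command -ComputerName against a list of machines, collecting the returned objects centrally.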
3. Create function-oriented group policies
Rather than creating a large monolithic group policy that controls all the operating system's settings, consider creating a series of smaller policies that focus on certain things. For example, you might create a group policy that controls browser settings and another group policy that controls AppLocker. Separating group policies by function slightly increases the amount of time that it takes users to log in, but it can greatly simplify the troubleshooting process.
4. Don't block policy inheritance or enforcement
You should never block policy inheritance or policy enforcement; doing so tends to make troubleshooting problems far more difficult.
5. Don't deploy contradictory settings
It's a common mistake to create contradictory settings at various levels of the Group Policy hierarchy. An administrator might, for instance, create a domain-level policy that requires 8-character passwords, but then create an OU-level policy that requires 12-character passwords. When contradictions occur, Windows uses the group policy's level within the hierarchy to resolve the conflict. The Group Policy Management Console includes an interface that you can use to figure out where a particular policy setting was applied, but your life will be a lot easier if you can simply avoid creating contradictory settings.
6. Have a formalized change management plan
Finally, it's important to have a formalized change management plan for group policy settings. Otherwise, administrators may simply make changes as a matter of convenience, and those changes can have unforeseen consequences. Microsoft provides a tool called Advanced Group Policy Management that can help with Group Policy change control.