Question posted by spiceuser-p5xos on 2023-10-26 (4 upvotes, 6 answers)
https://community.spiceworks.com/t/applying-gpo-at-the-domain-level/961498/1

We are trying to implement security hardening for over 3,000 client workstations across our Active Directory infrastructure by deploying a Group Policy Object (GPO) at the domain level within the computer configuration. In specific server Organizational Units (OUs), we plan to use overriding policies to disable this security hardening for Servers.

I’m seeking advice on potential drawbacks or risks associated with this approach. Your insights on this matter would be greatly appreciated.

tghowe, 2023-10-26 (1 upvote):

I just set the ‘Block Inheritance’ check on the server OUs and create separate server policies.

spiceuser-p5xos, 2023-10-26 (0 upvotes):

@tghowe We are planning to enforce this workstation security hardening GPO policy, and it appears that blocking inheritance won’t work in this context, given our current approach.

pkrupicka, 2023-10-27 (1 upvote):

You can use Security filtering and/or WMI filter. You can also apply the GPO to workstation OUs only.

matt7863, 2023-10-27 (0 upvotes):

Applying at the top level has risks - it will try to apply to all computers unless a block is in place, and if that fails it will apply.

Good practice would be to apply at the top level of one or more OUs that require the settings. Applying policies that filter out also causes start-up/logon delays as the policy has to be processed.

tghowe, 2023-10-27 (0 upvotes):

WMI Filtering was going to be my next response and is easy to apply.
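
Added example, not part of any post in this thread: a read-only PowerShell audit that shows which OUs still receive a domain-linked GPO once the link is enforced, and which WMI filter and security filtering the GPO carries. The GPO name `Workstation Hardening` is a hypothetical placeholder, and the RSAT GroupPolicy and ActiveDirectory modules are assumed to be installed.

```powershell
# Added example: read-only audit of where a domain-linked GPO actually lands.
# Assumption: 'Workstation Hardening' is a placeholder GPO display name.
Import-Module GroupPolicy, ActiveDirectory

$GpoName  = 'Workstation Hardening'
$domainDn = (Get-ADDomain).DistinguishedName

# 1. Confirm the GPO is linked at the domain root and whether that link is enforced.
#    An enforced link is applied even below OUs that have Block Inheritance set.
$domainLink = (Get-GPInheritance -Target $domainDn).GpoLinks |
    Where-Object DisplayName -eq $GpoName
if (-not $domainLink) { throw "GPO '$GpoName' is not linked at $domainDn" }
"Domain link enabled: $($domainLink.Enabled)  enforced: $($domainLink.Enforced)"

# 2. For every OU, check whether the GPO is in the effective (inherited) link list.
$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $som = Get-GPInheritance -Target $ou.DistinguishedName
    $hit = $som.InheritedGpoLinks | Where-Object DisplayName -eq $GpoName
    [pscustomobject]@{
        OU               = $ou.DistinguishedName
        BlockInheritance = $som.GpoInheritanceBlocked
        GpoInScope       = [bool]$hit
        Enforced         = [bool]($hit | Where-Object Enforced)
    }
}

# 3. OUs that block inheritance but still get the GPO: the enforced link won.
#    Server OUs showing up here will receive the workstation hardening.
$report | Where-Object { $_.BlockInheritance -and $_.GpoInScope } |
    Format-Table -AutoSize

# 4. Link scope is only the first gate. Show the WMI filter (if any) and the
#    trustees holding Apply permission, which narrow the scope further.
$gpo = Get-GPO -Name $GpoName
if ($gpo.WmiFilter) {
    "WMI filter: $($gpo.WmiFilter.Name)"
} else {
    'WMI filter: none (every computer in link scope evaluates the GPO)'
}
Get-GPPermission -Name $GpoName -All |
    Where-Object Permission -eq 'GpoApply' |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

A WMI filter that limits a GPO to client operating systems commonly uses the query `SELECT * FROM Win32_OperatingSystem WHERE ProductType = "1"`; step 2 reflects link inheritance only, so a server OU listed as in scope can still be excluded by that filter or by security filtering.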