Hi Spiceheads,

I have a question regarding local policy and group policy.

I received a workstation hardening procedure, but I need to apply these settings to 300 computers. Can I use group policy instead of local policy? If yes, how, and which option do I need to select: Computer Configuration or User Configuration?

All 300 computers are connected to the same Domain.

Thank you.

2 Spice ups

Local policy applies only to the specific local computer you are editing the policy on. Group policies from a domain will override local policy settings.

You want to use Group Policy Management on a domain controller and change the Computer Configuration as desired. The Group Policy will then update the computers at random intervals. You can force the Group Policy update on a local computer by running gpupdate /force from a command prompt.

4 Spice ups

Generally, Group Policies can be used to apply anything to any domain-enrolled computer.

If it is a computer thing you are trying to do, then you would use the Computer Configuration of a GPO attached to the OU in AD that contains all the computers you want to affect.

Of course subtree capabilities exist so if you have multiple OUs for machines then you can apply the policy to the parent of these.

It depends on the action you require as to exactly how you do it but anything can be done.

2 Spice ups
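The steps described in the two answers above (a Computer Configuration GPO, linked to the OU that holds the workstations, followed by a policy refresh), scripted with the GroupPolicy and ActiveDirectory PowerShell modules. This is an added example, not part of the original thread; the GPO name, the OU path and the single AutoPlay setting are assumptions standing in for whatever the hardening procedure actually lists.

```powershell
# Run on a domain controller or an admin workstation with RSAT installed.
Import-Module GroupPolicy, ActiveDirectory

# Assumed placeholder values: replace with your own.
$GpoName  = 'Workstation Hardening'                 # hypothetical GPO name
$TargetOu = 'OU=Workstations,DC=example,DC=com'     # hypothetical parent OU of the 300 computers

# 1. Create the GPO once; reuse it on later runs.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Workstation hardening baseline'
}

# 2. Only machine settings are used, so switch off the User Configuration half.
$gpo.GpoStatus = 'UserSettingsDisabled'

# 3. One registry-based Computer Configuration setting as an illustration:
#    an HKLM key lands under Computer Configuration. 255 = AutoPlay off on all drive types.
#    Security Settings such as password policy are not registry-based and are
#    edited in the Group Policy Management Editor instead.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoDriveTypeAutoRun' -Type DWord -Value 255 | Out-Null

# 4. Link the GPO to the parent OU; child OUs inherit it.
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object DisplayName -eq $GpoName
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# 5. Optional: trigger a refresh remotely instead of waiting for the
#    background interval (same effect as gpupdate /force on each machine).
Get-ADComputer -SearchBase $TargetOu -Filter * | ForEach-Object {
    Invoke-GPUpdate -Computer $_.DNSHostName -Force -RandomDelayInMinutes 0
}

# 6. Save a report of what the GPO contains for review against the procedure.
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\WorkstationHardening.html"
```

Running `gpresult /r /scope computer` on one of the workstations afterwards shows whether the GPO appears under the applied computer policies.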

With 300 machines you are going to have to use GPO and not local policies. The scope is just way too large for going to each machine and doing the config.

As for where and when to use Computer vs User GPOs, that’s totally up to you.

You should read the below:

Computer Configuration in Group Policy

User Configuration in Group Policy

What policies to apply will be in the scope of the desktop hardening, so you will have to do your searches on that. Typically hardening would include security settings of some sort, which will include password complexity, length and expiration, right down to stopping the installation of executables on a machine.

These policies will be different in each environment, so you will have to do some homework about what GPOs need to be applied.

1 Spice up

Machine specific - Computer Configuration

User Specific - User Configuration

1 Spice up