Group Policy normally applies in a clean two-track way: Computer Configuration follows the computer wherever it goes, User Configuration follows the user wherever they sign in. That clean separation breaks…
Group Policy is the centralised configuration system that drives every domain-joined Windows endpoint — security baselines, drive maps, software restrictions, audit settings, the lot. The mechanics are well-documented; the design…
The Australian Cyber Security Centre’s “Hardening Microsoft Windows 10 and Windows 11 Workstations” publication (last updated July 2024) is one of the more comprehensive endpoint-hardening references the security community has.…
A full walkthrough of configuring Folder Redirection via Group Policy in Windows Server 2022 — OU and group setup, hidden SMB share, NTFS permissions, GPO security filtering with delegated Read for Authenticated Users, and a Windows 10 client test — plus a deep dive on why Folder Redirection still needs Authenticated Users to have Read on the GPO.
Account Lockout Policy converts a brute-force password attack from 'eventually wins' into 'locks the account and stops'. Three knobs configured at the domain level via Default Domain Policy: lockout threshold (failed attempts before lock - default 0 = no protection, recommended 5), reset counter (minutes before failed-attempt counter resets - default 30), and lockout duration (minutes account stays locked - 0 = manual unlock only). Walks the full setup in Server 2022 GPMC + Windows 10 client: edit Default Domain Policy, set the three values, disable Administrator account lockout (recommended - protects break-glass), gpupdate /force, deliberately lock a test user (5 wrong passwords), then unlock via ADUC Account tab or Unlock-ADAccount PowerShell. Includes the domain-scope constraint (must live in Default Domain Policy, not OU-linked - this is one of the rare exceptions to the don't-edit-defaults rule), the SIEM event-ID reference (4625/4740/4767), and pointers to Fine-Grained Password Policy for per-user/per-OU differentiation.
Default Windows 10/11 PowerShell policy is Restricted - .ps1 files are blocked, only interactive commands run. The right way to change that fleet-wide is one GPO at Computer Configuration / Administrative Templates / Windows Components / Windows PowerShell / Turn on Script Execution. Walks the round trip end to end on Windows Server 2022 + a Win10 client: verify the default Restricted state, create the GPO and set RemoteSigned (Allow local scripts and remote signed scripts), link to a pilot Test Computers OU, gpupdate /force + reboot on the client, confirm Get-ExecutionPolicy now reports RemoteSigned, then flip the GPO to Disabled to demonstrate rollback (returns to Restricted). Includes the five execution policies (Restricted / AllSigned / RemoteSigned / Unrestricted / Bypass), Get-ExecutionPolicy -List interpretation (MachinePolicy beats everything when the GPO is in effect), and the six common pitfalls (computer-vs-user OU link, missed reboot, Unrestricted-as-default, Not-Configured-vs-Disabled rollback semantics, mixed user+computer policies, and the powershell.exe -ExecutionPolicy Bypass admin-bypass that means execution policy is a safety not a security boundary - pair with AppLocker or WDAC for real restriction).
A roaming profile follows the user across machines - sign into PC-A, then PC-B, and the same desktop, files, and app settings appear. Five-step setup on Windows Server 2022: AD security group (Roaming Profiles Users), hidden SMB share (profiles$ with access-based enumeration and a custom ACL granting only Create-Folders to the security group on This folder only), user profile path attribute set to \\\\\\profiles$\\%username%, GPO 'Add the Administrators security group to roaming user profiles' linked to the client OU (must be in place BEFORE first roaming logon - not retroactive), then verify on a Windows 10/11 client (gpupdate, sign in, drop a Test folder on the desktop, sign out / in, browse the share, confirm sysdm.cpl reports profile Type: Roaming). Includes the .V6 profile-version suffix explainer (different OSes get separate folders), the logon/logoff lifecycle, and the seven common pitfalls (path-before-share trap, forgotten Admins GPO, caching-on-the-share, mixed-OS .V6 collisions, profile bloat without limits).
Active Directory does not audit security-relevant events out of the box. The legacy 9-category basic audit policy is high-volume and low-resolution; the right tool for granular AD audit is Advanced Audit Policy Configuration with its ~60 subcategories. Walks the full pipeline: create a dedicated GPO, enable two representative subcategories (DS Access -> Audit Directory Service Changes, Object Access -> Audit File System) with Success+Failure, link the GPO to the Domain Controllers OU, force gpupdate, then verify by creating a Test GPO and confirming Event ID 5137 fires on the DC's security log with the matching GUID. Includes a reference table of useful event IDs (4624/4625 logon, 4720/4726/4738 account, 5136-5141 directory service, 4663 file system), the SCENoApplyLegacyAuditPolicy basic-vs-advanced split, the SACLs-required-for-File-System gotcha, the default-16MB-security-log gotcha, and pointers to Windows Event Forwarding and SIEM ingestion for handling volume.
The conceptual reference for Group Policy: what GPOs actually are, the difference between local and domain GPOs, the two built-in defaults (Default Domain Policy and Default Domain Controllers Policy) and why you should not modify them for general settings, the Computer-Configuration vs User-Configuration split, what GPOs can and cannot be linked to (sites/domains/OUs yes; individual user/computer accounts no), administrative templates (ADMX = engine, ADML = dashboard labels), GPO scope (link + Security Filtering + WMI Filtering + Item-Level Targeting for Preferences), and the LSDOU processing order with last-write semantics. Walks inheritance / Block Inheritance / Enforced precedence (Enforced beats Block), the GUI tools (gpmc.msc, gpedit.msc) and CLI tools (gpupdate, gpresult, LGPO.exe, the GroupPolicy PowerShell module), every GPO attribute (Name, GUID, Links, Security Filtering, WMI Filtering, Version Number, Enabled/Disabled state), and the Azure AD DS differences (no site links, no software deployment, predefined OUs, AAD DC Administrators group). Includes seven best practices and cross-links to the practical articles in the pathway.
GPOs can be deleted in two clicks; AD replicates the deletion to every DC, SYSVOL files vanish, and clients drop the policy at next refresh. AD Recycle Bin restores the container in AD but not the SYSVOL GPT files where the actual policy settings live - so per-GPO backup is its own discipline. Walks the full GPMC lifecycle: Back Up All... for a fleet snapshot, Back Up... for one GPO before a risky edit, Manage Backups... for preview-then-restore (View Settings opens an HTML report, Restore overwrites the live GPO), and the manual re-link step that the backup does NOT capture. Plus the PowerShell-only equivalent (Backup-GPO -All / Restore-GPO -Name) for scheduled / scripted use. Includes the four pitfalls (no description = uninformative Manage Backups list, backup-on-the-DC-fails-with-the-DC trap, untested-backup wishful thinking, View-Settings-first habit) and the link-map documentation gotcha.
Remove-AppxPackage disappears the next time provisioning runs the OS image; the right tool for keeping consumer UWP apps (Microsoft Store, Xbox, Solitaire, Mixed Reality Portal) off business endpoints is AppLocker Packaged app Rules pushed by Group Policy. Walks the full GPO end-to-end: create + link a new GPO at the OU/domain root, configure the Application Identity service to start automatically (AppLocker's hard dependency), import a 132-rule AppLocker baseline XML, scope the rules with either publisher exceptions on broad Allow rules or explicit per-package Deny rules, switch enforcement mode from Audit-only to Enforce rules, gpupdate, verify on a domain-joined client (Application Identity running, Microsoft Store / Xbox / Solitaire all hit 'This app has been blocked by your system administrator'). Includes the SKU gotcha (AppLocker only enforces on Enterprise / Education, not Pro / Home), the audit-only safety net, the AppLocker event-log IDs (8020 = blocked, 8021 = would-be-blocked) for reporting, and the local-admin-bypass test trap.
The classic 'net use' line in a logon script stalled the desktop, did not scale to multiple departments, and was painful to clean up when someone changed teams. Group Policy Preferences Drive Maps + item-level targeting replaces all of it: declarative, parallel, and scoped to AD group membership. This article walks the full workflow - create the security group in dsa.msc, share the folder with matching share + NTFS ACLs, create and link a GPO to the user OU, add a Drive Maps preference (Action: Create, Reconnect: yes, Drive Letter: S, Label as: Sales Group), then move the membership check off the OU link and onto the preference itself via Common - Item-level targeting - Security Group - User in group. Verifies with gpresult and Get-PSDrive on a domain-joined client. Includes the common pitfalls (linking to the computer OU, skipping share permissions, picking a domain-local group, forgetting the User-in-group vs Computer-in-group choice).
