Server management GPOs

Llara posted this 21 January 2016

In an effort to better standardize our server environment, I’d like to know of things that we can include in the existing server policy to keep things consistent across the board.
Some of the GPOs that we have in place are:

  1. Windows Firewall Management
  2. Prevent login scripts from running on server OS
  3. Set Time Zone to EST
  4. Disable IPv6
  5. Set DNS/WINS/DNS suffix
  6. Set SCOM service to Automatic (ensures services manually set to disable are corrected on next reboot)
  7. Set SCCM service to Automatic (ensures services manually set to disable are corrected on next reboot)
  8. LAPS - Local Admin Password Management

Any thoughts on additional items to add? Either by image or GPO? Maybe event logs? RDP access, remote management?
What do you guys use as standard management on your servers via GPO?
Thank you

robertsingers posted this 21 January 2016

Automate your authoritative time source

http://blogs.technet.com/b/askds/archive/2008/11/13/configuring-an-authoritative-time-server-with-group-policy-using-wmi-filtering.aspx

patrickg posted this 21 January 2016

Some additional settings commonly handled:

  • RDP restrictions, i.e. printer/plug & play/clipboard/etc.
  • Event log sizes and rollover policies
  • Logon/logoff attempts
  • Disabling weak SSL ciphers
  • Blocking accounts which should only run scheduled tasks from logging in interactively
  • Blocking accounts which should be used interactively from running scheduled tasks
  • Windows Update behaviors

For larger orgs, some additional layers based upon the assumption of per-OU policies:

  • Automated patching/reboot schedule
  • Allowing/denying RDP access

I’m sure there are a lot of other ones out there that people have used in the past.

If your systems are running 2012 R2, you can also look into DSC to augment what you can or can’t do with GPOs.

~Patrick
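
One way to verify on a server that a few of the settings listed in the post above (RDP redirection restrictions, event log size, weak ciphers) actually applied, as an added example that is not part of the original thread. The expected values and the function name `Test-ServerBaseline` are assumptions for illustration; the registry value names are the ones the corresponding policies write.

```powershell
# Added example: audits policy-backed registry values against a constructed baseline.
# Expected values are illustrative assumptions, not settings taken from the thread.
$ts  = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$log = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog'
$sch = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

$isOne  = { param($v) $v -eq 1 }   # policy value present and enabled
$isZero = { param($v) $v -eq 0 }   # cipher explicitly disabled

$baseline = @(
    @{ Item = 'RDP clipboard redirection blocked';  Key = $ts; Name = 'fDisableClip';     Test = $isOne }
    @{ Item = 'RDP printer redirection blocked';    Key = $ts; Name = 'fDisableCpm';      Test = $isOne }
    @{ Item = 'RDP plug & play redirection blocked'; Key = $ts; Name = 'fDisablePNPRedir'; Test = $isOne }
    @{ Item = 'Security log max size >= 196608 KB'; Key = "$log\Security"; Name = 'MaxSize'
       Test = { param($v) $v -ge 196608 } }
    @{ Item = 'RC4 128/128 disabled';    Key = "$sch\RC4 128/128";    Name = 'Enabled'; Test = $isZero }
    @{ Item = 'Triple DES 168 disabled'; Key = "$sch\Triple DES 168"; Name = 'Enabled'; Test = $isZero }
)

function Test-ServerBaseline {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        # Use the .NET accessor: the registry PSDrive treats the "/" in
        # SCHANNEL cipher key names such as "RC4 128/128" as a path separator.
        # GetValue returns $null when the key or the value does not exist.
        $value = [Microsoft.Win32.Registry]::GetValue($c.Key, $c.Name, $null)
        [pscustomobject]@{
            Item      = $c.Item
            Value     = if ($null -eq $value) { 'not configured' } else { $value }
            Compliant = [bool](& $c.Test $value)   # a missing value counts as non-compliant
        }
    }
}

Test-ServerBaseline -Checks $baseline | Sort-Object Compliant | Format-Table -AutoSize
```

A value reported as "not configured" means no GPO (or manual setting) wrote it, so the server is running on the OS default for that item.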