Skip to main content

Favorite Group Policies

Last Updated: April 23, 2015

Common Security Hardening Policies

PathPolicySetting
Local Policies -> Security OptionsAccounts: Guest account statusDisabled
Local Policies -> Security OptionsNetwork access: Allow anonymous SID/Name translationDisabled
Local Policies -> Security OptionsNetwork security: Do not store LAN Manager hash value on next password changeEnabled
Local Policies -> Security OptionsNetwork security: Force logoff when logon hours expireDisabled
Local Policies -> Security OptionsAccounts: Block Microsoft accountsUsers can't add Microsoft accounts
Network -> WLAN Service -> WLAN SettingsAllow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid servicesDisable
Windows Components -> Application CompatibilityTurn off Application TelemetryEnabled
Windows Components -> Data Collection and Preview BuildsAllow Telemetry1 - Basic
Windows Components -> Delivery OptimizationDownload ModeLAN

Disallow programs from running in AppData

This is recommended as a measure to protect against some viruses.

Under Computer Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules

New Path Rule

disallow-appdata

Enabling Verbose Login Messages

Instead of seeing "Please Wait" or "Loading Windows", it tells you what it's doing.

Under Computer Configuration > Policies > Administrative Templates > System Display highly detailed status messages - Set this to Enabled

Delete Printers

Send to OneNote 2013, Microsoft XPS Document Writer, Fax are rarely use so I deleted them.

Under User Configuration > Preferences > Control Panel Settings > Printers > New Local Printer

delete-printers

Setting up custom Administrative Templates

This can be used for Chrome, Office 2013, Startisback, and more...

You must create the admx central store. Put these files in

\\domain\SYSVOL\domain\Policies\PolicyDefinitions

Office 2013 Templates

Chrome

Windows 8.1/Server 2012 R2

Startisback

You should be able to see them under Administrative Templates now.