Eight Windows 11 Group Policy Best Practices for Admins

By Lloyd Ingram


Back up the entire set of Group Policy Objects elsewhere before committing to any change, so that a bad edit can be rolled back quickly.

The Group Policy Editor in Windows 11 works much as it did in Windows 10 and Windows 7. If you're a system admin, it lets you set up "hot desks" shared by multiple members of the organization, which is practically a given in educational settings and large offices. If you don't follow some basic Group Policy best practices, however, you can make the process needlessly complex for both yourself and your users.

An Active Directory domain comes with two default Group Policy Objects: the Default Domain Policy, linked at the domain root, and the Default Domain Controllers Policy, linked to its own dedicated Domain Controllers organizational unit.

The first should only be used to set the Password Policy, the Domain Account Lockout Policy, and the Domain Kerberos Policy. The second sets the User Rights Assignment Policy and the Audit Policy for domain controllers.

Because the Default Domain Policy is linked at the root of the domain, it applies to every user and computer in the domain, administrators included. If you add a setting at that level that contradicts the defaults, you risk a domain-wide lockout that affects your own account as well.

If you need settings beyond those defaults, keep them out of the root-level GPOs: create separate GPOs linked to organizational units structured by department or network, so that differing policy requirements stay separate.

If a GPO only needs to carry user settings (or only computer settings), you can disable the half it doesn't use. Clients then skip processing that half, which slightly shortens policy processing time.

You can do this under Group Policy Objects in the Group Policy Management console: right-click the policy you want to modify, expand GPO Status, and choose either User Configuration Settings Disabled or Computer Configuration Settings Disabled.

If you plan to let your users work only with the applications already installed on the computer, it makes sense to disable installation of new software. This reduces the chance of users installing malware or third-party software that conflicts with your settings.

This is done through the Windows Installer settings, since that is the component that runs setups. The default path is: Computer Configuration > Administrative Templates > Windows Components > Windows Installer.

There, open "Turn off Windows Installer," set it to "Enabled," and in the "Options" panel choose "For non-managed applications only," which still allows installations that you deploy centrally.

In most cases, however, preventing a computer from installing any other software is overkill, especially if your users need some specific programs. In that case it is better to block only the particular applications you don't want run.

This is done via the System options in the user half of the policy (User Configuration > Administrative Templates > System). Use the "Don't run specified Windows applications" setting.

In the dialog box, set the "List of disallowed applications" via the "Show" button. Enter the application names exactly, because a misspelled entry silently blocks nothing. Note that this setting only covers programs started through File Explorer; for robust enforcement, use application control such as AppLocker.

The Control Panel can let users undo limitations you've implemented through Group Policy. To restrict which parts of the Control Panel users can open, go to User Configuration > Administrative Templates > Control Panel. Select "Show only specified Control Panel items" and enter the list of allowed items via the "Show" button in the bottom left of the dialog.

Use Microsoft's official Control Panel item list to get the exact canonical names of the items you want to allow.

The command prompt lets a user work around many of the restrictions you put in place through Explorer, so removing it tightens control over the files on the device. The setting is in the System node (User Configuration > Administrative Templates > System): open "Prevent access to the command prompt," set it to Enabled, and apply the change. This covers cmd.exe only; PowerShell and other shells need their own controls. If you also answer "Yes" to disabling script processing, remember that batch logon scripts will stop running for those users.

If several users share a single device, hiding the system partition from them discourages risky editing and tinkering, so that users see only the files and apps they're supposed to. Keep in mind that hiding a drive only removes it from the Explorer view; it does not block access by a typed path. The neighbouring "Prevent access to drives from My Computer" setting is the one that actually restricts access.

The setting is under the Explorer options (User Configuration > Administrative Templates > Windows Components > File Explorer, labelled Windows Explorer in older templates). Open "Hide these specified drives in My Computer," enable it, and pick the drive or drive combination you'd like to hide from the drop-down list.
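The same workflow from PowerShell, as an added example that is not part of the original article: back up every GPO first (the rollback advice above), then build a user-only GPO that disables the command prompt and blocks a specific application, and link it to a test OU. The GPO name, OU path, backup folder and the blocked executable are assumptions; the registry keys are the ones the listed Administrative Template settings write to.

```powershell
# Requires the GroupPolicy module (RSAT / domain controller); run as a GPO admin.
Import-Module GroupPolicy

# 1. Back up all GPOs before touching anything, so a bad change can be rolled back.
$backupDir = Join-Path 'C:\GPO-Backups' (Get-Date -Format 'yyyyMMdd-HHmmss')  # assumed path
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
Backup-GPO -All -Path $backupDir | Out-Null

# 2. Create a dedicated GPO instead of editing the Default Domain Policy.
$gpoName = 'Shared-Desk-User-Restrictions'   # assumed name
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# 3. It only carries user settings, so disable the computer half to speed processing.
$gpo.GpoStatus = 'ComputerSettingsDisabled'

# 4. "Prevent access to the command prompt": DisableCMD = 2 keeps batch logon scripts working,
#    1 would also disable script processing.
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'DisableCMD' -Type DWord -Value 2 | Out-Null

# 5. "Don't run specified Windows applications": flag plus a numbered list of executables.
$explorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $gpoName -Key $explorerKey -ValueName 'DisallowRun' -Type DWord -Value 1 | Out-Null
$blocked = @('notepad.exe')   # constructed sample entry; use exact executable names
for ($i = 0; $i -lt $blocked.Count; $i++) {
    Set-GPRegistryValue -Name $gpoName -Key "$explorerKey\DisallowRun" `
        -ValueName ($i + 1).ToString() -Type String -Value $blocked[$i] | Out-Null
}

# 6. Link to a department OU, never to the domain root.
$targetOu = 'OU=SharedDesks,OU=Workstations,DC=example,DC=com'   # assumed OU
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 7. Review what was written; roll back with Restore-GPO if anything looks wrong.
Get-GPRegistryValue -Name $gpoName -Key $explorerKey
# Rollback:  Restore-GPO -All -Path $backupDir
```

Run `gpupdate /force` on a test workstation and check `gpresult /h report.html` to confirm the GPO applies only to the intended OU before widening the link.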
