- Group Policy – A Windows feature that allows Active Directory admins to implement specific configurations for users and computers.
- Group Policy Object (GPO) – A collection of settings that control how a computer or user behaves.
- Local Group Policy – The set of Group Policy Objects applied to standalone and non-domain computers.
- Computer Policies – Apply to all users of a computer.
- User Policies – Apply to specific user accounts. A computer can have multiple user policies.
LSDOU Processing Order (Group Policy application order):
- Local Group Policy
- Site Group Policy
- Domain Group Policy
- Organizational Unit (OU) Group Policy
- Local Administrator Password Solution (LAPS) – A Windows feature that automatically manages and securely stores the local administrator password on Azure AD–joined or Windows Server Active Directory–joined devices.
- Account Lockout and Password Policies – Policies within a GPO that control password complexity, expiration, and account lockout thresholds for the entire domain.
- Disable the built-in Administrator account.
- Rename default Administrator and Guest accounts.
- Limit the use of blank passwords (allow only for local console login).
- Restrict removable media and device usage:
  - Formatting and ejecting removable drives
  - Access to optical discs
  - Installing printer drivers
  - Logging on before undocking laptops
Interactive Logon Settings:
- Password reset reminders
- Legal or informational logon message
- Hide the last logged-on user name or other login details
- Hide user information on the lock screen
- Require CTRL+ALT+DEL before login
- Audit Policies – Policies within a GPO that control the recording of system events and security-related changes.
Audit categories include:
- Account logon events
- Logon/logoff events
- Account management
- Object access
- Policy changes
- System events
- Access Token – A temporary token containing user rights and permissions, created when a user logs on.
- Secure Desktop – A security feature that isolates prompts (like UAC) from other applications to prevent tampering.
- Always Notify – Prompt whenever apps or users try to make changes (on the secure desktop).
- Notify Me – Prompt when apps try to make changes.
- Notify Me (Do Not Dim Desktop) – Same as above, but without switching to secure desktop.
- Never Notify – UAC disabled; no prompts displayed.
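As an added example that is not part of these notes, the PowerShell below reads the registry values the UAC slider writes under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and maps them to the four notification levels listed above, flagging the weaker ones. The value names and the level-to-value mapping are Windows' own; the function name `Get-UacLevel` and the defaults assumed for missing values are mine.

```powershell
# Added example: classify the effective UAC level on this machine from the
# registry values the UAC slider sets. Value names are real Windows ones;
# the defaults used when a value is absent are an assumption (Windows defaults).
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    param(
        [int]$ConsentBehavior = 5,   # ConsentPromptBehaviorAdmin
        [int]$SecureDesktop   = 1,   # PromptOnSecureDesktop
        [int]$EnableLua       = 1    # EnableLUA
    )
    # EnableLUA=0 switches UAC off entirely (admin tokens are not filtered).
    if ($EnableLua -eq 0) {
        return [pscustomobject]@{ Level = 'UAC disabled (EnableLUA=0)'; Weak = $true }
    }
    $level = switch ("$ConsentBehavior/$SecureDesktop") {
        '2/1' { 'Always Notify' }
        '5/1' { 'Notify Me (default)' }
        '5/0' { 'Notify Me (Do Not Dim Desktop)' }
        '0/0' { 'Never Notify' }
        default { "Non-slider combination ($ConsentBehavior/$SecureDesktop)" }
    }
    # Weak when prompts leave the secure desktop (spoofable) or are skipped entirely.
    $weak = ($SecureDesktop -eq 0) -or ($ConsentBehavior -eq 0)
    [pscustomobject]@{ Level = $level; Weak = $weak }
}

# Read the live values; a missing value falls back to the function's default.
$props = Get-ItemProperty -Path $UacKey -ErrorAction Stop
$args  = @{}
if ($null -ne $props.ConsentPromptBehaviorAdmin) { $args.ConsentBehavior = $props.ConsentPromptBehaviorAdmin }
if ($null -ne $props.PromptOnSecureDesktop)      { $args.SecureDesktop   = $props.PromptOnSecureDesktop }
if ($null -ne $props.EnableLUA)                  { $args.EnableLua       = $props.EnableLUA }

$result = Get-UacLevel @args
Write-Output ("UAC level: {0}  Weak: {1}" -f $result.Level, $result.Weak)
```

In a domain, the same values can be enforced through the GPO security options under User Account Control, so a machine whose result reads "Weak" is a candidate for a GPO check rather than a local fix.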