The Group Policy Editor is a Windows administration tool that allows users to configure many important settings on their computers or networks. Administrators can configure password requirements, startup programs, and define what applications or settings users can change.
These settings are called Group Policy Objects (GPOs). Attackers use GPO’s to turn off Windows Defender. System Administrators use GPOs to deal with locked out users.
This blog will deal with the Windows 10 version of Group Policy Editor (also known as gpedit), but you can find it in Windows 7, 8, and Windows Server 2003 and later.
This piece will cover how to open and use Group Policy Editor, some important security settings in GPOs, and some alternatives to gpedit.
How To Access Group Policy Editor Windows 10: 5 Options
There are several ways to open Group Policy Editor. Choose your favorite!
Option 1: Open Local Group Policy Editor in Run
- Open Search in the Toolbar and type Run, or select Run from your Start Menu.
- Type ‘gpedit.msc’ in the Run command and click OK.
Option 2: Open Local Group Policy Editor in Search
- Open Search on the Toolbar
- Type ‘gpedit’ and click ‘Edit Group Policy.’
Option 3: Open Local Group Policy Editor in Command Prompt
- From the Command Prompt, type ‘gpedit.msc’ and hit ‘Enter.’
Option 4: Open Local Group Policy Editor in PowerShell
- In PowerShell, type ‘gpedit’ and then ‘Enter.’
- If you would prefer, you can also use PowerShell to make changes to Local GPOs without the UI.
Option 5: Open Local Group Policy Editor in Start Menu Control Panel
- Open the Control Panel on the Start Menu.
- Click the Windows icon on the Toolbar, and then click the widget icon for Settings.
- Start typing ‘group policy’ or ‘gpedit’ and click the ‘Edit Group Policy’ option.
What Can You Do With Group Policy Editor
A better question would be, what can’t you do with Group Policy Editor! You can do anything from set a desktop wallpaper to disable services and remove Explorer from the default start menu. Group policies control what version of network protocols are available and enforce password rules. A corporate IT security team benefits significantly by setting up and maintaining a strict Group Policy. Here are a few examples of good IT security group policies:
- Limit the applications users can install or access on their managed corporate devices.
- Disable removable devices like USB drives or DVD drives.
- Disable network protocols like TLS 1.0 to enforce usage of more secure protocols.
- Limit the settings a user can change with the Control Panel. For example, let them change screen resolution but not the VPN settings.
- Specify an excellent company-sanctioned wallpaper, and turn off the user’s ability to change it.
- Keep users from accessing gpedit to change any of the above settings.
Those are just a few examples of how an IT security team could use Group Policies. If the goal is a more secure and hardened environment for your organization, use group policies to enforce good security habits.
Components of the Group Policy Editor
The Group Policy Editor window is a list view on the left and a contextual view on the right. When you click an item on the left side, it changes the focus of the right to show you details about that thing you clicked.
The top-level nodes on the left are “Computer Configuration” and “User Configuration.” If you open the tree for Computer Configuration, you can explore the options you have to manage different system behavior aspects.
For example, under Computer Configuration -> Administrative Templates -> Control Panel -> Personalization, you will see things like “Do not display the lock screen” on the right side.
You can edit the setting by double-clicking.
There are hundreds of different settings like this in Group Policy Editor. Click around or view the Microsoft documentation for a list of all of them.
Local Group Policy Editor Components
- Computer Configuration: These policies apply to the local computer, and do not change per user.
- User Configuration: These policies apply to users on the local machine, and will apply to any new users in the future, on this local computer.
- Those two main categories are further broken down into sub-categories:
- Software Settings: Software settings contain software specific group policies: this setting is empty by default.
Stop tweaking GPOs and take control of AD with Varonis.
How to Configure a Security Policy Setting Using the Local Group Policy Editor Console
Once you have an idea of what you GPOs you want to set, using Group Policy Editor to make the changes is pretty simple.
Let’s look at a quick password setting we can change:
- In gpedit, click Windows Settings, then Account Settings, then Password Policy.
- Select the option for “Password must meet complexity requirements.”
- Click “Enabled” and then “Apply,” and your change happens on this local computer. Applying changes to GPOs at the enterprise level is out of the scope of this blog.
How to use PowerShell to Administer Group Policies
Many sysadmins are moving to PowerShell instead of the UI to manage group policies. Here are a few of the PowerShell GroupPolicy cmdlets to get you started.
- New-GPO: This cmdlet creates a new unassigned GPO. You can pass a name, owner, domain, and more parameters to the new GPO.
- Get-GPOReport: This cmdlet returns all or the specified GPO(s) that exist in a domain in an XML or HTML file. Very useful for troubleshooting and documentation.
- Get-GPResultantSetOfPolicy: This cmdlet returns the entire Resultant Set of Policy (RsoP) for a user or computer or both and creates an XML file with the results. This is a great cmdlet to research issues with GPOs. You might think that a policy is set to a certain value, but that policy could be overwritten by another GPO, and the only way to figure that out is to know the actual values applied to a user or computer.
- Invoke-GPUpdate: This cmdlet allows you to refresh the GPOs on a computer, it’s the same as running gpupdate.exe. You can schedule the update to happen at a certain time on a remote computer with the cmdlet, which also means you can write a script to push out many refreshes if the need arises.
Limitations of Group Policy Editor
The gpedit application is very simplistic for a tool that is supposed to help secure your entire enterprise. GPO updates occur at some time interval on computers throughout the network differently or on a reboot. Therefore, the time between your changes and all computers on the network receiving this change is unknown.
Attackers can change local group policies using the same gpedit, or PowerShell, which can undo any protections you have enabled on that system.
Several companies provide alternative group policy editing tools, and you can learn how to make all the changes with PowerShell to make your job simpler. However, gpedit does not have any native auditing built-in, so you need to have a rock-solid change management plan and audit all GPO changes independently to ensure your enterprise remains secure.
It’s crucial to monitor Active Directory for any changes made to Group Policy – often, these changes are the first signals in APT attacks, where hackers intend to be in your network for a while, and they want to remain hidden. Varonis detects threats by monitoring and correlating current activity against normalized behavior and advanced data security threat models to detect APT attacks, malware infections, brute-force attacks, including attempts to change GPOs.
Check out this PowerShell course by Adam Bertram, where he teaches you how to use PowerShell to manage Active Directory. Once you learn the basics, you can start managing GPOs with PowerShell, and it’s worth 3 CPE credits!
What you should do now
Below are three ways we can help you begin your journey to reducing data risk at your company:
- Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
- Download our free report and learn the risks associated with SaaS data exposure.
- Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Twitter, Reddit, or Facebook.
Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.