The Group Policy Editor is a Windows administration tool that allows users to configure many important settings on their computers or networks. Administrators can configure password requirements, startup programs, and define what applications or settings other users can change on their own. This blog will deal mostly with the Windows 10 version of Group Policy Editor (gpedit), but you can find it in Windows 7, 8, and Windows Server 2003 and later.
5 Ways to Access Local Group Policy Editor
There are plenty of different ways to get to the Local Group Policy Editor. You can find one that you are most comfortable with.
Get the Free Pen Testing Active Directory Environments EBook
Open Local Group Policy Editor in Run
- Open Search in the Toolbar and type Run, or select Run from your Start Menu.
- Type ‘gpedit.msc’ in the Run command and click OK.
Open Local Group Policy Editor in Search
- Open Search on the Toolbar
- Type ‘gpedit’ and click ‘Edit Group Policy.’
Open Local Group Policy Editor in Command Prompt
- From the Command Prompt, type ‘gpedit.msc’ and hit ‘Enter.’
Open Local Group Policy Editor in PowerShell
- In PowerShell, type ‘gpedit’ and then ‘Enter.’
If you would prefer you can also use PowerShell to make changes to Local GPOs without the UI.
Open Local Group Policy Editor in Start Menu Control Panel
- Open the Control Panel on the Start Menu.
- Click the Windows icon on the Toolbar, and then click the widget icon for Settings.
- Start typing ‘group policy’ or ‘gpedit’ and click the option to ‘Edit Group Policy.
Components of the Local Group Policy Editor
Now that you have gpedit up and running, there are a few important details to know about before you start making changes. Group policies are hierarchical, meaning that a higher-level group policy – like a domain level Group Policy – can override local policies.
Group policies are processed in the same order for each login – Local policies first, then Site level, then Domain, then Organizational Unit (OU). OU policies will override all others, and so on down the chain.
There are two major categories of group policies – Computer and User – that are in the left pane of the gpedit window.
Computer Configuration: These policies apply to the local computer, and do not change per user.
User Configuration: These policies apply to users on the local machine, and will apply to any new users in the future, on this local computer.
Those two main categories are further broken down into sub-categories:
Software Settings: Software settings contain software specific group policies: this setting is empty by default.
Window Settings: Windows settings contain local security settings. You can also set login or administrative scripts to execute changes in this category.
Administrative Templates: Administrative templates can control how the local computer behaves in many ways. These policies can change how the Control Panel looks, what printers are accessible, what options are available in the start menu, and much more.
What Can You Do With Group Policy Editor
A better question would be what can’t you do with gpedit! You can do anything from set a desktop wallpaper to disable services and remove Explorer from the default start menu. Group policies control what version of network protocols are available and enforce password rules. A corporate IT security team benefits greatly by setting up and maintaining a strict Group Policy. Here are a few examples of good IT security group policies:
- Disable removable devices like USB drives.
- Disable TLS 1.0 to enforce usage of more secure protocols.
- Limit the settings a user can change using Control Panel. Let them change screen resolution, but not the VPN settings.
- Specify a good company sanctioned wallpaper, and turn off the user’s ability to change it.
- Keep users from accessing gpedit to change any of the above settings.
That is just a few examples of how an IT security team could use Group Policies. If the IT team sets those policies at the OU or domain level, the users will not be able to change them without administrator approval them.
How to Configure a Security Policy Setting Using the Local Group Policy Editor Console
Once you have an idea of what you GPOs you want to set, using gpedit to make the changes is pretty simple.
Let’s look at a quick password setting we can change:
1. In gpedit, click Windows Settings, then Account Settings, then Password Policy.2. Select the option for “Password must meet complexity requirements.”3. If you have Administrative rights to change this setting, you could click the button next to “Enable” and then click Apply. (ed. Varonis has a very solid IT security policy, because of course)
How to use PowerShell to Administer Group Policies
Many sysadmins are moving to PowerShell instead of the UI to manage group policies. Here are a few of the PowerShell grouppolicy cmdlets to get you started.
- New-GPO: This cmdlet creates a new unassigned GPO. You can pass a name, owner, domain, and more parameters to the new GPO.
- Get-GPOReport: This cmdlet returns all or the specified GPO(s) that exist in a domain in an XML or HTML file. Very useful for troubleshooting and documentation.
- Get-GPResultantSetOfPolicy: This cmdlet returns the entire Resultant Set of Policy (RsoP) for a user or computer or both and creates an XML file with the results. This is a great cmdlet to research issues with GPOs. You might think that a policy is set to a certain value, but that policy could be overwritten by another GPO, and the only way to figure that out is to know the actual values applied to a user or computer.
- Invoke-GPUpdate: This cmdlet allows you to refresh the GPOs on a computer, it’s the same as running gpupdate.exe. You can schedule the update to happen at a certain time on a remote computer with the cmdlet, which also means you can write a script to push out many refreshes if the need arises.
There are many more cmdlets in the ‘grouppolicy’ PowerShell object, but these four are especially useful to track down and resolve inheritance issues with GPOs.
PowerShell is one of a hacker’s favorite tools, and one of their favorite tricks is to enable the local administrator account that you have carefully disabled to gain control of a system for more infiltration or privilege escalation work.
It’s important to monitor Active Directory for any changes made to Group Policy – often these changes are the first signals in APT attacks, where hackers intend to be in your network for a while, and they want to remain hidden. Varonis monitors and correlates current activity against normalized behavior and advanced data security threat models to detect APT attacks, malware infections, brute-force attacks, including attempts to change GPOs.
Check out this PowerShell course by Adam Bertram for more PowerShell tips and tricks! It’s worth 3 CPE credits!