Microsoft's Group Policy infrastructure allows IT administrators to use Active Directory to specify configurations for computers, and it can be used to set policies for users, applications and networking at the machine level. Group Policy Objects and Group Policy settings are important for maintaining security at both the desktop and server levels, but you should know their limits.
Why use Group Policy to restrict access to the Control Panel?
In addition to the User Account Control feature in the Control Panel, IT admins should know how to lock down the Control Panel with Group Policy. This can help prevent users from making unauthorized changes to their machines. Group Policy is also useful for protecting Outlook 2010, regulating local admin groups and managing Active Directory.
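As an added illustration of the Control Panel lockdown described above (not code from the original article), the following PowerShell sketch sets the registry-based policy value behind "Prohibit access to Control Panel" in a GPO, links it, and reads the value back. The GPO name and OU path are hypothetical placeholders, and it assumes the GroupPolicy module (installed with the Group Policy Management Console) and rights to create and link GPOs.

```powershell
# Added example: requires the GroupPolicy module and a domain admin session.
Import-Module GroupPolicy

# Hypothetical names; replace with values from your own domain.
$GpoName  = 'Restrict-ControlPanel'
$TargetOu = 'OU=Staff,DC=example,DC=com'   # placeholder OU holding user accounts

# Registry-based policy value that hides the Control Panel for the user.
$Key       = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoControlPanel'

# Create the GPO only if it does not already exist, so reruns are safe.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Blocks user access to the Control Panel'
}

# Write the setting into the user half of the GPO (HKCU = User Configuration).
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName `
    -Type DWord -Value 1 | Out-Null

# Link the GPO. New-GPLink raises an error if the link already exists.
try {
    New-GPLink -Name $GpoName -Target $TargetOu -ErrorAction Stop | Out-Null
} catch {
    Write-Warning "Link not created (it may already exist): $($_.Exception.Message)"
}

# Read the setting back from the GPO instead of assuming the write succeeded.
$check = Get-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName
if ($check.Value -ne 1) {
    throw "GPO '$GpoName' does not contain $ValueName = 1"
}
"{0}: {1} = {2}" -f $GpoName, $ValueName, $check.Value
```

Because this is a user-side setting, it takes effect for user accounts in the linked OU at their next policy refresh; running `gpresult /r` as an affected user shows whether the GPO was applied.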
How can I use Group Policy settings to manage desktops?
While much of IT's focus is on securing enterprise networks, don't forget to monitor endpoints such as desktops and mobile devices. For example, you can use Group Policy to automate BitLocker To Go, which is a whole-disk encryption program built into Windows. BitLocker requires users to enter a password to get access to files on removable drives such as USB memory sticks.
To properly manage desktops, it's best to perform a desktop audit to find out what IT assets the organization has. Note that Group Policy Objects and Group Policy settings vary among versions of Windows. Group Policy can restrict the use of desktop gadgets and provide security settings for Internet Explorer 8.
Are Group Policy settings also useful for virtual desktops?
The Group Policy Object Editor allows IT pros to modify configuration and security settings for Microsoft Office, which otherwise can be done only by editing the registry. You just need to learn to use the Office Customization Tool for client deployments and the administrative templates for Office 2010 in virtual desktop infrastructure.
Group Policy Objects, for example, enable admins to restrict virtual desktops through redirection of folders and even the start menu. In addition, there are ways for admins to use Group Policy to secure network endpoints, but not every mobile device is compatible.
How has Group Policy security changed with Windows Server?
Note that Group Policies for Windows Server 2008 should be backed up. Both Active Directory and Group Policy objects are valuable tools for securing Windows Server 2008 R2 installations.
Along with numerous Group Policy settings, the beta of Windows Server 2012 (formerly called the Windows Server 8 beta) brings improvements in how the Group Policy Management Console distributes updates, how reports are provided about the Active Directory network and how to manage the Setting Sync feature. There are also Group Policy Objects specifically intended for Windows 8 and its Metro interface.
This was first published in May 2012