
Introduction to Group Policy


Author(s): a_person

Last Updated: 07-03-2025

Recommended Prerequisites

None

What is it?

Group Policy is a feature in Microsoft Windows that allows administrators to manage settings for users and computers. It provides centralized configuration and enforcement of operating system, application, and user settings. It can be applied across a network or locally on a single machine.

Concepts

  • Where Group Policy settings are stored:
    • Registry Keys: The actual policy settings are written to these protected registry locations, overriding standard user or application settings.
      • HKEY_LOCAL_MACHINE\Software\Policies (for computer settings)
      • HKEY_CURRENT_USER\Software\Policies (for user settings)
      • (And the corresponding ...\Microsoft\Windows\CurrentVersion\Policies locations)
    • File System: The %SystemRoot%\System32\GroupPolicy\ directory stores the files that make up a GPO, including administrative templates and script files.

Group Policy vs Registry

They are both used to configure settings, but the Registry is basically the older of the two. Here are the main differences:

  • Each registry is local to its respective machine, while Group Policies can be applied to multiple computers.
  • Group Policy is more persistent, as policies are applied during startup.
  • Group Policy is much easier to use, as it gives setting names and explanations.

How do I change Group Policies?

  • gpedit.msc
    • Locally. You can edit them just by selecting the policies you want to set.
  • gpmc.msc
    • For groups. You can edit them by selecting them on the sidebar.

Local Security Policy

secpol.msc is a specific section of the Local Group Policy (Computer Configuration > Windows Settings > Security Settings). Any change you make in secpol.msc is actually being made within the Local Group Policy (gpedit.msc) and can be viewed there.

Main Settings Configured in secpol.msc:

  • Account Policies - This is where you configure password requirements (length, complexity, history) and account lockout policies (e.g., lock an account after 5 bad password attempts).
  • Audit Policy - Determines which security-related events are logged in the Windows Security Event Log. For example, you can audit successful or failed logon attempts.
  • User Rights Assignment - Controls the specific rights and privileges that users and groups have on the local machine, such as "Shut down the system" or "Back up files and directories."
  • Security Options - A large collection of miscellaneous security settings, such as "Interactive logon: Do not display last user name" or policies related to User Account Control (UAC).
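
To check the Account Policies settings above from a script, the PowerShell below (an added example, not part of the original guide) parses the [System Access] section of a `secedit /export` file and compares it to a baseline. The sample export text, the baseline thresholds, and the function names Get-InfSection and Test-AccountPolicy are constructed assumptions, not CIS or STIG values.

```powershell
# On a real machine (elevated prompt) replace the sample with:
#   secedit /export /cfg "$env:TEMP\secpol.inf" /areas SECURITYPOLICY
#   $export = Get-Content "$env:TEMP\secpol.inf" -Raw
# Constructed sample export so the script runs anywhere:
$export = @'
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 0
PasswordHistorySize = 24
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
'@

# Hypothetical baseline (assumed values, not taken from CIS or a STIG).
$baseline = [ordered]@{
    MinimumPasswordLength = { param($v) $v -ge 14 }
    PasswordComplexity    = { param($v) $v -eq 1 }
    PasswordHistorySize   = { param($v) $v -ge 24 }
    # 0 means accounts never lock out, so require 1 to 5 bad attempts.
    LockoutBadCount       = { param($v) $v -ge 1 -and $v -le 5 }
}

# Return the key/value pairs of one [Section] of INF text as a hashtable.
function Get-InfSection {
    param([string]$Text, [string]$Section)
    $values = @{}
    $inSection = $false
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq $Section)
        } elseif ($inSection -and $line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') {
            $values[$Matches[1]] = $Matches[2]
        }
    }
    $values
}

# Emit one result object per baseline rule; a missing setting counts as a failure.
function Test-AccountPolicy {
    param($Actual, $Baseline)
    foreach ($rule in $Baseline.GetEnumerator()) {
        $raw = $Actual[$rule.Key]
        $pass = ($null -ne $raw) -and [bool](& $rule.Value ([int]$raw))
        [pscustomobject]@{ Setting = $rule.Key; Actual = $raw; Pass = $pass }
    }
}

Test-AccountPolicy (Get-InfSection $export 'System Access') $baseline | Format-Table -AutoSize
```

Settings outside [System Access], such as the [Event Audit] line in the sample, are ignored by this check.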

Tools for automation and compliance

  • LGPO - Allows you to import and export GPOs.
  • HardeningKitty - Similar to LGPO, with several modes that let you see the most critical policies that are set incorrectly. It also contains some premade baselines.
  • SCC - Developed by the Department of Defense. SCC has Security Content Automation Protocol (SCAP) content and tools to help with security compliance and automation.

Premade baselines

  • CIS Benchmarks - Baselines made by the Center for Internet Security. They provide two levels of baselining and are widely used.
  • DoD STIGs - Security baselines created by the Department of Defense. These guides are used to harden military networks and systems.

Practice

All images, except for ones like the persistence image, contain Group Policy points:
images.cypat.guide

