Group Policy Objects (GPO)
Centralized configuration management for the maharjan.com.np domain.
The Core GPO Structure
Every GPO is split into two halves. Understanding this separation is vital for troubleshooting "missing" policies.
Computer Configuration Applied at boot. Affects the OS and hardware.
User Configuration Applied at logon. Affects Desktop, Apps, and Environment.
LSDOU: The Order of Precedence
Policies are processed in a specific sequence. The last policy applied wins in the event of a conflict.
1. Local
2. Site
3. Domain
4. OU
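As an added example (not part of the original page), the script below walks the LSDOU chain for one OU in maharjan.com.np with the RSAT GroupPolicy module and prints the linked GPOs in the order they are processed, so a "missing" policy can be traced to the link that overrode it. It assumes the caller has read rights on the domain and that an OU DN such as OU=Sales,DC=maharjan,DC=com,DC=np exists; site-linked GPOs are not listed because Get-GPInheritance targets only domains and OUs, so the Site step still has to be checked in GPMC. A container with "Block Inheritance" set, or a link marked Enforced, changes the plain last-wins rule, and both flags are shown in the output for that reason.

```powershell
# Added example, not from the original page. Lists GPO links along the
# Domain -> OU chain for an OU in maharjan.com.np, in processing order
# (last row = highest precedence). Requires the RSAT GroupPolicy module.
Import-Module GroupPolicy

function Get-LsdouChain {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)

    # Split the DN on commas that are not escaped, e.g. OU=Sales,DC=maharjan,DC=com,DC=np
    $parts    = $OuDistinguishedName -split '(?<!\\),'
    $domainDn = ($parts | Where-Object { $_ -like 'DC=*' }) -join ','
    $ous      = @($parts | Where-Object { $_ -like 'OU=*' })

    # Containers top-down: the domain first, then each OU from the root toward the leaf
    $chain = @($domainDn)
    for ($i = $ous.Count - 1; $i -ge 0; $i--) {
        $chain += (@($ous[$i..($ous.Count - 1)]) + $domainDn) -join ','
    }
    return $chain
}

function Get-GpoProcessingOrder {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)

    foreach ($container in Get-LsdouChain $OuDistinguishedName) {
        $inh = Get-GPInheritance -Target $container
        # Link order 1 has the highest precedence, so within a container it is applied last
        foreach ($link in ($inh.GpoLinks | Sort-Object Order -Descending)) {
            [pscustomobject]@{
                Container         = $container
                Gpo               = $link.DisplayName
                LinkOrder         = $link.Order
                Enabled           = $link.Enabled
                Enforced          = $link.Enforced   # Enforced links win over lower-level conflicts and Block Inheritance
                BlocksInheritance = $inh.GpoInheritanceBlocked
            }
        }
    }
}

# Usage: hypothetical Sales OU in the maharjan.com.np domain
Get-GpoProcessingOrder -OuDistinguishedName 'OU=Sales,DC=maharjan,DC=com,DC=np' | Format-Table -AutoSize
```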
// Example: Password Complexity Policy Path
Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy
Custom GPO Implementation
To adjust custom policies for specific departments or locations (e.g., Kathmandu vs Pokhara), link GPOs to the appropriate Organizational Unit (OU) rather than the domain root.
// Deployment Logic for Custom Settings:
1. Create GPO in "Group Policy Objects" container.
2. Link GPO to target OU (e.g., OU=Sales,DC=maharjan,DC=com,DC=np).
3. Use "Security Filtering" to target specific Global Groups.
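The three deployment steps above, carried out end to end with the GroupPolicy module, as an added example that is not the page's own procedure. The GPO name SEC_Sales_Baseline follows the SEC_ prefix convention, and the Global Group SEC_Sales_Users is a hypothetical name; the script assumes both the Sales OU and that group already exist in maharjan.com.np. Security filtering is the part most often done wrong: Authenticated Users must keep Read on the GPO (computers process it in their own security context), so only the Apply right is moved to the group.

```powershell
# Added example, not from the original page: create a single-purpose GPO,
# link it to the Sales OU (not the domain root), and scope it with Security
# Filtering to one Global Group. Assumes the RSAT GroupPolicy module.
Import-Module GroupPolicy

$gpoName  = 'SEC_Sales_Baseline'                     # SEC_ prefix = security GPO
$targetOu = 'OU=Sales,DC=maharjan,DC=com,DC=np'
$group    = 'SEC_Sales_Users'                        # hypothetical Global Group

# 1. Create the GPO in the "Group Policy Objects" container (it is unlinked at this point)
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Security baseline for the Sales OU'
}

# 2. Link it to the target OU, skipping the call if the link already exists
$existing = (Get-GPInheritance -Target $targetOu).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $existing) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# 3. Security Filtering: strip Authenticated Users down to Read only, then grant Apply to the group.
#    Removing Read entirely would stop every computer in the OU from processing the GPO.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead | Out-Null
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group -PermissionLevel GpoApply | Out-Null

# Verify the resulting ACL: the group should show GpoApply, Authenticated Users GpoRead
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize
```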
GPO Administration Checklist
✓ Modular GPOs: Create single-purpose GPOs (e.g., "Firewall Settings") instead of one massive "Global Policy."
✓ Disable Unused Settings: If a GPO carries only User settings, right-click it and choose "Disable Computer Configuration" to speed up processing.
✓ Naming Convention: Use prefixes for visibility: SEC_ (Security), APP_ (Apps).
Security Hardening
Implement these "Must-Have" security GPOs to protect the maharjan.com.np forest from lateral movement and credential theft.
- 🛡️ Disable LLMNR & NetBIOS: Removes the name-resolution poisoning that enables NTLM relay (Man-in-the-Middle) attacks.
- 🛡️ Restricted Groups: Ensure only authorized IT staff are in the "Local Administrators" group.
- 🛡️ UAC Hardening: Force "Prompt for credentials on the secure desktop."
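The LLMNR and UAC items above are Administrative Template and Security Options settings that map to fixed registry values, so they can be pushed into a SEC_ GPO with Set-GPRegistryValue; the script below does that and then audits a workstation for all three controls. It is an added example and not the page's own configuration: the GPO name SEC_Endpoint_Hardening and the allow-list of administrator accounts are hypothetical, and it assumes the RSAT GroupPolicy module on the admin host. NetBIOS over TCP/IP is a per-interface setting, so it is shown as the body a GPO startup script would run rather than as a registry policy, and Restricted Groups is not a registry policy at all; it stays in GPMC under Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups, with the audit function checking the outcome.

```powershell
# Added example, not from the original page. Pushes LLMNR/UAC hardening into a
# GPO and audits an endpoint for the three "Must-Have" controls.
Import-Module GroupPolicy

$gpoName = 'SEC_Endpoint_Hardening'   # hypothetical GPO, created beforehand

# LLMNR off (Computer Configuration > Administrative Templates > Network > DNS Client)
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
    -ValueName 'EnableMulticast' -Type DWord -Value 0 | Out-Null

# UAC: ConsentPromptBehaviorAdmin 1 = "Prompt for credentials on the secure desktop";
# keep the secure desktop switch and UAC itself enabled as well
$uacKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name $gpoName -Key $uacKey -ValueName 'ConsentPromptBehaviorAdmin' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $uacKey -ValueName 'PromptOnSecureDesktop'      -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $uacKey -ValueName 'EnableLUA'                  -Type DWord -Value 1 | Out-Null

# NetBIOS over TCP/IP: NetbiosOptions 2 = disabled, set per interface. Deploy this
# function as a GPO startup script; it is what that script would execute locally.
function Disable-NetbiosOnAllInterfaces {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    Get-ChildItem $base | Where-Object { $_.PSChildName -like 'Tcpip_*' } | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -Value 2 -Type DWord
    }
}

# Endpoint audit, run after gpupdate: one row per control with a Pass flag.
# $AuthorizedAdmins is the Restricted Groups allow-list (hypothetical names).
function Test-EndpointHardening {
    param(
        [string[]]$AuthorizedAdmins = @(
            'MAHARJAN\Domain Admins',
            'MAHARJAN\SEC_Workstation_Admins',
            "$env:COMPUTERNAME\Administrator"   # built-in local account is expected to remain
        )
    )

    $dns = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -ErrorAction SilentlyContinue
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $nbt = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
           Where-Object { $_.PSChildName -like 'Tcpip_*' } |
           ForEach-Object { (Get-ItemProperty $_.PSPath).NetbiosOptions }
    $admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    $extra  = @($admins | Where-Object { $_ -notin $AuthorizedAdmins })

    [pscustomobject]@{ Control = 'LLMNR disabled';                   Pass = ($dns.EnableMulticast -eq 0); Detail = '' }
    [pscustomobject]@{ Control = 'NetBIOS disabled on all NICs';     Pass = (@($nbt).Count -gt 0 -and -not ($nbt | Where-Object { $_ -ne 2 })); Detail = '' }
    [pscustomobject]@{ Control = 'UAC secure-desktop credentials';   Pass = ($uac.ConsentPromptBehaviorAdmin -eq 1 -and $uac.PromptOnSecureDesktop -eq 1); Detail = '' }
    [pscustomobject]@{ Control = 'Local Administrators allow-listed'; Pass = ($extra.Count -eq 0); Detail = ($extra -join ', ') }
}

# Usage on a workstation: any Fail row names the control to chase with gpresult
Test-EndpointHardening | Format-Table -AutoSize
```

The Detail column of the last row lists any account that is in the local Administrators group but not on the allow-list, which is the finding Restricted Groups is meant to prevent.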
Essential CLI Commands
gpupdate /force # Force immediate refresh
gpresult /r # View summary of applied GPOs
gpresult /h report.html # Generate full HTML diagnostic report