Group Policy Blog

Elevating AD Domain Access With Write Access on the Domain NC Head

With this post and my last post, I guess I’m on a path of finding interesting ways to “break” AD. The last post related to AD denial of service and this one relates to an interesting way to get to privileged access on AD by gaining what would seem to be completely unrelated access on […]

A New, Old Threat: Dealing with AD and Group Policy Information Exposure

Delegation–A Blessing or a Curse? I’ve been wanting to sit down and write this blog post about AD information exposure for a couple of weeks now, and am finally finding the time to do so. For those of you who follow my blog, you know that I posted nearly a year ago after a visit […]

Answering the Boss’s Question–“Can You Prove to Me That Critical Security Setting is on Every Machine?”

With RSA Conference going on this week here in San Francisco, I thought it was timely to talk about Group Policy’s role in securing your Windows environment. Many of you are undoubtedly using Group Policy to deliver security settings, based on industry-standard benchmarks from organizations like CIS or government standards like DISA-STIG. And through that process, how […]

Spiceworld 2015 – Austin, TX!

Hi everyone! I hope you are well and you all had a great summer. I have to admit I’m torn, not quite enough Summer for me (or my kids) but I’m extremely excited to get back into a rhythm and get cranking on some great work this year. We have an amazing year planned at […]

Configuring Event Logs with Group Policy

I was trolling around GP Editor in Windows 8 and found a set of Administrative Template settings that I had not seen before. Interestingly, those settings did indeed exist in Windows 7 (and probably Vista) so it was just me missing them. Prior to those OS releases, if you want to configure Windows Event Logs […]

Cleaning Group Policy When Removing a Machine from the Domain

A recent thread on Mark Minasi’s forum site reminded me of a topic that comes up every once in a while–namely, how do you cleanly remove Group Policy settings from a machine that has been removed from an AD domain. The answer is to avoid the problem in the first place :). The challenge here is […]

Backing up and restoring the Local GPO

Some of you may have seen a Twitter post I did a while back letting folks know about the Security Compliance Manager, which is a tool from Microsoft that lets you manage, edit, report, search and export security templates and baselines. This tool is pretty cool, but it also has a hidden gem in it. […]

On Demand version of the “Securing Desktops…” Webinar available

For those of you who missed the webinar I did yesterday on "Securing Desktops with Group Policy", you can register to view the on-demand version here. If you did attend, thanks for listening! We had a good crowd and lots of good questions!  

Restricted Groups policy

Under the category of "you learn something new every day" I was playing around with some stuff yesterday and finally got a chance to confirm something that someone had posted on the ActiveDir mailing list. We all know about how some policies tattoo the registry. Security policies are typically one of those areas where, if you […]

WPA2 policy support in XP

This topic came up on a newsgroup the other day, prompting me to look around a bit. Basically, MS added support for the newer WPA2 encryption protocol for wireless networks in XP, SP2. This KB article describes the Wireless Client update that you can apply to your XP systems to get them to process those WPA2 policies. But […]