
Using Group Policies to Lock Down user PC's


  • Member
  • 1 posts
  • Joined 07-September 12
  • OS:Server 2008 x64
Server Windows SBS 2008 R2
User Computers: Windows 7

One of our clients is now requiring us to harden (I think is the correct term) our network and user PCs. More specifically our client PCs, I need to find a guide to lock down everything from screen savers to access to the control panel and network tree.

Does anyone know of a reputable site that explains how to do this? Or even a good YouTube video… Also, my supervisor is adamant that I make sure that any group policy put in place will not affect any unintended functions. Which is in itself quite hard, as I know very little about group policies, but I will once again ask for any information the tech community has on this subject.

As always any help is greatly appreciated,





    Gustatus similis pullus

  • Patrons
  • 11,031 posts
  • Joined 09-September 01
  • OS:Windows 10 x64


Microsoft has a utility called Security Compliance Manager (SCM), with baselines that you can download covering all sorts of secure scenarios across different products and operating system combinations. The policies are fully tested and supported by Microsoft, so you should be safe even if you're unsure how some of them work (and if you run into issues, they're supported by Microsoft, so you can always reach out to them without worrying that you've broken something in an unsupported way that's causing it). Be aware that security lockdown can affect functionality, so knowing WHY you're locking things down beyond what is done out of the box is always the best place to start.
MCTS Windows Internals, MCITP Server 2008 EA, MCTS MDT/BDD, MCSE/MCSA Server 2003, Server 2012, Windows 8


  • Member
  • 8 posts
  • Joined 30-August 12
  • OS:Windows 7 x64
Also, if possible, I would personally set up a virtual DC on your PC using NAT and a client to test everything before pushing it out to the network. Some of the GPOs can get unruly even with a good test environment.

It is always best to test them out and watch the rsop.msc / gpresult to see if anything is conflicting or just not working for whatever reason.

This is starting to sound like a diatribe but I want to make sure I steer you in the right direction and not to make some of the same mistakes a lot of us have with GPOs.

Get Group Policy Manager Console (GPMC) for your domain controller if you're on 2003; if you're on 2008 I believe it already comes installed by default.

Also, do not ever change the default domain GPO or the domain GPO. This is just a rule of thumb, as they are basically templates for the DC. I personally make separate GPOs for different things such as servers, client PCs, users, and other various things, keeping in mind that too many GPOs can clog up the user's logon time. This is true for either large GPOs or too many while logging in. You can always alleviate this by writing scripts that run from a GPO after login, but all in all you don't want to affect the user experience too much or you will start getting calls like crazy.

Good luck with the GPO implementing.
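
An added example, not part of the original posts: the workflow suggested in the replies above (a separate GPO, linked only to a test OU, then checked with gpresult) scripted with the GroupPolicy PowerShell module that ships with GPMC/RSAT on Server 2008 R2 and Windows 7. The GPO name, OU path and report folder are hypothetical placeholders, and the four registry-backed settings are only a sample of a screen saver and Control Panel lockdown.

```powershell
# Added example. Run on a DC or admin workstation with GPMC/RSAT installed.
Import-Module GroupPolicy

# Hypothetical names: replace with your own GPO name, test OU and folder.
$GpoName   = 'Client-PC-Lockdown-TEST'
$TestOu    = 'OU=GPO-Test,DC=example,DC=local'
$ReportDir = 'C:\GPO-Reports'

# 1. Create a dedicated GPO; the Default Domain Policy is left untouched.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Client PC lockdown, test only' | Out-Null
}

# 2. User-side settings: password-protected screen saver after 15 minutes.
$desktop = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
foreach ($v in @{ ScreenSaveActive = '1'; ScreenSaverIsSecure = '1';
                  ScreenSaveTimeOut = '900' }.GetEnumerator()) {
    Set-GPRegistryValue -Name $GpoName -Key $desktop `
        -ValueName $v.Key -Type String -Value $v.Value | Out-Null
}

# 3. Block access to Control Panel for users in scope.
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $GpoName -Key $explorer `
    -ValueName NoControlPanel -Type DWord -Value 1 | Out-Null

# 4. Link the GPO to the test OU only, and only if it is not linked yet.
$linked = (Get-GPInheritance -Target $TestOu).GpoLinks |
          Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TestOu -LinkEnabled Yes | Out-Null
}

# 5. Keep a backup and a readable report of exactly what was configured.
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
Backup-GPO -Name $GpoName -Path $ReportDir | Out-Null
Get-GPOReport -Name $GpoName -ReportType Html -Path "$ReportDir\$GpoName.html"

# 6. On a test client, logged on as a test user whose account is in the OU:
#      gpupdate /force
#      gpresult /r /scope user          (applied and filtered-out GPOs)
#      gpresult /h C:\rsop.html /f      (full RSoP report, same data as rsop.msc)
#    To back the change out quickly, disable the link:
#      Set-GPLink -Name $GpoName -Target $TestOu -LinkEnabled No
```

Because these are user settings (HKCU), the test user account, not just the test computer, has to sit in the linked OU for the GPO to show up in the gpresult output.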
