{"id":6436,"date":"2020-02-04T23:05:43","date_gmt":"2020-02-04T23:05:43","guid":{"rendered":"https:\/\/www.n-able.com\/?p=6436"},"modified":"2021-07-13T10:39:19","modified_gmt":"2021-07-13T09:39:19","slug":"token-based-authentication","status":"publish","type":"post","link":"https:\/\/www.n-able.com\/de\/blog\/token-based-authentication","title":{"rendered":"Group Policy Management and Troubleshooting Best Practices"},"content":{"rendered":"<p>Cybersecurity has defined the tech space over the past decade, and\u00a0we don\u2019t anticipate that changing any time soon. It\u2019s likely cybersecurity threats will only get more advanced in 2020 as the digital landscape continues to evolve, and customers will become even more concerned about the security of their devices. Managed services providers (MSPs) will need to make sure their cybersecurity threat and data breach protocols are up to the challenge.<\/p>\n<p>Luckily, we\u2019ve seen a lot of MSPs take big steps in the right direction.\u00a0<a href=\"https:\/\/www.n-able.com\/blog\/two-factor-authentication\">Two-factor authentication (2FA)<\/a>, for example, is a great way for MSPs to encourage their customers to add an additional layer of security to their personal devices. What else can you do to\u00a0<a href=\"https:\/\/www.n-able.com\/blog\/cyber-security-issues\">improve operational security for your customers<\/a>? Regulating user permissions with Microsoft\u2019s Group Policy is a great place to start.<\/p>\n<h3><b>What is Group Policy?<\/b><\/h3>\n<p>Microsoft Group Policy is a network security tool that allows system administrators to implement certain security configurations across all users and all computers within a network. The security policies, configurations, and settings that Group Policy deploys are called Group Policy Objects (GPOs), which can be managed from a specific Group Policy Management Console or command-line interface tool. Even though GPOs can be applied directly from a Windows computer, it\u2019s much more common to do so using Active Directory because you can centrally manage Active Directory-based GPOs as opposed to using a domain controller. Make sure you familiarize yourself with Active Directory before diving into Group Policy\u2014you might find it easier to work with in the long run.<\/p>\n<p>There are three different kinds of GPOs\u2014local Group Policy Objects, non-local Group Policy Objects, and starter Group Policy Objects. You can combine all three of these varieties to create a security policy that fits your customers\u2019 needs, so don\u2019t feel pressured to commit to one type.<\/p>\n<p>Local Group Policy Objects are policy objects that can only be applied to local computers and the users who log in to that computer, and they come preinstalled with Windows computers. Non-local Group Policy Objects, on the other hand, are GPOs that are applied to more than one computer or user, but only if they are linked to Active Directory. Starter Group Policy objects are templates for Group Policy that allow MSPs and sysadmins to build their own preconfigured settings that can be used as the building blocks for policies they want to make in the future.<\/p>\n<h3><b>What can you do with Group Policy?<\/b><\/h3>\n<p>Group Policy can be applied to a variety of different use cases, from implementing a company desktop wallpaper on all computers to making sure that only certain users have access to certain servers. This tool is especially useful for customers with a lot of workstations to maintain or with many employees spread out across the globe. With just a few keystrokes from one centralized location, MSPs can regulate user permissions and make sure everyone has access to what they need\u2014and nothing they don\u2019t.<\/p>\n<p>From a nonsecurity standpoint, you could also:<\/p>\n<ul>\n<li>Assign network printers to certain users so they are prioritized amongst the list of available printers upon login<\/li>\n<li>Set all computer displays to turn off after a certain time of day in order to conserve energy<\/li>\n<li>Specify what home pages pop up when users open their internet browser<\/li>\n<\/ul>\n<p>Aside from enabling quick and easy deployments across hundreds or even thousands of workstations within your domain, how does Group Policy actually work?<\/p>\n<p>Group Policy applies Group Policy Objects to the organizational units (OUs) you have already designated for your system using Active Directory. A standard OU contains domain administrators, domain users, and servers. The GPO settings will apply to everything within the OU, but it is also possible to apply a GPO to only one or two objects within the OU by changing the security filters. It\u2019s important to know that GPOs are applied recursively, meaning that any changes or settings applied to a parent OU will also be applied to sub-OUs and other objects within the domain.<\/p>\n<p>The benefits of Group Policy include, but certainly are not limited to, efficient and centralized management, easy administration, and better\u00a0<a href=\"https:\/\/www.n-able.com\/blog\/password-management?promo=blog\">password management<\/a>\u00a0and enforcement. You need to set, maintain, and enforce strict password management policies in order to keep your customers\u2019 networks safe\u2014but that can be hard to do across a lot of users and computers without the right tools. With Group Policy, you can predetermine password length and other requirements so you never have to worry about whether or not all the users within the domain are employing password management best practices.<\/p>\n<p>However, Group Policy Objects do come with some technical limitations. These limitations shouldn\u2019t be deal breakers for MSPs, but they are still worth taking into account. GPOs have to process actions in sequential order\u2014local, site, domain, then organizational unit. Thus, configuring multiple GPOs can cause a bottleneck, which can negatively impact end-user experience. GPOs cannot react to sudden changes in the domain environment like network outages because they are programmed to only make changes upon startup, login, or at set intervals. You also can\u2019t search for specific settings within a GPO, which can make GPO troubleshooting difficult. Despite these limitations, Group Policy still brings tremendous security benefits and can help ensure MSPs are helping their customers to the best of their ability.<\/p>\n<h3><b>Group Policy best practices<\/b><\/h3>\n<p>Group Policy troubleshooting becomes trickier if you have multiple GPOs spread out across an entire environment. When your customers\u2019 confidential information and overall data breach preparedness are at stake, you must make sure that you\u2019re doing everything you can to get the most out of Group Policy.<\/p>\n<p>To help MSPs, we\u2019ve compiled a list of the top seven Group Policy best practices for 2020. Keep in mind that every Group Policy configuration and Active Directory environment is different, so as you become more comfortable with the technology you\u2019ll be able to determine exactly what works best for you and your customers. Our most tried-and-true Group Policy best practices provide a strong starting point for you to supplement with your own findings.<\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li><em>GPO Best Practice #1: Don\u2019t set GPOs at the domain level<\/em>Remember that GPO settings will populate to anything and everything within the domain. If you configure GPOs at the domain level, you might end up applying settings to objects you didn\u2019t intend to. It\u2019s safer to apply your settings at a more granular level and make changes as you go along, rather than applying them across the board and retroactively trying to fix your work when problems arise. The only GPO setting that should be applied at the domain level is the Default Domain Policy.<\/li>\n<li><em>GPO Best Practice #2: Apply GPOs to OUs at the root level<\/em>A GPO\u2019s recursive structure works in your favor when it comes to working with OUs. In this scenario, you want sub-OUs to inherit the policies from the parent OU, and you don\u2019t want to link each policy to an OU individually. Feel free to apply GPOs in broad strokes here. If you have computers or users you don\u2019t want to inherit a setting, you can isolate them in their own OU and apply a specific policy directly to it.<\/li>\n<li><em>GPO Best Practice #3: Make sure you\u2019re using a solid OU structure<\/em>Group Policy management and troubleshooting gets complicated when your OUs aren\u2019t ordered in a logical manner in Active Directory. How exactly you go about this is up to you, but never mix different types of AD objects within the same OU. Instead, try to break out computers and users into their own OUs and then make sub-OUs for different uses and departments.<\/li>\n<li><em>GPO Best Practice #4: Integrate change management with Group Policy<\/em>It\u2019s extremely important to find a way to keep track of the changes made with Group Policy. Ensuring that only certain people have system administrator access to make changes to GPOs can help reduce confusion, but it can still be hard to keep track of changes because standard logging won\u2019t tell you which settings have been changed and how. It\u2019s not feasible to set off an entire change management chain reaction for each change, but MSPs should at least set up email alerts for critical GPOs.<\/li>\n<li><em>GPO Best Practice #5: Break down GPOs into smaller chunks<\/em>An argument can be made for using one large GPO in your domain, but that approach often does more harm than good. Although loading many small GPOs takes a little more time to load, that\u2019s a small price to pay for easier troubleshooting, implementation, and design. Try breaking down GPOs into Security Settings, Network Settings, and Browser settings to start.<\/li>\n<li><em>GPO Best Practice #6: Don\u2019t disable GPOs<\/em>Permanently disabling a GPO will remove the setting from your entire environment, which could be a problem if that particular GPO is doing just fine in another OU. Instead, delete the particular troublesome GPO link from the OU instead of disabling the GPO altogether.<\/li>\n<li><em>GPO Best Practice #7: Use descriptive or creative GPO names<\/em>Don\u2019t underestimate the power of having easily identifiable GPO names. Avoid generic GPO names like \u201cpc settings\u201d and opt for more descriptive names that reference what the GPO is being used for\u2014not what the GPO is being linked to. Need a suggestion? Use the \u201cU_\u201d prefix in the GPO name for policies that will be applied to user accounts, \u201cC_\u201d for computer accounts, and \u201cCU_\u201d for both.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><b>For more information on Group Policy and Active Directory read through our\u00a0<a class=\"ext\" href=\"https:\/\/hermes.n-able.com\/blog\/search?keywords=%22active%20directory%22\" target=\"_blank\" rel=\"noopener noreferrer\">related blog articles<\/a>.\u00a0<\/b><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Learn what common group policy best practices you can implement to ensure your end users have appropriate permissions for their environment.<\/p>\n","protected":false},"author":24,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"class_list":["post-6436","post","type-post","status-publish","format-standard","hentry","topic-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.2 (Yoast SEO v27.2) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Group Policy Management and Troubleshooting Best Practices - N-able<\/title>\n<meta name=\"description\" content=\"Learn what common group policy best practices you can implement to ensure your end users have appropriate permissions for their environment.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.n-able.com\/de\/blog\/token-based-authentication\" \/>\n<meta property=\"og:locale\" content=\"de_DE\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Group Policy Management and Troubleshooting Best Practices - N-able\" \/>\n<meta property=\"og:description\" content=\"Learn what common group policy best practices you can implement to ensure your end users have appropriate permissions for their environment.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.n-able.com\/de\/blog\/token-based-authentication\" \/>\n<meta property=\"og:site_name\" content=\"N-able\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/NableMSP\" \/>\n<meta property=\"article:published_time\" content=\"2020-02-04T23:05:43+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-07-13T09:39:19+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.n-able.com\/wp-content\/uploads\/2021\/03\/share-image.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"630\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"N-able\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@Nable\" \/>\n<meta name=\"twitter:site\" content=\"@Nable\" \/>\n<meta name=\"twitter:label1\" content=\"Verfasst von\" \/>\n\t<meta name=\"twitter:data1\" content=\"N-able\" \/>\n\t<meta name=\"twitter:label2\" content=\"Gesch\u00e4tzte Lesezeit\" \/>\n\t<meta name=\"twitter:data2\" content=\"7\u00a0Minuten\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.n-able.com\/de\/blog\/token-based-authentication#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.n-able.com\/de\/blog\/token-based-authentication\"},\"author\":{\"name\":\"N-able\",\"@id\":\"https:\/\/www.n-able.com\/de#\/schema\/person\/f46a000e389b6d02bd4b3866e7828a7b\"},\"headline\":\"Group Policy Management and Troubleshooting Best Practices\",\"datePublished\":\"2020-02-04T23:05:43+00:00\",\"dateModified\":\"2021-07-13T09:39:19+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.n-able.com\/de\/blog\/token-based-authentication\"},\"wordCount\":1600,\"publisher\":{\"@id\":\"https:\/\/www.n-able.com\/de#organization\"},\"articleSection\":[\"Security\"],\"inLanguage\":\"de\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.n-able.com\/de\/blog\/token-based-authentication\",\"url\":\"https:\/\/www.n-able.com\/de\/blog\/token-based-authentication\",\"name\":\"Group Policy Management and Troubleshooting Best Practices - N-able\",\"isPartOf\":{\"@id\":\"https:\/\/www.n-able.com\/de#website\"},\"datePublished\":\"2020-02-04T23:05:43+00:00\",\"dateModified\":\"2021-07-13T09:39:19+00:00\",\"description\":\"Learn what common group policy best practices you can implement to ensure your end users have appropriate permissions for their environment.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.n-able.com\/de\/blog\/token-based-authentication#breadcrumb\"},\"inLanguage\":\"de\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.n-able.com\/de\/blog\/token-based-authentication\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.n-able.com\/de\/blog\/token-based-authentication#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Security\",\"item\":\"https:\/\/www.n-able.com\/de\/blog\/category\/security\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Group Policy Management and Troubleshooting Best Practices\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.n-able.com\/de#website\",\"url\":\"https:\/\/www.n-able.com\/de\",\"name\":\"N-able\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.n-able.com\/de#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.n-able.com\/de?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"de\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.n-able.com\/de#organization\",\"name\":\"N-able\",\"url\":\"https:\/\/www.n-able.com\/de\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"de\",\"@id\":\"https:\/\/www.n-able.com\/de#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.n-able.com\/wp-content\/uploads\/2021\/02\/logo-n-able-vertical-dark.svg\",\"contentUrl\":\"https:\/\/www.n-able.com\/wp-content\/uploads\/2021\/02\/logo-n-able-vertical-dark.svg\",\"width\":\"1024\",\"height\":\"1024\",\"caption\":\"N-able\"},\"image\":{\"@id\":\"https:\/\/www.n-able.com\/de#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/NableMSP\",\"https:\/\/x.com\/Nable\",\"https:\/\/www.linkedin.com\/company\/n-able\",\"https:\/\/www.youtube.com\/channel\/UClnp77HHg4aME-S-3fWQhFw\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.n-able.com\/de#\/schema\/person\/f46a000e389b6d02bd4b3866e7828a7b\",\"name\":\"N-able\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"de\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/e9c468b7c98137ecdd5508befa660c205a7978133257080a37fb0b1362d53411?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/e9c468b7c98137ecdd5508befa660c205a7978133257080a37fb0b1362d53411?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/e9c468b7c98137ecdd5508befa660c205a7978133257080a37fb0b1362d53411?s=96&d=mm&r=g\",\"caption\":\"N-able\"}}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Group Policy Management and Troubleshooting Best Practices - N-able","description":"Learn what common group policy best practices you can implement to ensure your end users have appropriate permissions for their environment.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.n-able.com\/de\/blog\/token-based-authentication","og_locale":"de_DE","og_type":"article","og_title":"Group Policy Management and Troubleshooting Best Practices - N-able","og_description":"Learn what common group policy best practices you can implement to ensure your end users have appropriate permissions for their environment.","og_url":"https:\/\/www.n-able.com\/de\/blog\/token-based-authentication","og_site_name":"N-able","article_publisher":"https:\/\/www.facebook.com\/NableMSP","article_published_time":"2020-02-04T23:05:43+00:00","article_modified_time":"2021-07-13T09:39:19+00:00","og_image":[{"width":1200,"height":630,"url":"https:\/\/www.n-able.com\/wp-content\/uploads\/2021\/03\/share-image.jpg","type":"image\/jpeg"}],"author":"N-able","twitter_card":"summary_large_image","twitter_creator":"@Nable","twitter_site":"@Nable","twitter_misc":{"Verfasst von":"N-able","Gesch\u00e4tzte Lesezeit":"7\u00a0Minuten"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.n-able.com\/de\/blog\/token-based-authentication#article","isPartOf":{"@id":"https:\/\/www.n-able.com\/de\/blog\/token-based-authentication"},"author":{"name":"N-able","@id":"https:\/\/www.n-able.com\/de#\/schema\/person\/f46a000e389b6d02bd4b3866e7828a7b"},"headline":"Group Policy Management and Troubleshooting Best Practices","datePublished":"2020-02-04T23:05:43+00:00","dateModified":"2021-07-13T09:39:19+00:00","mainEntityOfPage":{"@id":"https:\/\/www.n-able.com\/de\/blog\/token-based-authentication"},"wordCount":1600,"publisher":{"@id":"https:\/\/www.n-able.com\/de#organization"},"articleSection":["Security"],"inLanguage":"de"},{"@type":"WebPage","@id":"https:\/\/www.n-able.com\/de\/blog\/token-based-authentication","url":"https:\/\/www.n-able.com\/de\/blog\/token-based-authentication","name":"Group Policy Management and Troubleshooting Best Practices - N-able","isPartOf":{"@id":"https:\/\/www.n-able.com\/de#website"},"datePublished":"2020-02-04T23:05:43+00:00","dateModified":"2021-07-13T09:39:19+00:00","description":"Learn what common group policy best practices you can implement to ensure your end users have appropriate permissions for their environment.","breadcrumb":{"@id":"https:\/\/www.n-able.com\/de\/blog\/token-based-authentication#breadcrumb"},"inLanguage":"de","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.n-able.com\/de\/blog\/token-based-authentication"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.n-able.com\/de\/blog\/token-based-authentication#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Security","item":"https:\/\/www.n-able.com\/de\/blog\/category\/security"},{"@type":"ListItem","position":2,"name":"Group Policy Management and Troubleshooting Best Practices"}]},{"@type":"WebSite","@id":"https:\/\/www.n-able.com\/de#website","url":"https:\/\/www.n-able.com\/de","name":"N-able","description":"","publisher":{"@id":"https:\/\/www.n-able.com\/de#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.n-able.com\/de?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"de"},{"@type":"Organization","@id":"https:\/\/www.n-able.com\/de#organization","name":"N-able","url":"https:\/\/www.n-able.com\/de","logo":{"@type":"ImageObject","inLanguage":"de","@id":"https:\/\/www.n-able.com\/de#\/schema\/logo\/image\/","url":"https:\/\/www.n-able.com\/wp-content\/uploads\/2021\/02\/logo-n-able-vertical-dark.svg","contentUrl":"https:\/\/www.n-able.com\/wp-content\/uploads\/2021\/02\/logo-n-able-vertical-dark.svg","width":"1024","height":"1024","caption":"N-able"},"image":{"@id":"https:\/\/www.n-able.com\/de#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/NableMSP","https:\/\/x.com\/Nable","https:\/\/www.linkedin.com\/company\/n-able","https:\/\/www.youtube.com\/channel\/UClnp77HHg4aME-S-3fWQhFw"]},{"@type":"Person","@id":"https:\/\/www.n-able.com\/de#\/schema\/person\/f46a000e389b6d02bd4b3866e7828a7b","name":"N-able","image":{"@type":"ImageObject","inLanguage":"de","@id":"https:\/\/secure.gravatar.com\/avatar\/e9c468b7c98137ecdd5508befa660c205a7978133257080a37fb0b1362d53411?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/e9c468b7c98137ecdd5508befa660c205a7978133257080a37fb0b1362d53411?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/e9c468b7c98137ecdd5508befa660c205a7978133257080a37fb0b1362d53411?s=96&d=mm&r=g","caption":"N-able"}}]}},"_links":{"self":[{"href":"https:\/\/www.n-able.com\/de\/wp-json\/wp\/v2\/posts\/6436","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.n-able.com\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.n-able.com\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.n-able.com\/de\/wp-json\/wp\/v2\/users\/24"}],"replies":[{"embeddable":true,"href":"https:\/\/www.n-able.com\/de\/wp-json\/wp\/v2\/comments?post=6436"}],"version-history":[{"count":0,"href":"https:\/\/www.n-able.com\/de\/wp-json\/wp\/v2\/posts\/6436\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.n-able.com\/de\/wp-json\/wp\/v2\/media?parent=6436"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}