GPO — Group Policy Objects

Ordre dapplication LSDOU  dernier appliqu  prioritaire 
  1 Local LGPO  sur la machine
  2 Site
  3 Domain
  4 OU de la racine vers la feuille
Rgles de conflit 
   Computer Configuration > User Configuration
   Bloc dhritage Block Inheritance empche les GPOs parents
   Enforced No Override ignore le bloc dhritage

# Rafraîchir les GPO (forcer l'application)
gpupdate /force
gpupdate /force /boot   # nécessite un redémarrage
# Voir les GPO appliquées
gpresult /r
gpresult /h C:\gpo-report.html    # rapport HTML complet
gpresult /scope Computer /v       # détail ordinateur
gpresult /scope User /v           # détail utilisateur
gpresult /user {{USER}} /r        # pour un autre utilisateur (admin)
# Modélisation (RSOP)
rsop.msc    # GUI

Import-Module GroupPolicy
# Lister toutes les GPO
Get-GPO -All | Select DisplayName, GpoStatus, CreationTime
# Créer une GPO
New-GPO -Name "Security-Baseline-Workstations"
# Lier une GPO à une OU
New-GPLink -Name "Security-Baseline-Workstations" `
           -Target "OU=Workstations,DC=corp,DC=lan"
# Activer / désactiver
Set-GPLink -Name "Security-Baseline-Workstations" `
           -Target "OU=Workstations,DC=corp,DC=lan" `
           -LinkEnabled Yes
# Rapport d'une GPO
Get-GPOReport -Name "Security-Baseline-Workstations" -ReportType HTML -Path C:\report.html
# Backup / Restore
Backup-GPO -Name "Security-Baseline" -Path C:\GPO-Backups
Restore-GPO -Name "Security-Baseline" -Path C:\GPO-Backups
Backup-GPO -All -Path C:\GPO-Backups   # toutes les GPO

Configuration Computer > Windows Settings > Security Settings > Account Policies > Password Policy
Paramtres recommands 
 Minimum password length  14
 Password complexity  Enabled
 Maximum password age  90 days
 Minimum password age  1 day
 Password history  24
 Store passwords using reversible encryption  Disabled

Account Lockout Policy 
 Account lockout threshold  5
 Account lockout duration  15 minutes
 Reset account lockout counter  15 minutes

Computer Config > Admin Templates > Network > Lanman Workstation
   Enable insecure guest logons  Disabled
Computer Config > Windows Settings > Security Settings > Local Policies > Security Options
   Network security LAN Manager authentication level  
    "Send NTLMv2 response only. Refuse LM & NTLM"
   Network security Minimum session security NTLM SSP  
    "Require NTLMv2 session security, Require 128-bit encryption"

Computer Config > Windows Settings > Security Settings > Advanced Audit Policy
Recommand 
 Account Logon      Success Failure
 Account Management Success Failure
 Logon/Logoff       Success Failure
 Object Access      Failure
 Policy Change      Success
 Privilege Use      Failure
 System             Success Failure

# Appliquer une GPO seulement à certains groupes (Security Filtering)
# Par défaut : Authenticated Users
# Retirer Authenticated Users
Set-GPPermissions -Name "GPO-Admins-Only" `
    -TargetName "Authenticated Users" `
    -TargetType Group `
    -PermissionLevel None
# Ajouter un groupe spécifique
Set-GPPermissions -Name "GPO-Admins-Only" `
    -TargetName "IT-Admins" `
    -TargetType Group `
    -PermissionLevel GpoApply

# Voir les erreurs d'application GPO
Get-WinEvent -FilterHashtable @{LogName='System'; Source='Group Policy'} -MaxEvents 20
# Tester sans appliquer (mode planning)
Get-GPResultantSetOfPolicy -Computer {{TARGET}} -User {{USER}} `
    -Mode Planning -ReportType HTML -Path C:\rsop.html
# GPO non appliquée — vérifier
# 1. Le lien est-il activé ?
Get-GPLink -All
# 2. Le filtrage de sécurité est-il correct ?
Get-GPPermissions -Name "Ma-GPO" -All
# 3. WMI filter actif ?
(Get-GPO -Name "Ma-GPO").WmiFilter