This is a set of logically grouped Group Policy Objects designed for import into Active Directory. These policies can be used on existing infrastructure, but they are designed for use during the initial deployment of domain infrastructure.
Security policies in OrgKit are fairly modern and may block access to aging or misconfigured network devices like SAN or NAS appliances. Please understand the individual security settings before using them.
With over 12000 individual policies to select from and innumerable ways to approach the task, fully implementing a managed environment with Group Policy can be a large undertaking.
For this reason, every company's configuration becomes bespoke, based on administrator preferences, and only fully supportable by those administrators. There is no durable, comprehensive public baseline of Group Policy. Although considerably older than modern management tools, Group Policy still has no reasonable and supportable replacement, and it is indispensable to the durable network.
Group Policy's incredible power also means most organizations have admins who are afraid to, or prevented from, fully exploring and utilizing it. OrgKit's mission is to be a referenceable public proof of a highly-detailed implementation, rather than a listing of best-practices and what-ifs.
You will need to review and then assign each Group Policy to the appropriate OUs yourself.
Certain GPOs may require additional customization for them to function in your environment. For example, you may need to put in your Office365 Tenant GUID for certain OneDrive restrictions to be properly assigned.
Do not edit the default Group Policies
This design goes against the common advice to keep the number of Group Policy Objects as low as possible. There is a real risk here, as administrators may not understand the complex interplay of precedence and the full end result of their selections. However, this reflects my personal preference for maintaining a domain with logical separation of settings. It allows whole categories of settings to be withheld from test machines and limits the scope of each change approval. Change processes in large organizations inform many of the decisions behind this heavy segmentation of settings across many Group Policy Objects.
With the (general) separation of User and Computer policies, this design leaves open the option for Group Policy Loopback Processing in training lab environments.
Most policy comments will include a unique identifier called 'OrgKitID'. This allows you to quickly identify a policy and its current recommended status via web search.
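To support the review step before linking, here is an added PowerShell inventory script (not part of OrgKit) that walks a folder of Backup-GPO output, resolves each policy comment from the backup's comment.cmtx string table, and lists the OrgKitID found in it. The backup root path, the "OrgKitID" token pattern used to extract the identifier, and the layout of one {GUID} folder per GPO with DomainSysvol\GPO\Machine|User\comment.cmtx and gpreport.xml are assumptions.

```powershell
# Added example, not OrgKit's own code: inventory OrgKitID comments across GPO backups.
# Assumptions: $BackupRoot holds Backup-GPO output (one {GUID} folder per GPO); policy
# comments live in DomainSysvol\GPO\{Machine,User}\comment.cmtx; comment text carries the
# token "OrgKitID" followed by the identifier (the regex below is an assumed format).
param([string]$BackupRoot = 'C:\OrgKit\GPO')

function Resolve-CmtxComments {
    param([string]$CmtxPath)
    [xml]$doc = Get-Content -LiteralPath $CmtxPath -Raw
    # comment.cmtx stores text indirectly: commentText="$(resource.<id>)" points into a string table
    $strings = @{}
    foreach ($s in $doc.policyComments.resources.stringTable.string) {
        $strings[$s.id] = $s.'#text'
    }
    foreach ($c in $doc.policyComments.comments.admTemplate.comment) {
        $text = $c.commentText
        if ($text -match '^\$\(resource\.(.+)\)$') { $text = $strings[$Matches[1]] }
        [pscustomobject]@{ PolicyRef = $c.policyRef; Comment = $text }
    }
}

$results = foreach ($cmtx in Get-ChildItem -LiteralPath $BackupRoot -Recurse -Filter comment.cmtx) {
    $scope     = $cmtx.Directory.Name                    # Machine or User
    $backupDir = $cmtx.Directory.Parent.Parent.Parent    # the {GUID} backup folder
    $gpoName   = $backupDir.Name
    # Prefer the display name from gpreport.xml when the backup contains one
    $report = Join-Path $backupDir.FullName 'gpreport.xml'
    if (Test-Path -LiteralPath $report) {
        [xml]$r = Get-Content -LiteralPath $report -Raw
        if ($r.GPO.Name) { $gpoName = $r.GPO.Name }
    }
    foreach ($entry in Resolve-CmtxComments -CmtxPath $cmtx.FullName) {
        # Settings without an OrgKitID are reported as '(none)' so they stand out during review
        $id = if ($entry.Comment -match 'OrgKitID\W*([A-Za-z0-9-]+)') { $Matches[1] } else { '(none)' }
        [pscustomobject]@{ GPO = $gpoName; Scope = $scope; Policy = $entry.PolicyRef; OrgKitID = $id }
    }
}

$results | Sort-Object GPO, Scope, Policy | Format-Table -AutoSize
```

Run it against the extracted OrgKit backups before any Import-GPO; the table gives you the identifier to search for each setting you are about to accept or exclude.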
Note: This is a roadmap vision and does not list the GPOs currently available.
Settings for Chrome and Firefox.
Settings for Edge.
Settings for Internet Explorer.
Settings for Firefox.
Settings for Windows Defender on the client. This should not be disabled, even if a different antivirus is installed: when a third-party antivirus is present, Defender disables itself automatically. Defender should never be administratively disabled.
OrgKitGpoId: f77e39ce-afae-4705-b2f6-43b15ab8ad86
User experience settings for Office.
Security settings for Office.
Windows audit security settings.
Applied to the 'Domain Users' and 'Domain Computer' OUs. Allows designated Helpdesk Engineers to add new "quick-fix engineering" changes to Group Policy without having the power to edit the primary policies, which remain under the final engineering control of Windows System Engineers.
Settings which configure maintenance tasks and run periodic tasks on client machines to maintain them.
A limited set of domain-wide settings which are required for all machines. Things such as enabling a minimum protocol negotiation level.
Domain Controllers security settings and configuration for communicating with clients.
Domain Controllers policy which will be applied to a subset of domain controllers first, for incremental testing.
Domain Controller-specific Active Directory and system integrity auditing settings, plus log forwarding, all of which are much more stringent than on a normal server or client PC.
Servers may need specialized antivirus settings due to performance concerns and troubleshooting, so this policy is separated out.
Controls 'Microsoft Local Administrator Password Solution' deployed to client machines. See https://technet.microsoft.com/en-us/mt227395.aspx and https://www.starwindsoftware.com/blog/deploying-microsoft-laps