Group Policy Resources for IT Security

Information Assurance (IA) provides a collection of Windows Active Directory (AD) Group Policy Objects (GPOs) (U-M login required). Use them as a starting point for securing computers connected to AD (UMROOT), as well as AD user accounts. GPOs are provided "as-is" as templates for system administrators to use as a guide for creating their own policies. They may be helpful in meeting the IA-recommended CIS-CAT score of 80% and/or the expectations listed in the Minimum Information Security Requirements for U-M information systems.

Use of these GPOs does not guarantee compliance with U-M IT security policies and standards or other contractual and regulatory requirements. You are responsible for performing assessments of your systems to ensure compliance.

Prerequisites for Using IA-Provided GPOs

To use these GPOs, members of the U-M community need to:

  • Have a U-M uniqname and UMICH (Level-1) password to access the list of GPOs.
  • Have an AD account to view the GPOs in AD (UMROOT).
  • Have an Organizational Unit in AD in which you have the right to create, link, and edit GPOs. Contact your departmental IT staff if you need assistance with tasks in Active Directory.

Best Practices for Using IA-Provided GPOs

  • Link to the GPOs only for testing purposes. If you have computers you would like to test the GPOs on, link the GPOs directly to them. Test the important functionality of any system you link them to, such as key applications, connectivity, or access to data.
  • Do not link the GPOs to production computers. These GPOs are subject to change or deletion without notice, and may cause unintended problems with some systems.
  • Make a copy of the GPOs for your own use and editing. Use Backup (on the source GPO) and Import (on a new GPO in your OU) to create your own copy of any IA-provided GPO you wish to use for more than short-term testing. Copy the GPO settings to a new GPO linked to your OU, and make any edits there.
  • Update any Windows Management Instrumentation (WMI) filters that may apply to your system(s). If you are using WMI filters to help govern how settings are applied in your Windows environment, be aware that you need to create, adjust, add or remove them yourself when you create your copies of these GPOs.
  • Run GPUPDATE.exe /force, then reboot your system.
  • Re-run CIS-CAT. IA recommends that you use CIS-CAT to benchmark your systems, and that you run it before and after applying these (or any) GPOs to your Windows systems.
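
The copy-and-test workflow above can be scripted with the GroupPolicy PowerShell module (installed with RSAT). The following is an added example, not IA-provided code. The GPO names, OU distinguished name, and backup folder are hypothetical placeholders, and it assumes your test computers sit in a dedicated test OU that you control.

```powershell
#Requires -Modules GroupPolicy
# Placeholders (hypothetical): take the source name from the IA GPO list,
# and use an OU where you have rights to create, link, and edit GPOs.
$SourceGpo = '<IA-GPO-NAME>'                      # IA-provided GPO to copy
$TargetGpo = '<YOUR-UNIT>-Baseline-Test'          # your own editable copy
$TestOu    = 'OU=<TEST-OU>,OU=<YOUR-OU>,DC=<...>' # OU holding test computers only
$BackupDir = Join-Path $env:TEMP 'ia-gpo-backup'

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Do not overwrite a GPO that already exists under the target name.
if (Get-GPO -Name $TargetGpo -ErrorAction SilentlyContinue) {
    throw "GPO '$TargetGpo' already exists; choose another name."
}

# 1. Backup (on the source GPO).
$backup = Backup-GPO -Name $SourceGpo -Path $BackupDir -Comment "Copy of $SourceGpo"

# 2. Import (into a new GPO that you own and can edit).
$copy = Import-GPO -BackupId $backup.Id -Path $BackupDir `
                   -TargetName $TargetGpo -CreateIfNeeded

# 3. Show which WMI filter the source uses, so you can create or adjust
#    your own filter for the copy where one is needed.
$wmi = (Get-GPO -Name $SourceGpo).WmiFilter
if ($wmi) {
    Write-Warning "Source GPO uses WMI filter '$($wmi.Name)'; review it for your copy."
}

# 4. Save a settings report to review before anything is linked.
$report = Join-Path $BackupDir "$TargetGpo.html"
Get-GPOReport -Guid $copy.Id -ReportType Html -Path $report

# 5. Link the copy to the test OU only, never to production.
New-GPLink -Guid $copy.Id -Target $TestOu -LinkEnabled Yes | Out-Null
Write-Output "Linked '$TargetGpo' to $TestOu. Report: $report"

# 6. On each test computer, apply the policy and reboot:
#      gpupdate.exe /force
#      Restart-Computer
#    Then re-run CIS-CAT and compare with the pre-GPO score.
```

Run the script from a domain-joined workstation under the AD account that holds the delegated rights on your OU.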

You are welcome to customize the GPOs yourself to meet the particular needs of your unit or project. If you have comments or suggestions for general improvement of the GPOs, you can contact IA through the ITS Service Center.

Access the list of IA GPOs in Google Docs. (U-M login required)