Windows GPO Reference
A complete reference of Microsoft Windows Group Policies: a searchable database of GPO settings with registry paths, supported Windows versions, configuration steps, security implications and concrete use cases. Designed for administrators managing Active Directory, Intune and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a Windows configuration setting that defines the behavior of computers and user accounts. Each policy maps to one or more registry values, applies to a specific scope (Computer or User) and is delivered in an ADMX (administrative template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings and operational guidance not found on the official Microsoft Learn pages.
Prevent access to Safe Mode
Blocks access to Safe Mode boot options. Prevents unauthorized troubleshooting on MSP-managed systems.
Computer Configuration > Administrative Templates > System > Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Enable disk quotas
Enables disk quota enforcement on NTFS volumes. Essential for MSPs managing shared storage and preventing runaway disk usage.
Computer Configuration > Administrative Templates > System > Disk Quotas
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Set default disk quota limit
Establishes a default 1 GB quota per user. Allows MSPs to standardize storage allocation across organizations.
Computer Configuration > Administrative Templates > System > Disk Quotas
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Log event when quota threshold exceeded
Logs warning events when a user approaches the quota. Enables MSP monitoring of disk usage patterns.
Computer Configuration > Administrative Templates > System > Disk Quotas
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Disable lock screen
Disables the Windows lock screen. Setting it to 1 goes directly to the login screen. MSPs use this on kiosk systems to speed up boot.
User Configuration > Administrative Templates > Control Panel > Personalization
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Log event when quota limit exceeded
Logs critical events when the quota is exceeded. Allows MSPs to track quota violations.
Computer Configuration > Administrative Templates > System > Disk Quotas
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Deny disk space to users exceeding quota
Prevents writes when a user exceeds the quota. Strictly enforces storage limits for MSP-managed systems.
Computer Configuration > Administrative Templates > System > Disk Quotas
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Allow administrators to exceed quota limits
Exempts administrators from quota limits. Ensures MSP administrators can perform necessary operations.
Computer Configuration > Administrative Templates > System > Disk Quotas
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Domain Controller: LDAP server signing requirements
Enforces LDAP signing requirements on domain controllers to prevent man-in-the-middle attacks. Setting it to 2 requires signing. Critical for MSPs securing client Active Directory environments from credential interception.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Extended Protection for Authentication: Require channel binding
Enforces Extended Protection for Authentication on LDAP connections. Prevents attackers from stealing LDAP credentials through man-in-the-middle attacks. Critical for MSPs managing sensitive client networks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Remove context menu items
Removes the context menu from the desktop. Setting it to 1 disables right-click menus. MSPs use this to simplify kiosk user interfaces.
User Configuration > Administrative Templates > Desktop
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
LDAP client signing requirements
Configures client-side LDAP signing to negotiate signing with LDAP servers. Setting it to 1 requires signing when available. Prevents credential theft in the hybrid and cloud scenarios MSPs manage.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
LDAP channel binding token requirements
Enforces LDAP channel binding on domain controllers to prevent LDAP relay attacks. Setting it to 2 enforces channel binding requirements. Essential for MSPs protecting against modern authentication attacks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Network access: Restrict anonymous enumeration of SAM accounts
Prevents anonymous users from enumerating the SAM database. Setting it to 1 blocks enumeration. Essential for MSPs preventing account discovery attacks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
LDAP Signing: Negotiate signing
Enables LDAP clients to negotiate signing with servers. Setting it to 1 enables negotiation; 2 requires it. Provides flexibility for gradual deployment across managed environments.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Domain Controller: Refuse machine account password changes
Controls whether domain controllers refuse machine account password changes. Keep at 0 to allow legitimate password rotation. Important for MSPs managing domain security without disrupting trust relationships.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
LDAP: Maximum concurrent connections
Limits concurrent LDAP connections to domain controllers. Set to 0 for unlimited. MSPs use this to prevent DoS attacks on directory services during client migrations and queries.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
LDAP over SSL/TLS requirement
Enables LDAP over SSL/TLS on domain controllers. The standard port 636 encrypts all LDAP traffic. Essential for MSPs securing directory queries over untrusted networks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
LDAP: Enable referral chasing
Controls LDAP referral chasing behavior. Setting it to 0 disables automatic referral following. MSPs disable this to prevent information disclosure and credential exposure.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Network access: Shares that can be accessed anonymously
Lists shares accessible via NULL sessions. MSPs keep this empty to prevent anonymous share enumeration and data exposure.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Network security: Disable SMBv1
Disables the legacy SMBv1 protocol. Setting it to 0 completely disables SMBv1. Critical for MSPs eliminating WannaCry/NotPetya attack vectors from client networks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Microsoft network server: Digitally sign communications (always)
Requires SMB signing on all connections. Setting it to 1 enforces signing. Essential for MSPs preventing man-in-the-middle attacks on SMB shares.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Network access: Let Everyone permissions apply to anonymous users
Controls whether anonymous users inherit Everyone permissions. Keep at 0 to deny anonymous access. Critical for MSPs preventing unauthenticated enumeration.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Network Access: UNC Hardened Access (domain systems)
Restricts anonymous NULL session access to UNC paths. Setting it to 1 requires authentication. Essential for MSPs blocking WMIEXEC and similar attacks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
