Référence GPO Windows
Une référence complète des stratégies de groupe Microsoft Windows — base de données interrogeable des paramètres GPO avec chemins de registre, versions Windows supportées, étapes de configuration, implications sécurité et cas d'usage concrets. Pensée pour les administrateurs gérant Active Directory, Intune et Windows en autonome.
Qu'est-ce qu'une stratégie de groupe ?
Un objet de stratégie de groupe (GPO) est un paramètre de configuration Windows qui définit le comportement des ordinateurs et des comptes utilisateurs. Chaque stratégie correspond à une ou plusieurs valeurs de registre, s'applique à une portée précise (Ordinateur ou Utilisateur) et est livrée dans un fichier ADMX (modèle administratif). Cette référence indexe le catalogue ADMX de Microsoft avec des explications détaillées, des correspondances de registre et des conseils opérationnels qu'on ne trouve pas sur les pages officielles Microsoft Learn.
Logon message banner text
Defines legal notice displayed at connexion. Essential for MSP legal compliance and accès stratégies.
Computer Configuration > Administrative Templates > Windows Components > Windows Logon Options
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Smart card removal behavior
Locks workstation when smart card is removed. Critical for MSPs using smart card authentification.
Computer Configuration > Administrative Templates > Windows Components > Smart Card
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Number of previous logons to cache
Limits cached credentials to 1 for offline connexion. Reduces credential exposure for MSP mobile utilisateurs.
Computer Configuration > Administrative Templates > System > Logon
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Enable forced logoff when logon hours expire
Disconnects utilisateurs when connexion heures expire. Applique accès control stratégies for MSP-managed networks.
Computer Configuration > Administrative Templates > System > Logon
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Display verbose status messages during logon
Shows detailed connexion messages for troubleshooting. Helps MSP technicians diagnose authentification issues.
Computer Configuration > Administrative Templates > System > Logon
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Disable automatic restart after logon
Empêche automatic connexion après système restart. Ensures manual authentification for security-sensitive MSP environments.
Computer Configuration > Administrative Templates > System > Logon
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Require domain controller authentication for cached logons
Forces revalidation with domaine controller. Empêche replay attaques on cached credentials in MSP networks.
Computer Configuration > Administrative Templates > System > Logon
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Clear valid logon history
Ensures mots de passe are not stored in memory. Critical security measure for MSP-managed systems.
Computer Configuration > Administrative Templates > Windows Components > Windows Logon Options
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Default14
Notifies utilisateur 14 jours avant mot de passe expires. Reduces compte lockouts from expired credentials in MSP organizations.
Recommended14
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Network security: Restrict NTLM: Incoming NTLM traffic
Restreint incoming NTLM authentification on the ordinateur. Paramètre to 2 denies NTLM traffic. Critical for MSPs eliminating legacy authentification vectors in client environments.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Network security: Minimum password length
Sets minimum mot de passe length to prevent weak NTLM/NTLMv2 hashes. MSPs appliquer 14+ caractères to mitigate mot de passe cracking against hashed credentials.
Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Network security: LAN Manager authentication level
Sets minimum NTLM authentification level. Level 5 exige NTLMv2/Kerberos. MSPs set this to eliminate LM hash weaknesses and legacy protocol support.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Network security: Configure encryption types allowed for Kerberos
Specifies chiffrement types for Kerberos. Value 2147483644 active strong ciphers only (AES). MSPs use this to eliminate DES/RC4 weak chiffrement.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Network security: NTLM SSP Security: Minimum session security
Applique 128-bit chiffrement and NTLMv2 session security. Value 537133056 active both requirements. MSPs use this to prevent downgrade attaques on client authentification.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Network security: NTLM SSP Security: Require NTLMv2 session security
Forces servers to require NTLMv2 session security. Value 537133056 exige both NTLMv2 and chiffrement. Critical for MSPs enforcing authentification baseline across client networks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →RPC: Restrict Unauthenticated RPC clients
Empêche unauthenticated RPC clients from connecting to the ordinateur. Paramètre to 1 denies NULL sessions. Essential for MSPs blocking anonymous RPC exploitation.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →DCOM: Authentication Level
Sets DCOM authentification level to Packet Privacy (6). Exige chiffrement of all DCOM traffic. Critical for MSPs protecting sensitive RPC/DCOM communications.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Network security: Allow LocalSystem NULL session fallback
Controls whether LocalSystem can fallback to NULL sessions. Paramètre to 0 désactive fallback. MSPs use this to force authenticated sessions throughout infrastructure.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →DCOM: Machine Launch Restrictions (Security Descriptor)
Controls who can launch DCOM applications. Restreindre empêche attackers from launching DCOM objects for privilege escalation or persistence.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →RPC: Enable RPC over named pipes
Controls RPC over named pipes support. Keep enabled for compatibility but combine with authentification paramètres. MSPs monitor this for security posture.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Audit: Audit Other Account Logon Events
Audite NTLM-based authentications and other compte connexion tentatives. Paramètre to 3 logs both success and failure. Essential for MSPs detecting compromised credentials in client environments.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →RPC Endpoint Mapper: Authentication level for unauthenticated connections
Exige authentification for RPC endpoint mapper queries. Paramètre to 1 applique authentification. Critical for MSPs preventing RPC enumeration attaques on client systems.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →Domain Controller: Restrict NTLM: NTLM authentication in this domain
Restreint NTLM usage in the domaine at DC level. Paramètre to 4 denies NTLM and logs tentatives. Critical for MSPs enforcing domaine-wide Kerberos migration.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →DCOM: Machine Access Restrictions (Security Descriptor)
Controls DCOM accès permissions at machine level. MSPs restrict this to prevent lateral movement via DCOM exploitation on client workstations.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supporté sur Windows 10, Windows 11, Windows Server 2016 and later
Voir la référence →