Windows GPO Reference

A complete reference of Microsoft Windows Group Policy settings: a searchable database of GPO settings with registry paths, supported Windows versions, configuration steps, security implications and concrete use cases. Designed for administrators managing Active Directory, Intune and standalone Windows.

What is a Group Policy?

A Group Policy Object (GPO) is a Windows configuration setting that defines the behavior of computers and user accounts. Each policy corresponds to one or more registry values, applies to a specific scope (Computer or User) and is delivered in an ADMX (administrative template) file. This reference indexes Microsoft's ADMX catalogue with detailed explanations, registry mappings and operational guidance not found on the official Microsoft Learn pages.

Display logon message banner
Shows a banner message before logon. Critical for MSP compliance with legal notice requirements.
Computer Configuration > Administrative Templates > Windows Components > Windows Logon Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Logon message banner text
Defines the legal notice displayed at logon. Essential for MSP legal compliance and access policies.
Computer Configuration > Administrative Templates > Windows Components > Windows Logon Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Smart card removal behavior
Locks the workstation when the smart card is removed. Critical for MSPs using smart card authentication.
Computer Configuration > Administrative Templates > Windows Components > Smart Card
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Domain Controller: LDAP server signing requirements
Enforces LDAP signing requirements on domain controllers to prevent man-in-the-middle attacks. Setting to 2 requires signing. Critical for MSPs securing client Active Directory environments from credential interception.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Number of previous logons to cache
Limits cached credentials to 1 for offline logon. Reduces credential exposure for MSP mobile users.
Computer Configuration > Administrative Templates > System > Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Enable forced logoff when logon hours expire
Disconnects users when logon hours expire. Enforces access control policies for MSP-managed networks.
Computer Configuration > Administrative Templates > System > Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Extended Protection for Authentication: Require channel binding
Enforces Extended Protection for Authentication on LDAP connections. Prevents attackers from stealing LDAP credentials through man-in-the-middle attacks. Critical for MSPs managing sensitive client networks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Display verbose status messages during logon
Shows detailed logon messages for troubleshooting. Helps MSP technicians diagnose authentication issues.
Computer Configuration > Administrative Templates > System > Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Disable automatic restart after logon
Prevents automatic logon after a system restart. Ensures manual authentication for security-sensitive MSP environments.
Computer Configuration > Administrative Templates > System > Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Require domain controller authentication for cached logons
Forces revalidation with a domain controller. Prevents replay attacks on cached credentials in MSP networks.
Computer Configuration > Administrative Templates > System > Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Clear valid logon history
Ensures passwords are not stored in memory. Critical security measure for MSP-managed systems.
Computer Configuration > Administrative Templates > Windows Components > Windows Logon Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Default: 14
Notifies the user 14 days before the password expires. Reduces account lockouts from expired credentials in MSP organizations.
Recommended: 14
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Network security: Restrict NTLM: Incoming NTLM traffic
Restricts incoming NTLM authentication on the computer. Setting to 2 denies NTLM traffic. Critical for MSPs eliminating legacy authentication vectors in client environments.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

LDAP client signing requirements
Configures client-side LDAP signing to negotiate signing with LDAP servers. Setting to 1 requires signing when available. Prevents credential theft in the hybrid and cloud scenarios MSPs manage.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

LDAP channel binding token requirements
Enforces LDAP channel binding on domain controllers to prevent LDAP relay attacks. Setting to 2 enforces channel binding requirements. Essential for MSPs protecting against modern authentication attacks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Network access: Restrict anonymous enumeration of SAM accounts
Prevents anonymous users from enumerating the SAM database. Setting to 1 blocks enumeration. Essential for MSPs preventing account discovery attacks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

LDAP Signing: Negotiate signing
Enables LDAP clients to negotiate signing with servers. Setting to 1 enables negotiation, 2 requires it. Provides flexibility for gradual deployment across managed environments.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Domain Controller: Refuse machine account password changes
Controls whether domain controllers refuse machine account password changes. Keep at 0 to allow legitimate password rotation. Important for MSPs managing domain security without disrupting trust relationships.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

LDAP: Maximum concurrent connections
Limits concurrent LDAP connections to domain controllers. Set to 0 for unlimited. MSPs use this to prevent DoS attacks on directory services during client migrations and queries.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

LDAP over SSL/TLS requirement
Enables LDAP over SSL/TLS on domain controllers. Standard port 636 encrypts all LDAP traffic. Essential for MSPs securing directory queries over untrusted networks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

LDAP: Enable referral chasing
Controls LDAP referral chasing behavior. Setting to 0 disables automatic referral following. MSPs disable this to prevent information disclosure and credential exposure.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Network security: Minimum password length
Sets the minimum password length to prevent weak NTLM/NTLMv2 hashes. MSPs enforce 14+ characters to mitigate password cracking against hashed credentials.
Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Network security: LAN Manager authentication level
Sets the minimum NTLM authentication level. Level 5 requires NTLMv2/Kerberos. MSPs set this to eliminate LM hash weaknesses and legacy protocol support.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Network security: Configure encryption types allowed for Kerberos
Specifies the encryption types allowed for Kerberos. Value 2147483644 enables strong ciphers only (AES). MSPs use this to eliminate weak DES/RC4 encryption.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later