<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>GPO Library on Aperture Zone</title>
    <link>https://aperturezone.com/gpo/</link>
    <description>Recent content in GPO Library on Aperture Zone</description>
    <image>
      <url>https://aperturezone.com/logo.webp</url>
      <link>https://aperturezone.com/logo.webp</link>
    </image>
    <generator>Hugo -- gohugo.io</generator>
    <language>fr-fr</language>
    <lastBuildDate>Fri, 01 May 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://aperturezone.com/gpo/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Default Domain Policy - Essential corrections</title>
      <link>https://aperturezone.com/gpo/default-domain-policy/</link>
      <pubDate>Fri, 01 May 2026 00:00:00 +0000</pubDate>
      
      <guid>https://aperturezone.com/gpo/default-domain-policy/</guid>
      <description>&lt;h1 id=&#34;default-domain-policy--essential-changes&#34;&gt;Default Domain Policy — Essential Changes&lt;/h1&gt;
&lt;p&gt;The Default Domain Policy provided by Microsoft is a starting point, not a production configuration. I’ll outline changes you should make immediately and others you should definitely leave alone.
This Default Domain Policy applies to all objects in the domain. It is created automatically and, by default, contains a password policy and a few Kerberos settings.&lt;/p&gt;
&lt;p&gt;First, the golden rule: &lt;strong&gt;the Default Domain Policy should contain only the password policy and the account lockout policy&lt;/strong&gt;. Everything else—firewalls, specific security settings, application configurations—must be configured using dedicated GPOs linked to the appropriate OUs. This is a convention, not a technical constraint; it greatly simplifies troubleshooting and maintenance. If you think a GPO is messing things up, you can simply disable it. If you’ve put everything into a single GPO, well, too bad for you.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>GPO - Disable hibernation</title>
      <link>https://aperturezone.com/gpo/no-hibernation/</link>
      <pubDate>Fri, 01 May 2026 00:00:00 +0000</pubDate>
      
      <guid>https://aperturezone.com/gpo/no-hibernation/</guid>
      <description>&lt;p&gt;Hibernation can be useful on a laptop. You close the lid, the system saves the state of the RAM to the disk, and you pick up where you left off a few hours later. However, it drains the battery.&lt;/p&gt;
&lt;p&gt;On a workstation, it’s a different story. Hibernation reserves a &lt;code&gt;hiberfil.sys&lt;/code&gt; file on the system drive whose size is equivalent to the total amount of installed RAM. On a machine with 32 GB of RAM, that’s 32 GB of disk space locked up for a feature that no one will ever use.
Another consequence observed in production: updates distributed by an internal WSUS server that require a reboot fail every time. Upon further investigation, you’ll find that after the reboot requested by the update, the uptime counter in Task Manager hasn’t been reset to zero, so the machine hasn’t actually rebooted.
Result: WSUS waits for confirmation of the reboot; the machine reports &amp;quot;reboot complete&amp;quot; but technically it hasn’t, and certain multi-stage updates (particularly cumulative updates and kernel security updates) remain stuck indefinitely.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>GPO - Eradicate OneDrive</title>
      <link>https://aperturezone.com/gpo/no-onedrive/</link>
      <pubDate>Fri, 01 May 2026 00:00:00 +0000</pubDate>
      
      <guid>https://aperturezone.com/gpo/no-onedrive/</guid>
      <description>&lt;p&gt;OneDrive is the perfect example of software you didn’t ask for, don’t want, but keeps coming back anyway. It reinstalls itself, restarts, redirects your folders, and looks you in the eye with a smile while doing it, ready to sync your documents somewhere in the Microsoft cloud.
Here’s how to end this toxic relationship.&lt;/p&gt;
&lt;p&gt;On a corporate network—or even a personal setup—OneDrive means:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Scheduled tasks running in the background on every machine&lt;/li&gt;
&lt;li&gt;A service that generates network traffic even before the user is logged in&lt;/li&gt;
&lt;li&gt;Windows folders (Documents, Desktop, Pictures) that have an annoying tendency to migrate to the cloud if you’re not careful&lt;/li&gt;
&lt;li&gt;And of course, the &lt;strong&gt;&amp;quot;Save documents to OneDrive by default&amp;quot;&lt;/strong&gt; checkbox enabled by default&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The GPO we’re going to create cuts all of this off at the root, in three layers.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>GPO - Killing IPv6 once and for all</title>
      <link>https://aperturezone.com/gpo/no-ipv6/</link>
      <pubDate>Fri, 01 May 2026 00:00:00 +0000</pubDate>
      
      <guid>https://aperturezone.com/gpo/no-ipv6/</guid>
      <description>&lt;p&gt;I’m not against IPv6; it’s just that on a LAN that doesn’t need it, it’s pointless—it’s a box that’s checked by default in the network card settings that nobody asked for.&lt;/p&gt;
&lt;p&gt;We have a LAN. It runs on IPv4. It’s always run on IPv4. It will run on IPv4 until we change our infrastructure or the sun’s heat engulfs the Earth, whichever comes first.&lt;/p&gt;
&lt;p&gt;And yet, every time we check a network adapter on a Windows machine, we see this:&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>GPO - Neutralize Edge</title>
      <link>https://aperturezone.com/gpo/kill-edge/</link>
      <pubDate>Fri, 01 May 2026 00:00:00 +0000</pubDate>
      
      <guid>https://aperturezone.com/gpo/kill-edge/</guid>
      <description>&lt;p&gt;Let’s be honest: Edge isn’t terrible as a browser. What’s terrible is its &lt;em&gt;behavior&lt;/em&gt; in a managed environment.
It’s a browser we didn’t choose, and it runs background services for no reason.
With every new user profile, Edge imposes itself as the default browser. Its &lt;code&gt;edgeupdate&lt;/code&gt; and &lt;code&gt;edgeupdatem&lt;/code&gt; services run constantly in the background, even on machines where no one has opened Edge. Its scheduled tasks restart after certain updates. And if you use Chrome, Opera, Firefox, or any other browser as your default, you have to reconfigure this on every new profile.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>GPO - RDP on custom port</title>
      <link>https://aperturezone.com/gpo/rdp-custom-port/</link>
      <pubDate>Fri, 01 May 2026 00:00:00 +0000</pubDate>
      
      <guid>https://aperturezone.com/gpo/rdp-custom-port/</guid>
      <description>&lt;p&gt;Windows Remote Desktop listens on port 3389. As is well known, this is the first port that automated tools scan when looking for exposed access points. On an internal network isolated behind proper NAT, the risk is limited. But as soon as a machine is accessible from the outside—or simply if you want an extra layer of security with minimal effort—moving RDP to a non-standard port is a simple and effective measure.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>GPO - Remote WMI management and scheduled tasks</title>
      <link>https://aperturezone.com/gpo/firewall-wmi/</link>
      <pubDate>Fri, 01 May 2026 00:00:00 +0000</pubDate>
      
      <guid>https://aperturezone.com/gpo/firewall-wmi/</guid>
      <description>&lt;p&gt;It is possible to manage machines remotely without having to disable the firewall. You just need to open the right ports for WMI, DCOM, and RPC—nothing more, nothing less.
You can use WMI to query machines remotely—collect system information, run commands, and manage scheduled tasks from the console or a PowerShell script.&lt;/p&gt;
&lt;p&gt;When you run a &lt;code&gt;Get-WmiObject&lt;/code&gt; command and get the error &amp;quot;RPC access was denied,&amp;quot; the easy solution is to disable the Windows firewall on the target machines.
But this is a very bad idea on a network where machines with different trust levels coexist.&lt;/p&gt;</description>
    </item>
    
  </channel>
</rss>
